
Risk of major database attack, warns Rapid7

There will be a major database attack in the next year, unless businesses act to put in appropriate protection measures, a security firm has warned

Businesses are being urged to review what they are exposing to the internet to reduce their vulnerability to attack, after a study revealed many were still leaving the door open to attackers.

More than a million endpoints were confirmed to be exposing Microsoft file-sharing services, according to the latest National Exposure Index report by security firm Rapid7.

More than 800,000 of these were Microsoft Windows systems across most products and versions using the server message block (SMB) file-sharing protocol, while port scanning for SMB port 445 returned 5.5 million responsive nodes.

This finding helps explain why the WannaCry ransomware attack of May 2017, which used an SMB exploit leaked by the Shadow Brokers hacking group, spread so widely in such a short period. More than 200,000 computers in 150 countries were affected before the international security community was able to halt the spread of the malware.

The use of open source file-sharing software Samba also exposes organisations to risks of similar vulnerability exploits, said Tod Beardsley, principal security research manager at Rapid7.

“Organisations should review their use of file-sharing services, identify where they are absolutely necessary, and eliminate them wherever possible,” he told Computer Weekly.


Instead of using file-sharing services such as SMB and Samba, Beardsley said organisations should use cloud-based services that are inherently more secure through the use of the hypertext transfer protocol (HTTP) over the secure sockets layer (SSL), commonly known as HTTPS.

“And where file-sharing services [such as SMB and Samba] cannot be avoided, organisations should put them behind a virtual private network [VPN] which solves much of the problem,” he said. “I can’t think of any sane business process that would require exposing SMB or Samba to the internet.”

Beardsley warned that while WannaCry had helped raise awareness of the importance of securing file-sharing services such as SMB against access from the internet, many organisations were not aware that they were exposing databases directly to the internet, which is also a big risk.

Act before the damage is done

The study noted that the January 2017 ransomware attacks on unauthenticated MongoDB NoSQL databases appear to have had little influence in encouraging organisations to reduce the exposure of more traditional MySQL and Microsoft SQL Server databases.

Nearly 8.3 million MySQL and 3.4 million Microsoft SQL Server nodes were found to be accessible directly from the internet, according to the Rapid7 report.

“It seems that it will take a major attack, like WannaCry or Mirai, that causes quite a bit of damage before organisations take action on this, and I worry we will see a major database attack in the next year,” said Beardsley.


Such attacks could be avoided if organisations act now to take all their databases offline, he said, but it usually takes a major attack before there is any significant response.

On a positive note, Beardsley said the latest exposure report showed that a concerted effort can have a marked effect.

“The 2016 report identified Belgium as the most exposed country, but the number of IP-addressable public internet servers offering exposed services in Belgium dropped by 250,000 in the past year. Belgium is no longer among the top 50 most exposed regions, largely due to this action, which shows that national technical leadership can reduce regional exposure,” he said.

Belgium is currently ranked at 179 on the exposure index, which Beardsley attributed mainly to the country’s efforts to correct configurations and turn off everything that is not really needed.

“This is what we like to see because we feel it is no longer appropriate to throw anything out there and that there should be some husbandry on the internet to prevent attackers taking advantage,” he said.

UK among the 50 most exposed countries

According to the 2017 report, Zimbabwe is the most exposed region, mainly due to poor default settings used by local internet service providers.

Ranked second is Hong Kong, followed by Samoa, Republic of the Congo, Tajikistan, Romania, Ireland, Lithuania, Australia and Estonia.

The UK showed some improvement, moving from being ranked the 23rd most exposed country in 2016 to 37 out of 182 countries covered by the report in 2017.

“This is not terrible, but it is not great either,” said Beardsley, pointing out that the UK is still in the top 50 most exposed countries.

This is, in part, due to the fact that the UK is fairly heavily invested in Microsoft products that use SMB, and to the relatively large number of legacy systems and network-attached storage (NAS) devices on the internet, he said, reiterating that all file-sharing services and NAS devices should be put behind a VPN.

While the UK is less exposed than Ireland (7), Australia (9), Denmark (11), France (14) and Spain (34), it is more exposed than Canada (43), Portugal (44), New Zealand (46) and the US (137).

According to the report, the 50 most exposed regions offer more exposed services in relation to their total “size” on the internet – often in the 2-5% range, whereas the least exposed regions tend to expose well under 1% of their IP address space.

Some security progress

The 2017 report also revealed progress regarding the number of telnet ports. Port scanning for telnet port 23 returned just under 10 million responsive nodes, compared with 2016’s scan results of more than 14.8 million, which is a drop of 33%.

This reduction, said Beardsley, is almost certainly due to the actions of internet service providers (ISPs), such as closing port 23 in response to the Mirai botnet, BrickerBot and other botnets knocking nodes offline. As a result, there has been an increase in the use of the secure shell (SSH) protocol.

There is no reason to use telnet today because there are more secure alternatives, he said, but many older internet of things (IoT) devices have telnet enabled by default, which accounts for many of the new instances of telnet being detected.
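The article's advice on SMB (port 445), internet-facing MySQL and Microsoft SQL Server, telnet (port 23) and the report's "exposed services relative to address-space size" measure all reduce to one defender's task: scan your own public ranges and find what should not be there. The following Python is an added example, not code from Rapid7 or the report; it triages a constructed, nmap-style scan listing and attaches the mitigation the article recommends for each service. The MySQL, SQL Server and MongoDB port numbers are the products' well-known defaults and are not stated in the article; the scan line format and the addresses (documentation ranges) are assumptions of the example.

```python
"""Exposure triage for an organisation's own external port-scan results.

Added example (not from the Rapid7 report or the article): reads a constructed,
nmap-style line format and flags the services the article says have no
business being internet-facing, with the mitigation it recommends for each.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network

# Ports 445 and 23 come from the article; 139, 3306, 1433 and 27017 are the
# well-known defaults for the named products (assumption, not stated on the page).
# Mitigation strings paraphrase the advice quoted in the article.
RISKY_SERVICES = {
    445:   ("SMB file sharing",     "move behind a VPN or replace with an HTTPS-based service"),
    139:   ("SMB over NetBIOS",     "move behind a VPN or replace with an HTTPS-based service"),
    23:    ("telnet",               "disable; use SSH instead"),
    3306:  ("MySQL",                "bind to internal interfaces only; reach via VPN"),
    1433:  ("Microsoft SQL Server", "bind to internal interfaces only; reach via VPN"),
    27017: ("MongoDB",              "require authentication and bind to internal interfaces only"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    mitigation: str


def parse_scan(text: str) -> list[tuple[str, int, str]]:
    """Parse lines of the constructed form 'host port/proto state' into tuples.

    Blank lines and '#' comments are skipped; a malformed line raises ValueError
    so a truncated scan file is noticed rather than silently under-reported.
    """
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or "/" not in parts[1]:
            raise ValueError(f"line {lineno}: unexpected format: {raw!r}")
        host, port_proto, state = parts
        port = int(port_proto.split("/", 1)[0])
        rows.append((host, port, state))
    return rows


def triage(text: str) -> list[Finding]:
    """Return one Finding per open, risky (host, port) pair, de-duplicated and sorted."""
    seen: set[tuple[str, int]] = set()
    findings = []
    for host, port, state in parse_scan(text):
        # Only open ports count; 'filtered' means something upstream already blocks it.
        if state != "open" or port not in RISKY_SERVICES or (host, port) in seen:
            continue
        seen.add((host, port))
        service, mitigation = RISKY_SERVICES[port]
        findings.append(Finding(host, port, service, mitigation))
    return sorted(findings, key=lambda f: (f.host, f.port))


def exposure_ratio(findings: list[Finding], address_space: str) -> float:
    """Fraction of the given address space with at least one risky open service.

    Mirrors the report's per-region measure (exposed services relative to size
    on the internet); its 2-5% band for the 50 most exposed regions is a usable
    yardstick for a single organisation's public range as well.
    """
    net = ip_network(address_space, strict=False)
    exposed_hosts = {f.host for f in findings}
    return len(exposed_hosts) / net.num_addresses


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per service name, e.g. {'telnet': 1, 'MySQL': 1}."""
    return dict(Counter(f.service for f in findings))


# Constructed sample scan output; 203.0.113.0/24 is a documentation range, not real hosts.
SAMPLE_SCAN = """\
# host         port/proto  state
203.0.113.10   445/tcp     open
203.0.113.10   139/tcp     open
203.0.113.10   443/tcp     open
203.0.113.25   3306/tcp    open
203.0.113.25   22/tcp      open
203.0.113.40   23/tcp      open
203.0.113.40   23/tcp      open
203.0.113.77   1433/tcp    filtered
"""

if __name__ == "__main__":
    found = triage(SAMPLE_SCAN)
    for f in found:
        print(f"{f.host}:{f.port} {f.service} -> {f.mitigation}")
    print(f"exposure ratio: {exposure_ratio(found, '203.0.113.0/24'):.2%}")
```

Run against the constructed sample, the triage reports four findings on three hosts (the filtered SQL Server port is not counted) and an exposure ratio of about 1.2% of the /24, which is already within sight of the 2-5% band the report associates with the most exposed regions. Feeding it real scan output for your own ranges only requires producing the same three-column lines.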

Rapid7 is also seeing a positive response to security warning messages by manufacturers of IoT devices. “We have a dedicated IoT practice, and part of that work is looking at how things are being built and validating default configurations. We are seeing improvements,” said Beardsley.

“IoT makers are doing more correctly out of the box. They are not enabling everything possible, for example, and command and control communications are more commonly encrypted using SSH or HTTPS, so we are making headway,” he said.

The report concludes that being mindful of both what an organisation deploys and how those services are deployed and maintained can have a significant impact on the health of the entire internet.

“As more individuals and organisations move critical internal and personal services to the cloud, host new applications and attach more ‘things’ to the public internet, such mindfulness will be more critical than ever if we wish to keep commerce and content flowing fast and freely,” the report said.

However, Beardsley is optimistic that the use of insecure practices and protocols will diminish as more organisations move into the cloud and migrate to managed service providers that follow best practice and continually review and update their default settings.
