Over two-thirds of companies still run software with WannaCry flaw


Danny Bradbury

13 May, 2021

Four years after the global WannaCry and NotPetya ransomware attacks, two-thirds of companies still haven’t patched the vulnerabilities that caused them, according to cloud network detection and response company ExtraHop.

The company investigated data from its Reveal(x) security platform in the first quarter of 2021 to determine which protocols its customers were running. It found that 88% of them were still running at least one device using SMBv1, which was a pivotal attack vector for the EternalBlue exploit used in the two ransomware attacks. 

Although a single device could mean a company is maintaining it just for use by an attack team, a more worrying statistic was that 67% of companies are running over 10 SMBv1-enabled devices. Over two-thirds (37%) were running more than 50, and 31% of companies checked had over 100 SMBv1 devices on their networks.

The report also highlighted heavy use of two other protocols in Windows servers. The first, called Local Loop Multicast Name Resolution (LLMNR), is an alternative to DNS for resolving basic names within a private network. It has a similar problem to Windows’ old NetBIOS naming service, in that it communicates with all clients on the network rather than a specific server. 

That enables an attacker to listen for and reply to access requests, creating a race condition to harvest the client’s hashed credentials if it establishes a conversation quickly enough. It can then decrypt those credentials, giving an attacker access to a client’s network account, or use them in a pass-the-hash attack.

The other protocol, New Technology LAN Manager (NTLM) v1, is a decades-old network authentication mechanism that has long been obsolete. Nevertheless, over a third (34%) of companies have over 10 devices using it, ExtraHop said. Almost one in five (19%) had over 100 devices using the protocol, despite Microsoft advising people to stop using it altogether in favor of the more secure Kerberos system.

The report also found that few companies had embraced using TLS encryption over HTTP (HTTPS), which browser vendors have aggressively enforced. It found that 81% of enterprise environments were still using HTTP to send access credentials in plain text.

ExtraHop said it analyzed over four petabytes of traffic each day in its investigation of online protocol usage.