Majority of FTSE 250 Companies Expose Multiple Weaknesses to Internet: Analysis
Rapid7 has analyzed the visible cyber exposure of some of the UK’s largest companies — the FTSE 250. It did this by using its proprietary internet-wide Project Sonar scanning platform, and its passive sensor (honeypot) network, Project Heisenberg. The results (PDF) are discouraging.
The research team used Sonar to examine five areas: overall attack surface; presence of dangerous or insecure services; phishing defense posture; old and/or unpatched services; and third-party website dependency risks.
Heisenberg was used to determine any indications of existing compromise within the companies. In theory, there should be no traffic from the tested companies hitting the honeypot — and where it does happen, the researchers are able to determine or make educated guesses about malicious activity occurring within the companies.
Six categories of malicious activity were identified: DNS DoS activity; mail access brute-forcing; SMB activity like that used by WannaCry and NotPetya; SSH/LDAP brute-forcing over encrypted channels; Telnet/FTP/IMAP/LDAP cleartext brute-forcing; and web API/admin weakness probes.
“Traffic that is unambiguously sourced from the FTSE 250+ speaks to a lack of egress filtering from these organizations,” says Rapid7. “Network administrators are accustomed to making sure connectivity is both smooth and uninterrupted and fixing things when connections fail. On the reverse side, though, their job is to also prevent errant and malicious traffic from leaving their domains. Outbound traffic rules should be regularly audited and tested, both from the data center and from deep inside the LAN, to ensure that a misconfiguration doesn’t result in an accidental self-breach.”
The Project Sonar analyses are not a penetration test; they examine only security indicators visible from the internet, and so say nothing about a company's internal security posture. Nevertheless, some of the indicators analyzed represent exposure to external threats that are as visible to attackers as they are to Rapid7. That they are present in the largest companies, which have budgets sufficient for large, top-quality security teams, does not augur well for smaller companies with smaller budgets.
The overall attack surface is simply a count of the number of systems with an internet presence. On its own it is a neutral indicator, since all of those systems could be adequately protected; but a high count is a signal that a firm may be presenting a larger attack surface than is strictly necessary. The average across the entire FTSE 250 is approximately 35 exposed services, but eleven firms had more than 100, and one firm had more than 1,000.
“Organizations should strive to only expose systems and devices on the internet if they support business processes,” says Rapid7. Beyond this, asset identification and configuration management must be sufficiently robust to prevent any services being ‘forgotten’ and becoming a hacker entry point.
The analysis of dangerous or insecure services focuses on two of the most commonly exposed and most dangerous services: Telnet and Windows file sharing. Windows Server Message Block (SMB) is particularly problematic. It is a complex all-in-one file sharing and remote administration protocol, and it has been an attack vector for more than a decade (Conficker in 2008, EternalBlue-based malware in 2017).
It is the cleartext nature of Telnet that makes it a risk. “An attacker in the proper network position can read any usernames, passwords, or data being transmitted — and endpoints with weak, default, or eavesdropped passwords can be hijacked to run malicious code directly by the operating system,” comments Rapid7. Reassuringly, only a handful of companies in the FTSE 250 expose either of these services — far fewer, for example, than in the Fortune 500. Nevertheless, Rapid7 recommends blocking TCP port 445 (the SMB port) at firewalls, and not using Telnet at all (SSH should be used instead).
Rapid7 also notes that nearly 20% of the FTSE 250 companies do not require the use of HTTPS on their primary domains, putting visitors at risk of person-in-the-middle attacks.
Rapid7’s ‘phishing defense posture’ is based on indications of DMARC usage gleaned from DNS records. A DMARC policy can be set to one of three levels: reject, quarantine or none. ‘None’ is a monitoring-only setting, so in terms of enforcement it is effectively equivalent to not using DMARC at all; but owing to the complexity and difficulty of implementation, companies with DMARC published but set to ‘none’ could well be in the process of a full rollout. Nevertheless, 88% of the FTSE 250 currently have weak or no DMARC anti-phishing defenses. This compares badly with similar earlier studies of the U.S. (72% of the Fortune 500) and Australasia (68% of the ASX 200).
“Planning and deploying a properly restrictive DMARC configuration takes time,” comments Rapid7, “which is reflected in the three DMARC policy levels, but it’s a time investment that can vastly improve a company’s internal and external email security posture.”
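The posture classification described above can be reproduced from a domain's `_dmarc` TXT record. The following is an added example and not code from the Rapid7 report: the records and `.example` domains are constructed, and the ‘partial’ label (an enforcing policy whose `pct` is below 100 or whose subdomain policy `sp` is weaker than `p`) is a refinement added here on top of the article's three-way split. Swapping `SAMPLE_RECORDS.get` for a real resolver (for example dnspython's `dns.resolver.resolve(name, "TXT")`) turns it into a live check.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example, not code from the Rapid7 report. Records are constructed and
the .example domains are hypothetical.
"""
from typing import Callable, Optional

# Constructed TXT answers keyed by the _dmarc.<domain> name a resolver would
# query. None models "no record" (NXDOMAIN or no TXT at that name).
SAMPLE_RECORDS = {
    "_dmarc.reject.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "_dmarc.quarantine.example": "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s",
    "_dmarc.partial.example":    "v=DMARC1; p=quarantine; pct=25; rua=mailto:r@partial.example",
    "_dmarc.subdomain.example":  "v=DMARC1; p=reject; sp=none",
    "_dmarc.none.example":       "v=DMARC1; p=none; rua=mailto:dmarc@none.example",
    "_dmarc.broken.example":     "p=reject",   # no v=DMARC1 tag: receivers ignore it
    "_dmarc.missing.example":    None,
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict, or return None when the text
    is not a usable DMARC record (RFC 7489 requires v=DMARC1 and a p tag)."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in POLICY_RANK:
        return None
    return tags


def classify(tags: Optional[dict]) -> str:
    """Map a parsed record to a posture label.

    'none'    : no usable record, so receivers apply no DMARC policy at all
    'weak'    : p=none, the monitoring-only setting treated as no defense
    'partial' : an enforcing p, but pct<100 or an sp tag weaker than p, so
                some mail still escapes enforcement (added here)
    'strong'  : p=quarantine or p=reject applied to all mail and subdomains
    """
    if tags is None:
        return "none"
    policy = tags["p"].lower()
    if policy == "none":
        return "weak"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0   # unparseable pct: treat enforcement as not fully applied
    sub_policy = tags.get("sp", policy).lower()
    if pct < 100 or POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        return "partial"
    return "strong"


def posture(domain: str,
            lookup: Callable[[str], Optional[str]] = SAMPLE_RECORDS.get) -> str:
    """Posture of one domain; lookup returns the TXT text for a name or None."""
    return classify(parse_dmarc(lookup(f"_dmarc.{domain}")))


def survey(domains, lookup=SAMPLE_RECORDS.get) -> dict:
    """Count postures across a population, as the FTSE 250 figures were built."""
    counts = {"strong": 0, "partial": 0, "weak": 0, "none": 0}
    for domain in domains:
        counts[posture(domain, lookup)] += 1
    return counts


if __name__ == "__main__":
    sample_domains = [name[len("_dmarc."):] for name in SAMPLE_RECORDS]
    for domain in sample_domains:
        print(f"{domain:22s} {posture(domain)}")
    print(survey(sample_domains))
```

Note that `broken.example` is counted as having no record at all: a receiver that cannot parse the record applies no policy, so a typo in the TXT record is as bad as never publishing one.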
Keeping up to date with software versions and patches is an often-repeated basis for good security. “Unfortunately,” notes Rapid7, “most organizations in the FTSE 250+ are running older and often unsupported versions of the three most prolific web servers: Microsoft’s Internet Information Services (IIS), Apache HTTPD, and nginx.” It was a failure to patch Apache Struts that let the hackers into Equifax in 2017.
Sonar discovered 1,905 Microsoft IIS servers with attributable version numbers in 194 organizations. More than 50% of the companies run only one or two different versions of IIS, but 8% maintain four or more. “This version diversity and the discovery of end-of-life IIS versions increases defense and management complexity and further increases the likelihood of down-version IIS servers becoming an intrusion conduit for attackers.”
It gets worse with Apache and nginx. Sonar found 549 Apache servers with 37 distinct version numbers in 84 organizations. Most of these are well over a year old, and indicate that organizations are not keeping their Apache installations up to date. It also found 590 nginx servers in 66 organizations.
For the FTSE 250, comments Rapid7, “nearly half the organizations maintain two or more different internet-facing web server vendor technologies. The combined vendor and version diversity substantially increases the risk of overlooking configuration weaknesses that potential attackers are more than ready to find and exploit.” Companies, it adds, should strive for vendor and version consistency.
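The vendor and version diversity measured in the last three paragraphs comes straight from HTTP `Server` headers. The following is an added example, not Rapid7's own tooling: the observations are constructed, the organization names and IP addresses are hypothetical, and `EOL_BRANCHES` is a small assumed table (a real audit should take end-of-life status from the vendors' lifecycle pages). It goes slightly beyond the article by also counting servers that hide their version, which a defender should treat as unknown rather than safe.

```python
"""Per-organization web-server vendor/version diversity from Server headers.

Added example, not code from the Rapid7 report. Observations are constructed,
org names and IPs are hypothetical, and EOL_BRANCHES is an assumed table.
"""
import re
from collections import defaultdict

# Constructed observations: (organization, ip, Server header value).
OBSERVATIONS = [
    ("OrgA", "198.51.100.10", "Microsoft-IIS/10.0"),
    ("OrgA", "198.51.100.11", "Microsoft-IIS/7.5"),
    ("OrgA", "198.51.100.12", "nginx/1.14.0"),
    ("OrgB", "203.0.113.5",   "Apache/2.2.15 (CentOS)"),
    ("OrgB", "203.0.113.6",   "Apache/2.4.29 (Ubuntu)"),
    ("OrgB", "203.0.113.7",   "Apache"),        # version hidden by ServerTokens
    ("OrgC", "192.0.2.20",    "nginx/1.10.3"),
    ("OrgC", "192.0.2.21",    "nginx/1.10.3"),
    ("OrgD", "192.0.2.40",    "cloudflare"),    # outside the three vendors studied
]

# Assumed end-of-life branches as (vendor, major.minor). Illustrative only.
EOL_BRANCHES = {("iis", "6.0"), ("iis", "7.0"), ("iis", "7.5"),
                ("apache", "2.0"), ("apache", "2.2")}

SERVER_RE = re.compile(r"^(Microsoft-IIS|Apache|nginx)(?:/(\d+(?:\.\d+)*))?", re.IGNORECASE)
VENDOR_MAP = {"microsoft-iis": "iis", "apache": "apache", "nginx": "nginx"}


def parse_server(header):
    """Return (vendor, version); version is None when not disclosed, and
    (None, None) when the vendor is not one of the three studied."""
    match = SERVER_RE.match(header.strip())
    if not match:
        return None, None
    return VENDOR_MAP[match.group(1).lower()], match.group(2)


def branch(version):
    """'2.4.29' -> '2.4', '10.0' -> '10.0': the granularity EOL is tracked at."""
    return ".".join(version.split(".")[:2])


def summarize(observations=OBSERVATIONS):
    """Per-organization counts of distinct vendors, distinct versions, servers on
    an EOL branch, servers hiding their version, and servers of other vendors."""
    acc = defaultdict(lambda: {"vendors": set(), "versions": set(),
                               "eol": 0, "undisclosed": 0, "other": 0})
    for org, _ip, header in observations:
        state = acc[org]
        vendor, version = parse_server(header)
        if vendor is None:
            state["other"] += 1
            continue
        state["vendors"].add(vendor)
        if version is None:
            state["undisclosed"] += 1
            continue
        state["versions"].add((vendor, version))
        if (vendor, branch(version)) in EOL_BRANCHES:
            state["eol"] += 1
    return {org: {"vendor_count": len(s["vendors"]),
                  "version_count": len(s["versions"]),
                  "eol_servers": s["eol"],
                  "undisclosed": s["undisclosed"],
                  "other_vendor": s["other"]}
            for org, s in acc.items()}


def multi_vendor_fraction(summary):
    """Share of organizations running two or more of the studied vendors."""
    if not summary:
        return 0.0
    return sum(1 for s in summary.values() if s["vendor_count"] >= 2) / len(summary)


if __name__ == "__main__":
    report = summarize()
    for org, stats in report.items():
        print(org, stats)
    print(f"multi-vendor organizations: {multi_vendor_fraction(report):.0%}")
```

A hidden version (`Apache` with no number) is not evidence of a patched server, so it is counted separately: the only way to know its patch level is to check the host itself.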
Third-party risk exposure is a hot topic. It is the basis of the supply chain attack used by criminals (for example, Magecart) and nation-state groups alike (for example, APT10). But it isn’t just the potential for ‘island hopping’ that is Rapid7’s concern here. It is the unavoidable use of third-party services in website processes, the inevitable leakage of information about those services, and the subsequent potential for targeted phishing attacks based on the leaked data.
“If organizations begin to stray from established and resilient service providers,” warns Rapid7, “they boost their risk of successful phishing and other types of attacks by observant, capable attackers who simply need to make a handful of DNS queries to create a list of targets.” Of course, those same DNS queries could also reveal a third-party provider used by a large number of organizations — which would make that provider a prime target for a traditional supply chain attack.
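The “handful of DNS queries” is easy to picture. The following is an added example and not code from the Rapid7 report, which does not say exactly which records it examined: MX targets, SPF `include:`/`redirect=` targets and the CNAME of `www` are an assumed set of signals, all domains and answers are constructed, and `PROVIDER_SUFFIXES` is an illustrative fingerprint table rather than a complete one. It shows both sides of the point above: the providers each organization depends on (phishing pretext material) and how many organizations share each provider (supply-chain concentration).

```python
"""Infer third-party providers from public DNS and find shared dependencies.

Added example, not code from the Rapid7 report. DNS answers and domains are
constructed; PROVIDER_SUFFIXES is an assumed, illustrative fingerprint table.
"""
from collections import Counter

# Constructed DNS answers per domain: MX targets, TXT records, and CNAMEs.
DNS = {
    "alpha.example": {
        "MX": ["alt1.aspmx.l.google.com."],
        "TXT": ["v=spf1 include:_spf.google.com include:servers.mcsv.net -all"],
        "CNAME": {"www": "alpha.example.cdn.cloudflare.net."},
    },
    "beta.example": {
        "MX": ["beta-example.mail.protection.outlook.com."],
        "TXT": ["v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all"],
        "CNAME": {},
    },
    "gamma.example": {
        "MX": ["mxa-0012abcd.gslb.pphosted.com."],
        "TXT": ["v=spf1 include:spf.protection.outlook.com ~all",
                "some-site-verification=abc123"],        # non-SPF TXT is skipped
        "CNAME": {"www": "gamma.example.cdn.cloudflare.net."},
    },
    "delta.example": {   # self-hosted mail, no CDN: nothing third-party visible
        "MX": ["mail.delta.example."],
        "TXT": ["v=spf1 ip4:203.0.113.0/24 -all"],
        "CNAME": {},
    },
}

# Assumed fingerprints: hostname suffix -> provider label.
PROVIDER_SUFFIXES = {
    "google.com": "Google Workspace",
    "outlook.com": "Microsoft 365",
    "mcsv.net": "Mailchimp",
    "sendgrid.net": "SendGrid",
    "pphosted.com": "Proofpoint",
    "cloudflare.net": "Cloudflare",
}


def provider_of(hostname):
    """Provider label for a hostname, or None if no fingerprint matches."""
    host = hostname.lower().rstrip(".")
    for suffix, label in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def spf_targets(txt_records):
    """Hosts referenced by include: and redirect= terms in the SPF record."""
    for txt in txt_records:
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            term = term.lower()
            if term.startswith("include:"):
                yield term[len("include:"):]
            elif term.startswith("redirect="):
                yield term[len("redirect="):]


def external_hosts(domain, dns=DNS):
    """Every hostname the domain's DNS points at for mail, SPF and web."""
    record = dns[domain]
    yield from record.get("MX", [])
    yield from spf_targets(record.get("TXT", []))
    yield from record.get("CNAME", {}).values()


def providers_for(domain, dns=DNS):
    """Set of recognized providers one organization depends on."""
    return {label for label in map(provider_of, external_hosts(domain, dns)) if label}


def shared_providers(dns=DNS):
    """How many organizations depend on each provider: the concentration an
    attacker weighs when picking a supply-chain target."""
    counts = Counter()
    for domain in dns:
        counts.update(providers_for(domain, dns))
    return counts


if __name__ == "__main__":
    for domain in DNS:
        print(f"{domain:15s} {sorted(providers_for(domain))}")
    print(shared_providers().most_common())
```

The same output is what a defender wants to see from the inside: if `shared_providers` puts a single provider behind most of your business units, that provider's security posture is now part of yours.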
Overall, it is not simply the degree of risk displayed by the FTSE 250 companies that concerns Rapid7. Since such organizations can be assumed to have substantial resources and technical expertise, “the findings suggest that the severity of exposure may be greater for the many thousands of organizations smaller than those in the FTSE 250.”