Post-WannaCry, 5.5 Million Devices Still Expose SMB Port

In its annual National Exposure Index report, Rapid7 found 160 million computers, IoT devices and servers with open ports that should not be exposed to the public network.

If you thought WannaCry inspired a global wakeup call and a massive crackdown on exposed and dangerous ports, you would be wrong.

In its annual National Exposure Index report, Rapid7 found 160 million computers, IoT devices and servers with open ports that should not be exposed to the public network. The ambitious project scanned more than three billion IP-addressable, public internet servers and checked for exposed services on 30 different ports on each device.

When it came to WannaCry, and the file-sharing SMB port 445, the numbers were bleak.

In 2016, 4.6 million internet connected devices left port 445 wide open. When Rapid7 checked again, post the peak of the WannaCry outbreak, it found 5.5 million internet-connected devices with exposed ports.

“We were just as confused by those numbers as anyone else,” said Bob Rudis, chief data scientist, Rapid7.

Approximately 800,000 of those SMB ports, Rapid7 said, were on Windows systems and specifically vulnerable to the wormable WannaCry ransomware.

Things are notably better when it comes to protecting vulnerable Telnet ports that fueled the Mirai botnets. The number of those ports vulnerable dropped from 15 million to 10 million during the past year–a 33 percent reduction.

“We firmly believe that awareness around Mirai and BrickerBot played a role in the securing of ports and the move from using Telnet to SSH for device communications,” Rubis said. SSH stands for Secure Shell and is the industry standard replacement for Telnet.

“With all the talk about Mirai and the people taking over these cameras, we were really hoping if people knew that cameras and the internet of things were running off port 23, we would see a reduction of the number of things on port 23,” researchers wrote in their report released Wednesday.

In the report, Rapid 7 also looked at worst-offender nations when it comes to open and exposed ports. The most exposed regions include Zimbabwe, Hong Kong SAR, Samoa, the Congo Republic, Tajikistan, Romania, Ireland, Lithuania, Australia and Estonia.

The premise of the report wasn’t to focus on botnets and exposed SMB ports. The report is meant to highlight the fact an internet absent of cryptographic protection only encourages a hostile environment endangering both the virtual and the physical world of those devices connected to it, Rapid7 said.

“Widespread internet exposure makes for an environment attractive to criminals and other malicious actors, as well as accidental data breaches,” the report’s authors wrote. “This year, we continue this investigation into the risk of passive eavesdropping and active attack on the internet, and offer insight into the year-over-year changes involving these exposed services,” researchers said.

To that end, bright spots in the National Exposure Index include Belgium. Last year, the country topped the list of worst offender countries when it came to IP-addressable, public internet servers offering exposed services. This year it didn’t even make the top 50 worst offenders.

Belgium dropped by 250,000 exposed servers during the past year from more than 500,000.

In Belgium a greater percentage of the 30 ports looked at ran insecure services compared to other geographic regions.

In the United States, home to the largest allocation of IPv4 addresses in the world (1.6 billion), it has a remarkably low ranking on the National Exposure Index. The ratio of SSH to Telnet is 82 percent (smaller than other nations) and the exposed SMB and database percentages in the U.S. are at 0.1 and 0.3 percent, according to the study.

“That said, since the United States has such an enormous presence, those small percentages of unsafe services still represent significant exposure – there are over two million machines on the internet that appear responsive on SMB’s port 445, and over four million database servers responding on the Mysql and
Microsoft SQL server ports of 3306 and 1433,” according to the report.

Suggested articles