Internet hygiene still stinks despite botnet and ransomware flood

Network security has improved little over the last 12 months – millions of vulnerable devices are still exposed on the open internet, leaving them defenceless to the next big malware attack.

A follow-up audit by Rapid7 – the firm behind the Metasploit pen-testing tool – found that more than a million endpoints were confirmed as exposing Microsoft file sharing services (Server Message Block, TCP port 445). The majority (800,000) of these systems were on Windows, leaving a target-rich environment for WannaCrypt, the ransomware worm that infected many NHS hospitals and enterprise targets worldwide last month. The SMB SYN scan results increased by 17 per cent this year compared to the same audit last year (4.7 million to 5.5 million nodes).

SYN scanning for Telnet in 2017 returned just under 10 million responsive nodes, compared to 2016's scan results of over 14.8 million. This 33 per cent drop in apparent Telnet services can almost certainly be pinned on a response to Mirai, BrickerBot, and other botnets. Mirai was responsible for a DDoS attack on DNS provider Dyn last October that left scores of high-profile websites unreachable for hours as domain lookup queries failed to resolve.

Rapid7 hopes its research will encourage enterprises and consumers alike to adopt more restrictive security policies, shielding kit from attack by disabling ports or protecting them with firewalls. The consequences for poor internet hygiene will be messy, it warns.

"Server ransomware, ransomworm propagation, insecure Internet of Things, and dozens more headlines reminded us, almost monthly, that the internet is, indeed, a fragile ecosystem that needs deliberate care and attention," Rapid7 concludes. "Being mindful of both what your organization deploys and how those services are deployed and maintained can have a significant impact on the health of the entire internet." ®