denise_dubie
Senior Editor

Insecure protocols leave networks vulnerable: report

News
May 09, 2024 (4 mins)
Network Security, Networking, SASE

The Cato CTRL SASE Threat Report reveals the trusted traffic that networks must stop: many enterprises still rely on insecure protocols such as HTTP, Telnet and early versions of SMB.

Enterprise IT managers prove to be too trusting of internal network protocols, as many organizations do not encrypt their WAN traffic, according to a new security threat report.

Secure Access Service Edge (SASE) provider Cato Networks this week released the results of its Cato CTRL SASE Threat Report for Q1 2024 at the RSA Conference in San Francisco. The report summarizes findings gathered from Cato traffic flows across more than 2,200 customers during the first quarter, adding up to 1.26 trillion network flows analyzed.

According to the report, many enterprises continue to run unsecured protocols across their WANs, which means that once a bad actor penetrates the network, fewer obstacles stand between them and critical data in transit across it.

“As threat actors constantly introduce new tools, techniques, and procedures targeting organizations across all industries, cyber threat intelligence remains fragmented and isolated to point solutions,” said Etay Maor, chief security strategist at Cato Networks and founding member of Cato CTRL, in a statement. “Cato CTRL is filling the gap to provide a holistic view of enterprise threats. As the global network, Cato has granular data on every traffic flow from every endpoint communication across the Cato SASE Cloud Platform.”

Hackers exploit internal network protocols

Unencrypted data traversing internal networks isn’t secure merely because it stays inside the network perimeter. Bad actors can use these less secure protocols to scan environments, identify vulnerabilities to exploit, and read whatever the protocols carry.

For instance, Cato’s analysis found that 62% of environments run HTTP, which carries requests, cookies and credentials unencrypted. In addition, the report shows that while the Secure Shell (SSH) protocol is the encrypted option for accessing remote services, 54% run Telnet inside their organizations. Telnet sessions are not encrypted, so logins and commands cross the network in plain text.

Nearly half (46%) use Server Message Block (SMB) v1 or v2. SMB, the protocol used for Windows file sharing and related services, was revised in SMB v3 to close known weaknesses. Still, Cato found that many organizations continue to rely on SMB v1 and SMB v2 despite known vulnerabilities such as EternalBlue, which exploits SMB v1, and denial of service (DoS) attacks. SMB v3 also supports encryption with AES-128-GCM, according to the report, though that protection only applies when both ends negotiate a 3.x dialect and the server is configured to require encryption.

“The HTTP traffic analysis clearly shows that many organizations do not encrypt their WAN traffic,” the report states. “This means that if an adversary is already inside the organization’s network, they can eavesdrop on unencrypted communications that may include personally identifiable information (PII) or sensitive information such as credentials.” Access to such data helps bad actors with lateral movement, the process of moving between systems inside an already-compromised network in search of further footholds. That movement across network devices and applications can go undetected until the attackers reach their ultimate target.
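The protocol findings above (HTTP, Telnet, SMB v1/v2) and the eavesdropping risk they create can be turned into a simple flow audit. The following is an added example, not code from the article or from Cato: it runs over flow records constructed for the example and, for SMB flows, parses the client's NEGOTIATE request to see whether the client still speaks SMB v1 (it only sends an SMB1-format negotiate when SMB1 is enabled) and whether it offers any 3.x dialect that could carry encryption. The Flow record shape, the service labels and the sample addresses are assumptions; the SMB header layouts and dialect codes are the ones in MS-CIFS and MS-SMB2.

```python
"""Audit constructed flow records for cleartext and legacy protocols.

Flags HTTP and Telnet flows as cleartext and inspects the first SMB payload
(the client's NEGOTIATE request) to report SMB1-capable clients and SMB2
clients that offer no 3.x dialect.  All sample data is constructed."""
import struct
from dataclasses import dataclass

# SMB2/3 dialect codes (MS-SMB2 section 2.2.3); these are the real wire values.
SMB2_DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                 0x0302: "3.0.2", 0x0311: "3.1.1"}

# Service label -> finding tag.  Labels are an assumption of this example.
CLEARTEXT = {"http": "cleartext-http", "telnet": "cleartext-telnet"}


def smb_dialects_offered(payload: bytes) -> list[str]:
    """Dialects listed in an SMB NEGOTIATE request, in wire order.

    SMB1 (\\xffSMB, command 0x72): 32-byte header, WordCount, ByteCount, then
    0x02-prefixed NUL-terminated dialect strings.  SMB2 (\\xfeSMB, command 0):
    64-byte header, DialectCount at body offset 2, 16-bit codes at body offset 36.
    Anything else (or a truncated packet) yields an empty list."""
    try:
        if len(payload) >= 35 and payload[:4] == b"\xffSMB" and payload[4] == 0x72:
            bc_off = 33 + 2 * payload[32]            # skip WordCount and words
            (byte_count,) = struct.unpack_from("<H", payload, bc_off)
            buf = payload[bc_off + 2: bc_off + 2 + byte_count]
            return [d.split(b"\x00", 1)[0].decode("ascii", "replace")
                    for d in buf.split(b"\x02")[1:]]
        if (len(payload) >= 100 and payload[:4] == b"\xfeSMB"
                and struct.unpack_from("<H", payload, 12)[0] == 0):
            (count,) = struct.unpack_from("<H", payload, 64 + 2)
            codes = struct.unpack_from(f"<{count}H", payload, 64 + 36)
            return [SMB2_DIALECTS.get(c, f"0x{c:04x}") for c in codes]
    except struct.error:
        pass
    return []


def smb_findings(payload: bytes) -> list[str]:
    """An SMB1-format negotiate means SMB1 is still enabled on the client.
    An SMB2-format negotiate with no 3.x dialect can never use SMB3 encryption,
    whatever the server's policy says."""
    offered = smb_dialects_offered(payload)
    tags = []
    if payload[:4] == b"\xffSMB":
        tags.append("smb1-enabled-client")
    if payload[:4] == b"\xfeSMB" and offered and not any(d.startswith("3.") for d in offered):
        tags.append("smb-no-v3-dialect")
    return tags


@dataclass
class Flow:                      # assumed record shape, one per flow
    src: str
    dst: str
    dport: int
    service: str                 # label a flow collector would assign
    first_payload: bytes = b""   # first client payload, used for SMB


def assess_flow(flow: Flow) -> list[str]:
    tags = [CLEARTEXT[flow.service]] if flow.service in CLEARTEXT else []
    if flow.service == "smb":
        tags.extend(smb_findings(flow.first_payload))
    return tags


def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Map 'src->dst:dport' to its findings, dropping flows with none."""
    return {f"{f.src}->{f.dst}:{f.dport}": tags
            for f in flows if (tags := assess_flow(f))}


def _smb1_negotiate(dialects: list[bytes]) -> bytes:
    """Build a constructed SMB1 Negotiate Protocol Request (WordCount 0)."""
    buf = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    header = b"\xffSMB" + bytes([0x72]) + bytes(27)        # 32-byte header
    return header + bytes([0]) + struct.pack("<H", len(buf)) + buf


def _smb2_negotiate(codes: list[int]) -> bytes:
    """Build a constructed SMB2 NEGOTIATE request (zeroed GUID/contexts)."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, *([0] * 10)) + bytes(16)
    body = struct.pack("<HHHHI16sQ", 36, len(codes), 1, 0, 0, bytes(16), 0)
    return header + body + struct.pack(f"<{len(codes)}H", *codes)


SAMPLE_FLOWS = [  # constructed for the example; not real traffic
    Flow("10.0.1.20", "10.0.2.5", 80, "http"),
    Flow("10.0.1.21", "10.0.2.9", 23, "telnet"),
    Flow("10.0.1.22", "10.0.2.9", 22, "ssh"),
    Flow("10.0.1.30", "10.0.2.40", 445, "smb",
         _smb1_negotiate([b"NT LM 0.12", b"SMB 2.002", b"SMB 2.???"])),
    Flow("10.0.1.31", "10.0.2.40", 445, "smb", _smb2_negotiate([0x0202, 0x0210])),
    Flow("10.0.1.32", "10.0.2.40", 445, "smb",
         _smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])),
]

if __name__ == "__main__":
    for key, tags in audit(SAMPLE_FLOWS).items():
        print(key, ", ".join(tags))
```

The SMB1 sample lists "SMB 2.???" alongside "NT LM 0.12", which is what a Windows client with SMB1 still enabled sends; the server answers with an SMB2 wildcard and the real dialect list arrives in a second, SMB2-format negotiate, so the SMB1 check only flags the client's SMB1 capability and does not judge its encryption support. In a real deployment the `Flow` records would come from a flow collector or packet capture rather than being built inline.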

“To stop cyberattacks, enterprises should be using in-house machine learning modules based on company data and threat intelligence feeds. They also need to be careful of compromised systems within their organizations. Threat actors are leveraging them to scan (mainly SMB scanning) the network for vulnerabilities,” the report states.

Separately, Cato’s traffic analysis uncovered the most frequently spoofed shopping sites, whose look-alike domains are used in phishing and spoofing attempts to harvest personal information.

These cybersquatting efforts, also known as domain squatting, register a domain name that trades on the reputation and recognition of a brand belonging to someone else. By building common typos or slight word differences into the domain name, bad actors can pose as the legitimate site and capture users who mistype the address.

According to the report, Booking, Amazon, and eBay are the top three well-known brands involved in spoofing attempts. Other commonly spoofed brands include Pinterest, Google, Apple, Netflix, Microsoft, Instagram, and YouTube.
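One way to generate the typo variants described above and match observed hostnames against them, as an added example that is not the report's method or Cato's code. The brand names come from the report; the hostnames checked are constructed, and the variant rules (dropped letter, transposed letters, repeated letter, adjacent QWERTY key, inserted hyphen, swapped TLD, brand embedded in a longer label or used as a subdomain) are a common subset of what squatters register, not an exhaustive list. The legitimate-TLD list is an assumption and would be per-brand in practice.

```python
"""Generate typo-squat variants of brand domain labels and classify hostnames.

All hostnames below are constructed for the example."""
from typing import Optional

# QWERTY neighbours used for adjacent-key substitutions (letters only).
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def typo_variants(label: str) -> set[str]:
    """Labels a squatter would register for `label` (one edit away)."""
    variants = set()
    n = len(label)
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])                 # omission:     amazn
        variants.add(label[:i] + label[i] + label[i:])          # repetition:   amazzon
        for key in KEYBOARD_NEIGHBOURS.get(label[i], ""):
            variants.add(label[:i] + key + label[i + 1:])       # adjacent key: amszon
    for i in range(n - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition: amaozn
        variants.add(label[:i + 1] + "-" + label[i + 1:])       # hyphenation:  ama-zon
    variants.discard(label)
    return variants


def classify_domain(hostname: str, brands: set[str],
                    legit_tlds: tuple[str, ...] = ("com",)) -> Optional[str]:
    """Return a reason if `hostname` looks like it squats on one of `brands`,
    or None if it is the brand's own domain or unrelated.  `legit_tlds` is an
    assumption of the example; real checks would use a per-brand allow-list."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    for brand in brands:
        if sld == brand:
            return None if tld in legit_tlds else f"{brand}: tld-swap .{tld}"
        if sld in typo_variants(brand):
            return f"{brand}: typo variant {sld}"
        if brand in sld:
            return f"{brand}: brand embedded in {sld}"
        if brand in labels[:-2]:
            return f"{brand}: brand used as subdomain"
    return None


WATCHED_BRANDS = {"booking", "amazon", "ebay"}   # the report's top three

# Constructed hostnames to classify; none of these are known squat domains.
SAMPLE_HOSTNAMES = [
    "www.amazon.com", "amazn.com", "amaozn.com", "ebay.support",
    "booking-secure.com", "amazon.com.example.net", "example.org",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        print(f"{host:28} {classify_domain(host, WATCHED_BRANDS) or 'ok'}")
```

Feeding newly observed DNS names or certificate-transparency entries through `classify_domain` is the usual place for this check; the variant generator is also what you would run against your own brand to pre-register or monitor the obvious look-alikes.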