
Rapid7 report millions of endpoints exposed via SMB, Telnet Ports

A study conducted by the security firm Rapid7 revealed that millions of devices remain exposed to cyber attacks via SMB, Telnet, RDP, and other improperly configured services.

Rapid7 published the second edition of its National Exposure Index report, which provides Internet service providers (ISPs) worldwide with information about the global exposure of devices.

The researchers scanned the Internet for improperly configured services, such as Server Message Block (SMB) and Telnet, which were recently targeted by the WannaCry attack and by IoT botnets (e.g. Mirai, Persirai) respectively.

The experts counted 5.5 million machines with the SMB port exposed; the figure is alarming considering that before May 2017, when WannaCry spread, the number of exposed devices was 4.7 million.

According to Rapid7, 800,000 of the endpoints exposing Microsoft file-sharing services (SMB, TCP port 445) are Windows systems.

“Over 1 million endpoints were confirmed exposing Microsoft file-sharing services (SMB, TCP port 445), with 800,000 of them being confirmed Windows systems, spanning virtually the entire product and release version lineage of the company. This made for a target-rich environment for WannaCry, a ‘ransomworm’ that spreads in part through an SMB exploit made public in May of 2017. This vulnerability was also actively sought out in May 2017, with SMB port scan results increasing by 17% (4.7 million to 5.5 million nodes). Blocking port 445 would mitigate potential threats like this.” states the report.

The analysis of devices with exposed Telnet (port 23) revealed roughly 10 million devices exposed to attacks. In this case, the number of exposed devices has decreased from the 14.8 million discovered last year, but the situation is still alarming.

“Port scanning for telnet (port 23) in 2017 returned just under 10 million responsive nodes, compared to 2016’s scan results of over 14.8 million. This 33% drop in apparent telnet services can almost certainly be pinned to two developments: 1) ISP actions, such as closing port 23 in response to the Mirai botnet, and 2) Mirai, BrickerBot, and other botnets knocking nodes offline.” continues the report.

The drop is likely caused by the action of ISPs that started closing port 23 following the botnet attacks.

The researchers highlighted that other services exposed to the Internet could be exploited by hackers, including FTP (port 21), RDP (port 3389), PPTP (port 1723), rpcbind (port 111), and MySQL (port 3306).

Rapid7 estimated that over 90 million endpoints running these inappropriate services are exposed on the Internet.

Zimbabwe, Hong Kong SAR, Samoa, Republic of the Congo, Tajikistan, Romania, Ireland, Lithuania, Australia, and Estonia are the most exposed countries.

“The most exposed regions are Zimbabwe, Hong Kong SAR, Samoa, Republic of the Congo, Tajikistan, Romania, Ireland, Lithuania, Australia, and Estonia. No discussion of national exposure would be complete without reference to the three major cyber superpowers: the United States, China, and the Russian Federation. While both the Russian Federation and China are among the top 50 most exposed nations, the U.S. has relatively low exposure in relation to its enormous IPv4 address space” states the report.

Experts at Rapid7 scanned 30 service ports and also analyzed the exposure of two “canary” TCP ports, port 5 and port 61439. The experts discovered 3.2 million devices exposing services on these two ports, and more than 2.3 million IPs located in 133 countries exposed both ports at the same time.
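To make the report's two measurements concrete (per-service exposure counts for the ports listed above, and hosts that answer on both canary ports at once), here is a small Python script that summarizes per-host open-port observations. It is an added example, not Rapid7's tooling, and the scan data in it is constructed. The port-to-service table comes from the article; the reading that a host answering on both canary ports is most likely an unfiltered host rather than one running two real services is my assumption, not a claim from the report.

```python
"""
Summarize per-host open-port observations in the style of the National
Exposure Index: count hosts exposing each risky service, count exposed
hosts per country, and flag hosts answering on both "canary" ports.

Added example, not Rapid7's code. SAMPLE_SCAN below is constructed.
"""
from collections import Counter

# Services the article calls out, keyed by TCP port.
RISKY_SERVICES = {
    21: "FTP",
    23: "Telnet",
    111: "rpcbind",
    445: "SMB",
    1723: "PPTP",
    3306: "MySQL",
    3389: "RDP",
}

# The two canary ports from the report. Assumption: a host that answers on
# both is most likely unfiltered, not running two real services there.
CANARY_PORTS = {5, 61439}

# Constructed sample: (ip, ISO country code, set of responsive TCP ports).
# Addresses are from the TEST-NET-1 documentation range; not real scan data.
SAMPLE_SCAN = [
    ("192.0.2.10", "ZW", {23, 80}),
    ("192.0.2.11", "ZW", {445, 3389}),
    ("192.0.2.12", "HK", {5, 61439, 23, 445}),
    ("192.0.2.13", "HK", {5}),            # one canary only: not flagged
    ("192.0.2.14", "US", {443}),          # HTTPS only: not a risky service
    ("192.0.2.15", "US", {3306, 21}),
]


def summarize(scan):
    """Return (hosts per risky service, exposed hosts per country,
    list of IPs answering on both canary ports)."""
    per_service = Counter()
    per_country = Counter()
    both_canaries = []
    risky_ports = set(RISKY_SERVICES)
    for ip, country, ports in scan:
        ports = set(ports)
        exposed = ports & risky_ports
        for port in exposed:
            per_service[RISKY_SERVICES[port]] += 1
        if exposed:
            per_country[country] += 1
        if CANARY_PORTS <= ports:
            both_canaries.append(ip)
    return per_service, per_country, both_canaries


def percent_change(before, after):
    """Year-over-year change in a node count, as a percentage of `before`
    (the report's SMB figures, 4.7M -> 5.5M, give roughly +17%)."""
    if before <= 0:
        raise ValueError("baseline count must be positive")
    return (after - before) / before * 100.0


if __name__ == "__main__":
    services, countries, canaries = summarize(SAMPLE_SCAN)
    for name, count in sorted(services.items()):
        print(f"{name:8s} exposed on {count} host(s)")
    for code, count in sorted(countries.items()):
        print(f"{code}: {count} host(s) exposing at least one risky service")
    print("Answering on both canary ports:", canaries)
    print(f"SMB change May 2017: {percent_change(4_700_000, 5_500_000):+.1f}%")
```

Running it on the constructed sample reports Telnet and SMB on two hosts each, FTP, MySQL and RDP on one host each, and flags only 192.0.2.12 for the canary check; the host that answers on port 5 alone is not flagged, which is the distinction the report draws when it counts hosts exposing "both ports at the same time".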

The study also revealed many services that aren’t encrypted, such as HTTP.

Take a look at the report; it is full of interesting data on global exposure.


Pierluigi Paganini

(Security Affairs – SMB, Internet)
