Unchecked Attack Surface: Actor's Delight

In a world where privacy is a myth and cyberattacks are more common than ever, protecting one's digital assets requires planning, timely mitigation and effective execution, so considering one's safety in the digital world is paramount. With the rise of cloud computing and the shift to working from home, keeping a complete inventory of every internet-exposed asset has become close to impossible. Monitoring the External Attack Surface addresses this gap: it discovers the assets that are actually reachable from the internet and scans them for the weaknesses that could become a grave threat to the organization.

Monitoring Insights

Volon helps customers proactively identify assets that have been exposed, knowingly or unknowingly, and protect them. The following are common findings encountered in most of our scans.

1. Multiple unique public-facing assets exposing well-known TCP services (SSH, SFTP, RDP, Citrix)

Implication: Every remote-access service reachable from the internet is a direct authentication surface. Attackers can brute-force it or replay stolen credentials against it, and where the service's login handling is vulnerable, crafted input supplied to the SSH or SFTP command-line interface (CLI) during login can compromise the authentication and integrity of the asset. A successful login or exploit on such a host typically yields shell access, and from there can lead to root privileges for the attacker.

RDP Exposure: Volon Research recently reported a threat actor, 'utopdop', advertising network access via RDP to three unnamed American companies and one Malaysian company, with yearly revenues of $100 million to $1 billion.

Citrix Exposure: Volon Research recently reported a threat actor, 'Ahnenerbe', advertising network access via Citrix to three unnamed companies based in Italy and Spain, with yearly revenues between $40 million and $98 million.

2. Websites exposing unencrypted form/login pages

Implication: A login or data-entry form that is served or submitted over plain HTTP means the communication channel between the organization and the end user is unprotected. Anyone on the network path can read or alter the traffic in a man-in-the-middle (MITM) attack and harvest the credentials and personal data users submit, so users end up handing their sensitive data straight to the attacker.

Volon Threat Research recently engaged online with an actor operating under the handle 'BOOK_1' on the English-language cyber-crime forum 'Raid'. The engagement followed the actor's post offering for sale a database claimed to belong to an unnamed Taiwanese e-commerce company and containing the details of about 500K users. The end users' stolen credentials were unencrypted.

Sample Screen Capture  
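The check behind this finding, as an added example that is not code from the original post or from Volon: the script parses a page's HTML and reports every form containing a password field whose submit target resolves to a plain http:// URL (a form with no action submits back to the page it came from, so an http:// page is caught as well as an https:// page posting to an http:// endpoint). The function name `find_plaintext_login_forms`, the sample pages and the example.* host names are constructed for the demonstration.

```python
"""Flag HTML forms that would send a password over plaintext HTTP.

Added example for this article (not Volon's tooling). Standard library only;
it runs offline on the constructed sample pages below.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> together with the input types it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "inputs": [type, ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # An <input> with no type attribute is a text field per the HTML spec.
            self._current["inputs"].append((attrs.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_plaintext_login_forms(page_url, html):
    """Return the absolute submit URLs of password forms that post over http://.

    The submit target is the form's action resolved against the page URL, so
    an empty action inherits the page's own scheme.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if "password" not in form["inputs"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() == "http":
            findings.append(target)
    return findings


# Constructed sample pages (not real sites); hosts use reserved example names.
SAMPLE_PAGES = {
    # Login page itself served over HTTP: the form posts back to the same URL.
    "http://shop.example/login": """
        <form method="post">
          <input name="user"><input type="password" name="pw">
        </form>""",
    # HTTPS page whose login form posts to a plaintext legacy endpoint.
    "https://secure.example/account": """
        <form action="http://legacy.example/auth" method="post">
          <input type="text" name="u"><input type="PASSWORD" name="p">
        </form>
        <form action="/search"><input name="q"></form>""",
    # Properly protected: HTTPS page, relative action stays on HTTPS.
    "https://ok.example/signin": """
        <form action="/session" method="post">
          <input type="email"><input type="password">
        </form>""",
}


def scan_samples():
    """Run the check over every constructed page; {page_url: [flagged targets]}."""
    return {url: find_plaintext_login_forms(url, html) for url, html in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for url, hits in scan_samples().items():
        print(url, "->", hits or "ok")
```

In a real scan the HTML would come from fetching each discovered host over both HTTP and HTTPS; the parser does not care how the page was obtained.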

3. Assets running possibly vulnerable software

Implication: Depending on the flaw and on the mitigations an organization has in place, a software vulnerability typically has one of three kinds of impact:

  • Privilege elevation: an attacker who exploits the vulnerability gains elevated privileges on the compromised system, potentially allowing them to delete data or take control of the system for malicious purposes.
  • Information disclosure: an attacker who exploits the flaw gains access to sensitive information.
  • Denial of service: an attacker who exploits the vulnerability can deny legitimate users access to computer resources or disrupt system operations.

4. Assets with expired SSL/TLS certificates, some of which are about to expire

Implication: An expired certificate fails validation in every properly configured client, so browsers show a full-page warning and automated integrations break. Users who are told to click through that warning can no longer tell a genuinely expired certificate from one an attacker presents while impersonating the site, which undermines both the encryption and the mutual authentication the certificate was meant to provide. Both the website and its end users are then highly prone to attack: an attacker can easily stand up an identical-looking site to lure customers into handing over their data, and the outage itself damages the brand's reputation.
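An added example, not part of the original post, of the expiry check this finding implies. It is standard-library Python: `classify()` buckets a certificate's notAfter date into expired, expiring-soon or ok (the 30-day warning threshold and the function names are assumptions), and `check_host()` performs a live handshake. Certificate validation is deliberately left on, because `getpeercert()` returns an empty dict when verification is disabled; an already-expired certificate therefore shows up as a verification error rather than as a date, and the code treats that error as the finding.

```python
"""Classify TLS certificates by time to expiry.

Added example for this article (not Volon's tooling); standard library only.
classify() works offline on notAfter strings in the format ssl.getpeercert()
returns; check_host() does a real handshake and is only used from __main__.
"""
import socket
import ssl
import time

WARN_DAYS = 30                       # assumed threshold for "expiring soon"
X509_V_ERR_CERT_HAS_EXPIRED = 10     # OpenSSL verify code for an expired certificate


def days_until_expiry(not_after, now=None):
    """Days until `not_after` (negative if already past).

    `not_after` uses getpeercert()'s format, e.g. 'Jun  1 12:00:00 2025 GMT';
    `now` is a Unix timestamp and defaults to the current time.
    """
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Return 'expired', 'expiring-soon' or 'ok' for a certificate's notAfter."""
    remaining = days_until_expiry(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring-soon"
    return "ok"


def check_host(host, port=443, timeout=5.0):
    """Connect to a live host and classify the certificate it presents.

    Returns (verdict, notAfter).  With an expired certificate the handshake
    fails before any dates can be read, so notAfter is None in that case.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        if err.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return "expired", None
        raise          # other validation failures (wrong name, untrusted CA) are separate findings
    return classify(not_after), not_after


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, *check_host(host))
```

Run it as `python cert_check.py host1 host2 ...`; hosts with a hostname mismatch or an untrusted chain raise rather than being reported as "ok", which is the safe default for an inventory tool.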

5. Assets listed in multiple anti-spam or similar blacklists

Implication: An email blacklist is a repository of IP addresses, domain names, email addresses and similar assets that have been observed sending spam or phishing. Perhaps the most common reason legitimate senders end up on one is that their accounts or servers were compromised and used to send spam and phishing mail. Once listed, the organization's mail is rejected or quarantined by recipients, which disrupts the communication flow and compromises the brand's value.
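How such a listing is checked, as an added example that is not Volon's code: DNS-based blocklists (DNSBLs) are queried by reversing the octets of an IPv4 address under the list's zone, and a listed address resolves to an A record, by convention in 127.0.0.0/8, while an unlisted one returns NXDOMAIN. The two zones named are well-known public lists picked here as an assumption, the function names are assumptions, and the 192.0.2.x addresses are a documentation range used for the offline checks.

```python
"""Look up IPv4 addresses in DNS-based blocklists (DNSBLs).

Added example for this article (not Volon's tooling); standard library only.
Name construction and answer interpretation work offline; check_ip() performs
real DNS queries and is only used from __main__.
"""
import ipaddress
import socket

# Assumed set of public lists to consult; substitute the ones relevant to you.
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: 192.0.2.1 under zone Z becomes 1.2.0.192.Z"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer_ips):
    """'listed' if every answer is in 127.0.0.0/8, 'not-listed' if there is none.

    Anything else is 'unexpected', typically a resolver that rewrites NXDOMAIN
    into an ad page, and must not be mistaken for either verdict.  Lists encode
    the listing reason (and some query errors) in the last octets, so read the
    list's documentation before acting on a hit.
    """
    if not answer_ips:
        return "not-listed"
    if all(ipaddress.ip_address(a) in LISTED_RANGE for a in answer_ips):
        return "listed"
    return "unexpected"


def check_ip(ip, zones=DEFAULT_ZONES):
    """Query each zone for `ip`; returns {zone: (verdict, answer_ips)}."""
    results = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            _, _, answers = socket.gethostbyname_ex(name)
        except socket.gaierror:
            answers = []   # NXDOMAIN, or a resolver failure (indistinguishable here)
        results[zone] = (interpret_answer(answers), answers)
    return results


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:] or ["192.0.2.1"]:
        for zone, (verdict, answers) in check_ip(ip).items():
            print(f"{ip} @ {zone}: {verdict} {answers}")
```

Run the lookups from a resolver you control: several public lists refuse or rate-limit queries that arrive via large shared resolvers, and a refusal looks like "not listed" to naive code.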

6. Web servers exposing the default welcome page

Implication: A default web page usually identifies a web server that was installed but never put to use. Stopping such an unnecessary server frequently resolves a slew of other findings tied to the unused site. Default pages also commonly reveal the server product and version, so the organization becomes an easy target: attackers can simply look up the publicly available exploits for that exact version instead of having to fingerprint the host themselves.

The root cause is server misconfiguration, in which a server that is not in use is left running and serving its stock page. The details a remote attacker gleans from it aid later attacks.

Default Page
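An added example covering both finding 3 and finding 6 (not code from the original post or from Volon): it splits an HTTP response into status, headers and body, flags a `Server` header that carries a version number, and matches the page title against the stock titles that common web servers ship. The marker list, the function names and the sample responses are assumptions constructed for the demonstration; the live `fetch()` helper is only called when the script is run by hand.

```python
"""Flag default welcome pages and version-leaking Server headers.

Added example for this article (not Volon's tooling); standard library only.
assess_raw() works offline on the constructed responses in SAMPLES.
"""
import http.client
import re

# Title text carried by stock placeholder pages (assumed list; extend as needed).
DEFAULT_PAGE_MARKERS = (
    "Apache2 Ubuntu Default Page",
    "Apache2 Debian Default Page",
    "Apache HTTP Server Test Page",
    "Test Page for the Apache HTTP Server",
    "Welcome to nginx!",
    "IIS Windows Server",
    "you've successfully installed Tomcat",
)

# "Apache/2.4.41 (Ubuntu)" or "Microsoft-IIS/10.0" -> product and version.
SERVER_VERSION_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d[\w.-]*)")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def page_title(body):
    """Return the <title> text with whitespace collapsed, or '' if absent."""
    match = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return " ".join(match.group(1).split()) if match else ""


def assess(status, headers, body):
    """Return the list of findings for one response (empty list = nothing to report)."""
    findings = []
    version = SERVER_VERSION_RE.match(headers.get("server", ""))
    if version:
        findings.append(f"Server header leaks version: {version['product']} {version['version']}")
    title = page_title(body)
    for marker in DEFAULT_PAGE_MARKERS:
        if marker.lower() in title.lower():
            findings.append(f"default page: title {title!r}")
            break
    return findings


def assess_raw(raw):
    return assess(*parse_response(raw))


def fetch(host, port=80, path="/", timeout=5.0):
    """GET a page from a live host and return (status, headers, body) for assess()."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "surface-check"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


# Constructed sample responses (not captured from real hosts).
SAMPLES = {
    "stock-apache": (
        "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n"
        "<html><head>\n<title>Apache2 Ubuntu Default Page: It works</title>\n</head><body></body></html>"
    ),
    "stock-iis": (
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>IIS Windows Server</title></head><body></body></html>"
    ),
    "hardened": (
        "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>Customer Portal</title></head><body>Sign in</body></html>"
    ),
}


if __name__ == "__main__":
    import sys
    for name, raw in SAMPLES.items():
        print(name, "->", assess_raw(raw) or "nothing to report")
    for host in sys.argv[1:]:
        print(host, "->", assess(*fetch(host)) or "nothing to report")
```

A version in the `Server` header is reported even when the page is not a default one, since that is exactly the clue finding 3 relies on; the "hardened" sample shows the bare product name that `ServerTokens Prod` (Apache) or `server_tokens off` (nginx) produce.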

7. Assets relating to database exposure

Implication: Sensitive data is exposed when the database holding it is inadequately safeguarded. The cause can be faulty or absent encryption, unpatched software vulnerabilities, a database reachable from the internet, or someone uploading data to the wrong database. Hackers seek out personally identifiable information and other data to steal money, compromise identities and more. Stolen data is often sold on the dark web, which leaves the affected users and the organization more prone to follow-on attacks.

Takeaway

Organizations must understand and keep track of their exposed assets, because those assets form the attack surface through which threat actors open a door into the wider infrastructure. Regular monitoring of the External Attack Surface combines the right security measures with early detection of threats, ensuring 360° coverage of a company's assets and helping companies adjust their security mechanisms to improve their overall security posture.

– Naveen Madhawan / Simran Kothari
