In a world where privacy is a myth and cyberattacks are more common than ever, protecting one’s digital assets requires planning, timely mitigation and effective execution. It is therefore paramount to consider one’s safety in the digital world. Maintaining a complete inventory of every internet-exposed item has become an insurmountable problem with the rise of cloud computing and the mandate to work from home. The problem can be addressed by scanning the External Attack Surface for vulnerabilities that could prove to be a grave threat to the organization.
Volon helps customers proactively identify and protect their assets from being exposed, knowingly or unknowingly. The following are some of the common findings encountered in most of the scans.
1. Multiple unique public-facing assets found exposing well-known TCP services
Implication: An attacker can exploit a vulnerability by supplying crafted input to the SSH or SFTP command-line interface (CLI) during SSH or SFTP login. This compromises the authentication and integrity of the asset, and can further lead to the attacker obtaining root privileges.
RDP Exposure: Recently, Volon Research reported that a threat actor ‘utopdop’ advertised network access via RDP, claimed to belong to three unnamed American companies and one Malaysian company with yearly revenues of $100 million to $1 billion.
Citrix Exposure: Recently, Volon Research reported that a threat actor ‘Ahnenerbe’ advertised network access via Citrix to three unnamed companies based in Italy and Spain, with yearly revenues between $40 million and $98 million.
2. Websites found exposing an unencrypted form or login page
Implication: Websites exposing unencrypted form or login pages mean that the communication channel between the organization and the end user is not protected. Attackers can steal the data in transit via MITM attacks, so users end up handing their sensitive data to the attackers.
Recently, Volon Threat Research performed an online engagement with an actor operating under the handle ‘BOOK_1’ on the English-language cyber-crime forum ‘Raid’. The engagement was based on the actor’s post offering a database claimed to belong to an unnamed Taiwanese e-commerce company and containing the details of about 500K users. The stolen end-user credentials were unencrypted.
Sample Screen Capture
3. Assets running possibly vulnerable software
Implication: A software vulnerability may have one of three types of impact, depending on the mitigation techniques an organization uses:
- Privilege elevation: An attacker who exploits the vulnerability could gain elevated privileges on the compromised system, potentially allowing them to delete data or take control of systems for malicious purposes.
- Disclosure of information: An attacker who exploits the vulnerability could gain access to sensitive information.
- Denial of service: An attacker who exploits the vulnerability could block legitimate access to computing resources or disrupt system operations.
4. Assets identified with expired SSL certificates, and a few with certificates about to expire
Implication: When a company’s certificate has expired or is about to expire, the company puts its encryption and mutual authentication at risk. As a result, both the website and the end user are highly prone to attacks. For instance, an attacker can easily set up an identical website to lure customers and end users into giving up their data, which also damages the reputation of the brand.
5. Assets identified in multiple anti-spam or similar blacklists
Implication: An email blacklist is a repository of email addresses, IP addresses, domain names and other assets that have been identified as sources of phishing and spam. Perhaps the most common reason legitimate email users end up blacklisted is that their accounts are hacked and used to send spam and phishing emails. This compromises brand value and disrupts the flow of communication.
6. Web servers found exposing the default welcome page
Implication: The “default web page” finding can be used to identify inactive web servers running on a host. Stopping such a web server frequently resolves a slew of other vulnerabilities related to the (unnecessary) website. Default pages often give away the version of the server, which makes the organization an easy target, since attackers can simply use the readily available exploits for that particular version.
This issue is caused by server misconfiguration that permits access to default pages when the server is not in use. If the exploit succeeds, remote attackers obtain sensitive information that aids future attacks.
7. Assets relating to database exposure
Implication: Exposure of sensitive data occurs when a database in which information is maintained is inadequately safeguarded. This can be due to a variety of factors, such as faulty encryption, no encryption, software vulnerabilities, or someone uploading data to the wrong database. Hackers seek out personally identifiable information and other data to steal money, compromise identities, and so on. Stolen data is often sold on the dark web, which leaves the user or organization more prone to future attacks.
It is imperative for organizations to understand and keep track of their exposed assets, as these serve as the “Attack Surface” through which threat actors open a door into the greater infrastructure. Regular monitoring of the ‘External Attack Surface’ provides the right combination of security measures and early detection of threats, ensuring 360° coverage of a company’s assets and helping companies adjust their security mechanisms to improve their overall security posture.
– Naveen Madhawan / Simran Kothari