Our Exposed World – How Exposures Translate into Attacks

  • Posted on: November 29, 2017
  • Posted in: Security, Vulnerabilities & Exploits
  • Posted by: Natasha Hellberg (Senior Threat Researcher)

One of the questions I am asked most often is why I am not more concerned about sophisticated attacks. Why do I not deeply investigate new exploits as they are released? To which I reply, “because the old ones still cause more damage.” After 30 years of looking at the security of networks, the main trend I see can be summarized in a stanza from an old poem I used to read, “The Calf Path” by American poet Sam Foss.

A hundred thousand men were led
By one calf near three centuries dead;
They followed still his crooked way
And lost a hundred years a day;
For thus such reverence is lent
To well-established precedent.

We have protocols and computer code that were created when dial-up computers were the norm and the movie WarGames was in theaters. They have been rolled into newer technology, which was then rolled into yet other technology, and never did we go back and look at how vulnerable these older protocols and code were, because “we’ve always used them and nothing has happened, so we must be safe.”

Sound familiar? We also take technology and install it straight out of the box, not only leaving it insecure, but also without understanding how it might expose the other things around it. And the faster we have to move – because of lack of time, lack of resources, limited people – the more this is going to happen.

This brings me to my love of looking at our exposed world. The key fact most people miss is that every device exposed on the Internet is a potential device that can be used in attacks. If we are lucky, the devices are not like those I have described above: they have been both secured and locked down, so it takes developing an exploit or brute-force hacking to use them in these attacks. Unfortunately, based on the research Trend Micro’s FTR team has done, we can see we are not that lucky. There are still hundreds of thousands of devices out on the internet that are vulnerable (which is to say, it is known how to break into them) or have absolutely no security on them whatsoever.

My top four favorite examples of these are the following:

  • Ransomware / WannaCry-like attacks – attacks against network shares.
  • Data Exposures – forget breaches, this is where we do it to ourselves.
  • Device / Server Defacement – no hacking is needed if we leave the front door open.
  • DDoS Botnets and Booters – we are helping them make their networks bigger.

So let’s talk about these a bit further.

WannaCry-type attacks – attacks against network shares

In these types of attacks, the attacker is looking to move from one network share to another in order to spread and carry out ransomware-type attacks against the data it finds. What makes this attack worse is that many network shares are exposed directly to the internet – in these cases the attacker doesn’t even need to get a foothold into the corporate network first (via a phish or a download of some kind) before committing the attack. When we last looked, in May of 2017, there were 1.7M SMB-enabled devices (SMB being the protocol used to enable network shares) exposed to the Internet, with 24.9 percent of these in the US, 19.2 percent in the United Arab Emirates, and the rest distributed throughout the world. Worse yet, there were approximately 40K (13 percent in the US, 11.4 percent in Germany) with all forms of authentication disabled. That means anyone with those internet addresses can connect to those shares without a user name or password; no exploit is even needed in order to commit that attack.

Data Breaches

Data exposed on the internet can come in a few different forms. The most obvious of these is Internet-facing databases. MySQL, ElasticSearch, PostgreSQL, MongoDB, SQL Server, and CouchDB systems can all be seen in Shodan. In just one of these database types, for just one country, we could see over a terabyte of data exposed. Sadly the attackers know this too, and we can see that many of the table names have been altered to things like “Contact Me,” “Warning,” “PleaseRead,” or “Wehaveyourdata,” all suggesting that many of these databases were subject to the ransomware attacks known to have happened earlier this spring, with new ones on the rise earlier this fall.

Another instance of exposed data is illustrated by our example of exposed network drives. These drives are not only vulnerable to ransomware, as discussed previously, but the data on them is also wide open for anyone to view. Forget attackers breaching the data when it’s already open to the internet to read! I am sure some of that is by design, but the drive names one can see in the Shodan data suggest otherwise.

The third means by which data can be exposed is via NAS devices that are sitting open on the internet. At the time of writing, there were over 52.4K NAS devices of a variety of kinds facing outward to the internet, many of which had no authentication enabled for either SSH or FTP (a common means of accessing these devices).

Finally, it should be mentioned that any or all of these systems that either reside in Europe or contain information on a European citizen are soon to be subject to GDPR, whose fines for these types of exposures should more than give the average organization pause to reflect on how they are architecting their network.

Server Defacements and Hacking

The most depressing aspect of studying exposed systems, for a threat analyst such as myself, is observing how many servers themselves have doors that are wide open with no authentication. This is akin to leaving the door unlocked and wide open so people can walk in. We’ve already used the example of exposed SMB, but these can also provide a pivot point into the rest of the corporate network when they are not only exposed to the internet but also have internal network access at the same time. VNC is another older protocol used to create desktop and server connections, and the study found more than 3K of these on the internet with no authentication.

The breadth of the problem can be seen by just looking at router names and web server titles via Shodan. The number of web servers now with the HTTP banner header “hacked by…” is heartbreaking. In all three of these areas, these kinds of attacks could be made significantly harder if organizations focused efforts on some of the basics, as illustrated here. It’s been found that 80 percent of all attacks are because of something lacking in one of these Top 10s – can we make it that much harder for the attackers, please?
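The SMB, NAS and VNC figures above all come from the same kind of exercise: take a banner export, decide per record whether the service answered without credentials, and break the result out by service and country. The script below is an added example of that triage, not code from this post or from Trend Micro. It assumes the newline-delimited JSON layout of a Shodan export (`ip_str`, `port`, `location.country_code`, `data`) and uses constructed banner texts for SMB, VNC, FTP and MongoDB; the exact wording a real export produces for each service should be checked against your own data before the patterns are trusted.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of a Shodan JSON export: one banner object
# per line. Addresses come from documentation ranges and the banner texts are
# illustrative, not captures from real hosts.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ip_str": "192.0.2.10", "port": 445, "location": {"country_code": "US"},
     "data": "SMB Status:\n  Authentication: disabled\n  SMB Version: 1"},
    {"ip_str": "192.0.2.11", "port": 445, "location": {"country_code": "US"},
     "data": "SMB Status:\n  Authentication: enabled\n  SMB Version: 2"},
    {"ip_str": "198.51.100.5", "port": 445, "location": {"country_code": "DE"},
     "data": "SMB Status:\n  Authentication: disabled\nShares:\n  Backups\n  Finance"},
    {"ip_str": "198.51.100.9", "port": 5900, "location": {"country_code": "DE"},
     "data": "RFB 003.008\nVNC:\n  Security Types:\n    1 (None)"},
    {"ip_str": "203.0.113.7", "port": 5900, "location": {"country_code": "AE"},
     "data": "RFB 003.008\nVNC:\n  Security Types:\n    2 (VNC Authentication)"},
    {"ip_str": "203.0.113.20", "port": 21, "location": {"country_code": "AE"},
     "data": "220 NAS FTP server ready\n230 Anonymous access granted"},
    {"ip_str": "203.0.113.21", "port": 21, "location": {"country_code": "US"},
     "data": "220 NAS FTP server ready\n530 Login incorrect"},
    {"ip_str": "203.0.113.30", "port": 27017, "location": {"country_code": "US"},
     "data": "MongoDB Server Information\nDatabases:\n  admin\n  PleaseRead"},
    {"ip_str": "203.0.113.31", "port": 27017, "location": {"country_code": "US"},
     "data": "MongoDB Server Information\n  authentication required"},
])

# One rule per service: the port to examine and the banner pattern that shows
# the service answered without credentials. SSH is deliberately absent, since
# a banner alone cannot show whether password or key authentication is enforced.
RULES = {
    445:   ("SMB",     re.compile(r"Authentication:\s*disabled", re.I)),
    5900:  ("VNC",     re.compile(r"Security Types:[\s\S]*?\b1 \(None\)")),
    21:    ("FTP",     re.compile(r"^230[ -].*anonymous", re.I | re.M)),
    27017: ("MongoDB", re.compile(r"^Databases:", re.M)),
}


def classify(record):
    """Return (service, unauthenticated, country) for a record covered by a
    rule, or None for ports this script does not assess."""
    rule = RULES.get(record.get("port"))
    if rule is None:
        return None
    service, pattern = rule
    country = record.get("location", {}).get("country_code", "??")
    return service, bool(pattern.search(record.get("data", ""))), country


def triage(export_text):
    """Walk the export and count, per service, how many instances are exposed
    at all and how many of those need no credentials (overall and per
    country), which is the breakdown the figures above use."""
    exposed, unauthenticated, by_country, findings = Counter(), Counter(), Counter(), []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        result = classify(record)
        if result is None:
            continue
        service, is_open, country = result
        exposed[service] += 1
        if is_open:
            unauthenticated[service] += 1
            by_country[(service, country)] += 1
            findings.append((record["ip_str"], record["port"], service, country))
    return {"exposed": dict(exposed), "unauthenticated": dict(unauthenticated),
            "by_country": dict(by_country), "findings": findings}


def country_share(report, service):
    """Percentage of a service's unauthenticated instances per country, the
    '13 percent in the US' style of figure quoted above."""
    total = report["unauthenticated"].get(service, 0)
    if not total:
        return {}
    return {country: round(100.0 * n / total, 1)
            for (svc, country), n in report["by_country"].items() if svc == service}


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT)
    for name, _ in RULES.values():
        print(f"{name}: {report['exposed'].get(name, 0)} exposed, "
              f"{report['unauthenticated'].get(name, 0)} without authentication "
              f"{country_share(report, name)}")
    for ip, port, service, country in report["findings"]:
        print(f"  fix first: {ip}:{port} ({service}, {country})")
```

Run against an export of your own address space, the `findings` list is the remediation queue: every entry is a service that answers anyone on the internet without a password, so it should be firewalled or given authentication before any of the vulnerability work the post says gets too much attention.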

DDoS Botnets and Booters

What’s worse than an exposed system being used as a way in to attack its owner is when these systems and devices are used to attack others. Most attacks these days, malware or otherwise, are “bounced” off of somewhere else, and this is especially true when it comes to DDoS botnets and booters (e.g. Mirai and the like). In the case of DDoS, there are very specific old network protocols that attackers like to use as part of their attacks to “bounce” or reflect these attacks.

This is because these older protocols did not take security into account, and as such they send back significantly more data than they receive, making them very efficient at flooding a system with input. Christian Rossow wrote an excellent paper on how specific protocols (SSDP, NTP, DNS, SNMP, NetBIOS, Chargen, QOTD) can be used to amplify denial-of-service attacks into larger attacks. When you combine these figures with some of the exposures for these same protocols via Shodan, you can see that the denial-of-service situation can be significantly worse than what we are currently seeing.
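The reason these protocols matter is visible in ordinary flow records: a reflector sends the spoofed "requester" far more bytes than it received, and a victim sees those answers arrive from many reflectors at once. The script below is an added example of spotting both signs in NetFlow-style data; it is not from this post, from Trend Micro, or from Rossow's paper. The flow tuples and byte counts are constructed for illustration (documentation-range addresses, an NTP exchange of ordinary size next to a reflected one), and the amplifier port list is simply the protocols named above.

```python
from collections import defaultdict

# UDP services the paragraph above names as amplifiers, keyed by the port a
# reflector answers from.
AMPLIFIER_PORTS = {19: "Chargen", 17: "QOTD", 53: "DNS", 123: "NTP",
                   161: "SNMP", 137: "NetBIOS", 1900: "SSDP"}

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, packets, bytes),
# roughly what a NetFlow collector exports. Addresses are documentation ranges
# and the byte counts are illustrative, not measurements.
FLOWS = [
    # An ordinary NTP time query and its same-sized reply: no amplification.
    ("192.0.2.5", 40000, "198.51.100.1", 123, 1, 76),
    ("198.51.100.1", 123, "192.0.2.5", 40000, 1, 76),
    # Reflection: small requests whose source address is spoofed to the
    # victim's, sent to three exposed NTP servers, each of which answers the
    # victim with far more bytes than it received.
    ("203.0.113.9", 80, "198.51.100.1", 123, 10, 600),
    ("198.51.100.1", 123, "203.0.113.9", 80, 1000, 480000),
    ("203.0.113.9", 80, "198.51.100.2", 123, 10, 600),
    ("198.51.100.2", 123, "203.0.113.9", 80, 1000, 480000),
    ("203.0.113.9", 80, "198.51.100.3", 123, 10, 600),
    ("198.51.100.3", 123, "203.0.113.9", 80, 1000, 480000),
    # An open DNS resolver returning large answers to the same victim.
    ("203.0.113.9", 80, "198.51.100.4", 53, 5, 300),
    ("198.51.100.4", 53, "203.0.113.9", 80, 5, 12000),
]


def pair_exchanges(flows):
    """Yield (service, reflector_ip, target_ip, request_bytes, response_bytes)
    for every request to an amplifier port whose reverse flow is present."""
    index = {(s, sp, d, dp): by for s, sp, d, dp, _, by in flows}
    for s, sp, d, dp, _, req_bytes in flows:
        if dp in AMPLIFIER_PORTS and (d, dp, s, sp) in index:
            yield AMPLIFIER_PORTS[dp], d, s, req_bytes, index[(d, dp, s, sp)]


def observed_amplification(flows):
    """Largest bytes-out / bytes-in ratio seen per service: the bandwidth
    amplification factor as it shows up in the flows."""
    worst = {}
    for service, _, _, req_bytes, resp_bytes in pair_exchanges(flows):
        worst[service] = max(worst.get(service, 0.0), resp_bytes / req_bytes)
    return worst


def reflection_targets(flows, min_reflectors=3, min_ratio=10.0):
    """Hosts that received amplified answers from at least min_reflectors
    distinct amplifier hosts. Returns {target_ip: (reflector_count, bytes)}.
    A reflector owner finds their own host in the reflector column; a
    victim's network sees the flood arriving from many sources on well-known
    service ports."""
    reflectors, volume = defaultdict(set), defaultdict(int)
    for _, reflector, target, req_bytes, resp_bytes in pair_exchanges(flows):
        if resp_bytes / req_bytes < min_ratio:
            continue
        reflectors[target].add(reflector)
        volume[target] += resp_bytes
    return {t: (len(r), volume[t]) for t, r in reflectors.items()
            if len(r) >= min_reflectors}


if __name__ == "__main__":
    for service, ratio in observed_amplification(FLOWS).items():
        print(f"{service}: {ratio:.0f}x bytes returned per byte received")
    for target, (count, total) in reflection_targets(FLOWS).items():
        print(f"{target}: {total} bytes from {count} reflectors")
```

The ratio is the lever an attacker rents, and it is also the number that tells a reflector's owner how much of someone else's flood their box is generating; the usual fixes are to stop answering the amplifying queries (disable NTP `monlist`, close recursion on DNS, keep SSDP, Chargen and QOTD off the internet) and to drop spoofed packets at the network edge so the spoofed requests never reach the reflector in the first place.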

 

If we do not take the time to adequately address Internet hygiene, both organizationally and privately, we are making it easy for attackers to attack us and others. Like any business model, the harder it is to take action and the lower the return, the less likely the attack is to happen.

  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.