Our Exposed World – How Exposures Translate into Attacks

One of the questions I am asked often is why am I not more concerned about sophisticated attacks? Why do I not deeply investigate new exploits as they are released? To which I reply “because the old ones still cause more damage.” After 30 years of looking at the security of networks, the main trend I see can be summarized in a stanza from an old poem I used to read, “The Calf Path” by American poet Sam Foss.”

We have protocols and computer code that were created when dial up computers and the move Wargames was in the theatres that have been rolled into newer technology, that then was rolled into other technology, and never did we go back and look at how vulnerable these older protocols and code were because “we’ve always used them and nothing has happened so we must be safe.” 

Sound familiar? We also take technology and install it straight out of the box, not only leaving it insecure, but also without understanding how it might expose the other things around it. And the faster we have to move – because of lack of time, lack of resources, limited people – the more this is going to happen.

This brings me to my love of looking at our exposed world. The key fact most people miss is that exposed devices on the Internet means potential devices that can be used in attacks. If we are lucky, the devices are not like I have described above, they have been both secured and locked down so it takes developing an exploit or brute force hacking to use them in these attacks. Unfortunately, based on the research Trend Micro’s FTR team has done, we can see we are not that lucky. There are still hundreds of thousands of devices out on the internet that are vulnerable (which is to say, it’s known how to break into them) or have absolutely no security on them whatsoever.

My top 4 favorite example of these are the following:

So let’s talk about these a bit further.

WannaCry type attacks – attacks against Network Shares

In these types of attacks, the attacker is looking to move from network share to another network share in order to spread itself and do ransomware type attacks against the data it finds. What makes this attack worse is that there are many network shares that are exposed directly to the internet – in these cases the attacker doesn’t even need to get a foothold into the corporate network (either via a phish or download of some kind) first before committing their attack.  When last looked in May of 2017 there were 1.7M counts of SMB enabled devices (the protocol used to enable network shares) with exposed to Internet, with 24.9 percent of these in the US, 19.2 percent of these in the United Arab Emirates, and the rest distributed through the world.  Worse yet, there were approximate 40K (13 percent in the US, 11.4 percent Germany) with all forms of authentication disabled. That means anyone with those internet addresses can connect to those shares without a user name or password, no exploit even needed in order to commit that attack.

Data Breaches

Data exposed on the internet can come in a few different forms. The most obvious of these is Internet-facing databases. MySQL, ElasticSearch, PostgresSQL, MongoDB, SQL Service, and CouchDB systems can all be seen in Shodan. Any in just one of these database types, for just one country we could see over a terabyte of data exposed. Sadly the attackers know this too, and we can see many of the table names have been alerted to things like “Contact Me,” “Warning,” “PleaseRead,” or “Wehaveyourdata,” all suggesting many of these databases were subject to ransomware attacks known to have happened earlier this spring and new ones were on the rise earlier this fall.

Another instance of exposed data is illustrated in our example of exposed network drives. These drives are only vulnerable to Ransomware as discussed previously, but the data on those network drives are also wide open for anyone to view. Forget attackers breaching the data when it’s already open to the internet to read! I am sure some of that is by design, but the drive names one can see in the Shodan data suggests otherwise.

The third means that data can be exposed is via NAS devices that are sitting open on the internet. At the time of writing, there were over 52.4K NAS devices of a variety of kinds sitting outward facing to the internet, many of which had no authentication enabled for either SSH or FTP (a common means of accessing these devices).

Finally, it should be mentioned that any or all of these systems that either reside in Europe or contain information on a European citizen is soon to be subject to GDPR, whose fines for these types of exposures should more than given the average organization pause to reflect on how they are architecting their network.

Server Defacements and Hacking

The most depressing aspect of studying exposed systems for a threat analyst such as myself is to observe how many servers themselves have doors that are wide open with no authentication. This is akin to leaving the door unlocked and wide open so people can walk in. We’ve already used the example of exposed SMB but these again can also provide a pivot point into the rest of the corporate network when they are not only exposed to the internet, but also have internet network access at the same time. VNC is another older protocol used to create desktop and server connections, and the study found more than 3K of these on the internet with no authentication.

The breadth of the problem can be seen by just looking at router names and web server titles via Shodan. The number of web servers now with the http banner header “hacked by…” is heartbreaking. In all three of these areas, these kinds of attacks could be made significantly harder if organizations focused efforts on some of the basics, as illustrated here. Its been found that 80 percent of all attacks are because of something lacking in one of these Top10’s – can we make it that much harder for the attackers please?

DDoS Botnets and Booters

What’s worse than exposed systems being used to attack a victim through is when these systems and devices are used to attack others. Most attacks these days, malware or otherwise, are “bounced” off of somewhere else, and this is especially true when it comes to DDOS botnets and booters (e.g. Mirai and the like). In the case of DDoS, there are very specific old network protocols that attackers like to use as part of their attacks to “bounce” or reflect these attacks.

This is because these older protocols did not take into account security, and as such, they send back significantly more data than they receive, thus making them very efficient at flooding a system with input. Christian Rossow wrote an excellent paper on how specific protocols (SSDP, NTP, DNS, SNMP, netbios, Chargen, QOTD) can be used to amplify denial of services attacks into larger attacks. When you combine these figures in with some of the exposures for these same protocols via Shodan, you can see the situation in terms of denial of service can be significant worse than what we are currently seeing.