The mysterious EASM and where they live. Part 1. Who are you? / Hebrew
The full text of the study has been published here.
In today’s world, almost any organization has its own resource on the Internet, which can provide customers with various opportunities. The resource itself can be a small landing page with a price list and contact information, an online store, a portal or a forum.
With the increase in the number of such resources and the increase in computing power of computers, the number of cyber attacks is steadily increasing, as evidenced by some figures:
According to Google’s report, in more than half of the attacks on cloud systems brute force was used, and attackers exploited vulnerabilities in software in 36.7% of cases during attacks on cloud systems.
“Positive technologies” in the report for 2022 gives the following statistics: “The number of successful attacks directed at the web resources of organizations increased by 56%. If in 2021 the web resources of companies became objects of attacks in 17% of cases, then in 2022 the share of such incidents was 22%.”
The investigation of mass hacks of 1C-Bitrix company CyberOK showed that attackers can use known vulnerabilities for years to gain access to systems.
- 1 Methodology, expected results
- 2 1.1 Comparison of ASM by scan frequency
- 3 1.2 Comparison of ASM by the number of devices and network services detected by them
- 4 1.3 Categories of protocols
It is worth highlighting some reasons why attacks on resources that have direct access to the Internet become possible:
1. Incorrect configuration of network access and deficiencies in the configuration of programs
Some devices implementing server protocols must not have access to the Internet or must be accessible only through a VPN. Neglecting this principle can allow attackers, upon detection of such a device, to disrupt production, which will cause both reputational and financial losses.
This category includes public site pages that contain configuration information, admin panels, or API descriptions, access to which should be restricted.
According to Paloalto, in 2022, a quarter of the problems related to public resources were exposed RDP servers, 17% of which were with exposed admin login pages.
2. Outdated software
Updates for the various components that make up a web application often include fixes for vulnerabilities.
A vivid example can be the case in May 2023: a massive defacement of web resources that use CMS “1C-Bitrix: Site Management”. Mass hacks were carried out in advance, starting in 2022 due to known vulnerabilities (including CVE-2022-27228), and the targets of the attackers were all non-updated versions of “1C-Bitrix: Site Management”. A timely update of this software could prevent most of the resources from being compromised.
3. New vulnerabilities
Every month, experts discover new vulnerabilities in popular software that allow remote attackers to gain access to sensitive information.
With a large infrastructure in an organization, it can be difficult to manually monitor and control all software versions, new vulnerabilities and network configuration.
In order to simplify this task, services for managing the attack surface (Attack Surface Management, ASM-services) can be used. An attack surface, as defined by the US National Institute of Standards and Technology, is a collection of points at the boundary of a system, system elements, or environment that an attacker may attempt to access, affect, or extract data from.
ASM services provide the results of user requests in the form of IP addresses, domains associated with these addresses, information about open ports and running network services. Some ASM services analyze the software versions installed on the investigated host and provide information about potential vulnerabilities.
Methodology, expected results
The article presents the results of the analysis according to the specified criteria for comparing ASM services. The weak and strong points, capabilities, working principles and specifics of various ASMs are determined.
The focus of the study was on systems selected by geographic feature: the sample included representatives of the USA, Korea, Armenia, and China: Shodan, Censys, Criminal IP, Netlas, Hunter.how.
A number of criteria were used for comparison:
frequency of scanning;
the number of scanned ports, supported protocols and samples of network services;
the total number of detected devices and network services;
detection of configuration errors and vulnerabilities with the assigned CVE identifier (Common Vulnerabilities and Exposures);
The results of the research conducted by CyberOK experts can help decide on the choice of an ASM system to solve a particular task.
1.1 Comparison of ASM by scan frequency
Data relevance is the most important factor when using ASM systems. Timely updating of the results of scanning of nodes of companies that have access to the Internet helps to quickly identify and fix vulnerabilities and, as a result, reduce the probability of successful attacks on the infrastructure of this company. The relevance of data in ASM systems, in turn, is ensured by systematic scanning of the network.
Shodan scans the entire Internet at least once a week, but you can additionally use the API of this service to scan at any desired moment – detailed information about this is presented on the official website of the service.
To receive information about the frequency of service scanning Criminal IP nodes in different countries (Russia, USA, Germany) were analyzed. The update date of information for popular open ports (80, 443, 22, etc.) was considered.
Netlas has the ability to perform requests and receive scan results within the allocated time ranges. One time range corresponds to one period of network scanning, an example of the ranges can be seen on the screenshot of the service:
According to the official GITHUB repository of the service, Hunter.how scans all 65535 ports of the IPv4 space every day and updates the scan data of more than 40 million services with the same frequency.
Censys its service focuses on the tasks of global scanning of popular ports, scanning of cloud providers (such as Amazon, Google and Azure), global scanning of the least popular ports (3455 ports in the IPv4 space), and scanning of all ports in the IPv4 space at a low background speed. Detailed information about this is presented on the official website of the service.
Based on the obtained results, it can be concluded that the highest frequency of scanning of the entire Internet is carried out by ASM services Shodan and Hunter.how. However, other ASM systems have and can provide special capabilities and more specialized scan results.
1.2 Comparison of ASM by the number of devices and network services detected by them
Since when processing a user request, ASM systems do not scan the entire network, but only perform a search based on the saved results, an important characteristic is the number of detected network services and nodes during a regular scan of the entire Internet. Information on the number of network services is presented in Table 2. Table 3 presents information on the number of network services detected in the Russian Federation. Table 4 presents information on the number of nodes detected in the Russian Federation.
Importantly, in the context of this section, “network service” means an entry in the database (DB) containing the results of an ASM scan that can be found by a search query. Some ASMs share different entries in the database of network services, which are available under different URIs (sometimes even URLs), so the resulting values are completely uniform.
Analysis of the table shows that it is the leader in the number of detected network services in the world Hunter.howand by the number of nodes Censys. It is the leader in the number of network services and nodes found in the Russian Federation Hunter.how. Such a result suggests that the possibility of finding vulnerable nodes is higher when using this particular service.
1.3 Categories of protocols
Since the purpose of an ASM system is not only to detect a device on the network, but also to identify potential vulnerabilities, the important primary tasks are:
detection of open ports;
definition of network protocols;
definition of software (software).
To determine the software, ASM class systems send network requests, which can be conventionally divided into two types:
standard requests that correspond to the network protocol;
non-standard requests specific to certain software.
Due to the fact that different systems have different concepts under the term “protocol”, the terms used in this article should be defined:
Protocol sampling is a method of determining application level protocols of the OSI model (The Open Systems Interconnection model) by sending the corresponding standard network request.
Network service samples are a set of standard and non-standard network requests.
Since the number of open ports, samples of network services and supported protocols is a good comparative characteristic of ASM systems, information about these parameters was obtained for the analyzed systems. The results are presented in Table 5.
Based on the obtained result, it can be concluded that the largest number of detected ports is represented by the ASM system Censysand the largest number of samples of network services and protocols supported by the system Shodan.
A greater number of supported protocols makes the ASM system more flexible, allowing you to find more critical and less protected devices. PLCs (Programmable Logic Controllers) in ATS systems (Automated Technological Process Management Systems) are a clear example: these devices are designed to work in real time and due to the fact that speed and the ability to process large volumes of data are a priority for them, when developing firmware for them, protection mechanisms are given less attention. At the same time, a vulnerable PLC may have access to the Internet, allowing an attacker to exploit the vulnerability and disrupt the production process. Other examples of valuable finds for an attacker are motherboard management controllers or medical equipment.
See you soon in Part 2! Subscribe to our Habr so you don’t miss an update.
Author: Maksym Pushkin, specialist in CyberOK expertise development.
If you look events in Mykolaiv – https://city-afisha.com/afisha/