Allow me to introduce myself, my name is Dvir Sasson and I am a penetration tester (white hat hacker) and a consultant for CyberInt's clients. I've always been curious about learning new things and searching for loopholes, this has been my life's passion. This curiosity and passion inspires me on a day to day basis to learn about new vulnerabilities, exploits, and tech. It also allows me to become a better pen tester.
During one of my last “fishing” expeditions, I decided to take a look at how compromised computers are being utilized by Shodan. Specifically, for parameters that don’t need authentication. And to my surprise, I discovered 4,500 servers with no authentication with complete remote-control access of virtual machines! Wait, stop, let me take you a step back and give you a moment to process it all.
Cement Factory Control Panel
How did I discover this?
Like I said I'm pretty curious, and I decided to check out how many insecure computers were actually out there in the open. I logged into my trusty Shodan.io. search engine which is the mother of all search engines for internet-connected things. Shodan collects internet webcams and open-port sources, as well as, other computers and machines onto a one-page format. The search began with seeking open VNC remote desktop services that didn’t require authentication. An Open VNC is an open source remote app that allows teams or individuals to share their machines to be remotely accessed using the VNC protocol. It's very easy to use, maybe even too easy.
Choosing to use an unauthenticated open VNC connection, is like giving an open invitation to hackers, saying "please hack me". A crazier and even scarier notion is that these screenshots can be mapped by geo-location. Mapping by geo-location allows an attacker to build a "botnet" based on computers from a certain country. Botnets differ by country because of the bandwidth quality, computing power, etc.
Here are some examples of what I found:
User's Personal Email
Power Generator Summary Screen
Pump Control Panel
Engine Control Panel
These are just the tip of the iceberg (remember, there were 4,500 servers exposed). Our findings ranged from boats to cash registers, traffic light systems and more, all by accessing Shodan.
What can be done with these accessible devices?
For example, hackers can scan networks for these type of devices (cameras, DVR's), exploiting default credentials and using them in future attacks (such as DDoS). Default credentials appear on devices where their owners didn't change them. Mostly in devices coming from "sticker" manufacturers or devices using similar hardware and software. Instead of buying a device which is more updated and using a secured firmware. A lot of customers try to save the extra buck and end up compromising on a device that uses poor software.
How is this possible?
The attacker uses bots to simultaneously send requests, via multiple vectors and protocols, to the service provider. For example, the "http\s" server runs on ports 80 and 443. The Botnet will then try to access "random" ports that could be used to ping, ssh, ftp, etc. These devices are great for DDoS, as they have network capabilities as well as full remote-control capabilities, but their owners don’t even know they have been exploited. Incidentally, just yesterday security cameras manufactured by a company called Axis, has been verified to be remotely controlled by a malicious attacker using a software vulnerability.
What we know for sure is that devices are being sold online in places such as Alibaba and Ali Express. These devices connect to internet sensors, DVR's, IP cams, and streamers. They receive the same software and configuration and possess default credentials.
This is a huge issue of misconfiguration and usage of invalid software. The question is what do you do with this information?
The Action Plan
The simple and short answer is that we recommend not to use open VNC as an open solution. It should not be used as a remote access program in businesses or Critical Infrastructure. There are a lot of secured remote services. If needed, use Open VNC configure it properly with user authentication and deny it access from the WAN.
However, if you have to, we suggest using it as a configuration tool with the strictest authentications and restrictions possible. You need to bind it to an internal interface, inside the circle of the organization. The main downfall is that while it is relatively easy to secure a connected device, many device owners fail to do so. Organizations that possess critical infrastructure sectors, must always run on the assumption that they have already been compromised, and take steps to both detect and defend against threat actors.
In order to protect your organization, the best course of action is to act preventatively and take action accordingly. As an organization, it is essential to fortify yourself by entrusting in a trusted vendor. This is where patching comes into play, as well as changing your default settings. It is also necessary to use red teaming or automated systems like our own Cyberscore to find these open ports (not for 3rd party vendors but rather your own infrastructure). It is important not to be left vulnerable by the vendors your work with. CyberInt's Cyberscore runs continuous, non-intrusive scans of your assets as well as those of your vendors, in order to uncover weaknesses in your overall security posture. This platform will allow you to uncover cyber security flaws that may pose a risk for your own assets and private data.
Uncover your potential risks today, and find out what actions can be taken to protect your digital assets.
If you would like to receive your Cyberscore assessment today click here.