Article by Pascal Geenens, Director of Threat Intelligence at Radware.
Internet of Things (IoT) search engines offer genuinely useful capabilities but also create a serious risk of weaponized exploits. Two VMware vCenter Server vulnerabilities identified earlier this year illustrate this.
vCenter lets organizations automate and deliver virtual infrastructure on the hybrid cloud, so a compromised vCenter gives threat actors control of the virtualization layer. That makes these serious vulnerabilities for thousands of the largest organizations in the world.
The first vulnerability was a remote code execution (RCE) flaw in a vCenter plug-in of the vSphere HTML5 client. Within a day of VMware's disclosure on February 23, two exploits had already been published. On May 11 we saw a high volume of scans for it performed by the Necro Python botnet, a cryptojacking malware.
The second vulnerability, disclosed by VMware on May 25, is an RCE in the vSAN Health Check plug-in, which is enabled by default in all vCenter deployments. Unless organizations had deactivated that plug-in, they were vulnerable. On June 1 we saw a sharp increase in scans after vulnerability details were published online, details that could lead to the exploit being weaponized.
Not all scans are bad. There are legitimate players who continuously scan the internet to catalog vulnerabilities and assess their danger. Some have turned this analysis into paid services, making it easy for companies to assess their exposed services and attack surface. But by exposing every vulnerability on the internet, they also let malicious individuals take advantage of it, easily and without investing in infrastructure or having in-depth technical knowledge.
Perhaps the three best-known search engines are Censys, Shodan and ZoomEye. Among the features they offer is the ability for organizations to discover all of their internet-connected devices and see which ones are exposed so they can be protected or disconnected.
But they’ve made it so easy to find unprotected IoT devices (by geolocation, port / OS, services / host, IP address, keyword search, etc.) that anyone – white hat, gray hat or black hat – can uncover vulnerable devices.
Consider the deep web, the part of the internet that is not indexed by search engines. Even if your IP address has no DNS entry, it is still registered somewhere. You might think that if you put a service there and only tell certain people the IP address, it would be safe. But these IoT search engines now scan the whole address space, not only on HTTP ports but also on SSH, SMTP and RDP. For HTTP and HTTPS they also record the web page returned in the response.
So, with vCenter, anyone looking for servers running the HTML5 vCenter client can search for responses that contain ID_VC_Welcome. Run that query on Censys and you will find approximately 30,000 HTTP hosts. This does not mean all of those IP addresses are vulnerable, because you have not yet narrowed the search to a specific version.
However, the version is encoded in the response, and by searching for all devices running a specific web interface and firmware version, the database will return the matching results. The answer is not always that precise, as the information may be days or weeks old. And sometimes the host is on a dynamic IP address, although most vCenter addresses are static.
Searching for the same string on Shodan yields approximately 5,800 results. A sample result shows the vCenter Server version and build number, which is enough to know whether it is vulnerable. And the SSL certificate will tell you what kind of business it belongs to.
Basically, threat actors can buy API access for a few dollars, write a script that queries the API, searches for ID_VC_Welcome, checks the VMware version number, takes the IP address and runs an exploit to see whether the host is vulnerable. If so, they can drop a reverse shell or simply mark it as open for later use or sale.
ZoomEye offers similar functionality to the other two IoT search engines. In my experience, I was able to search for vulnerabilities with an unregistered account on Censys and ZoomEye and a free account on Shodan. In the latter case you need to register, but you do not need a subscription and only minimal personal information is required. In fact, I have provided more information just to download cybersecurity reports!
It should be clear by now that providing access to this information means accepting the bad along with the good. Anyone with a working Python script can abuse it almost immediately, regardless of their expertise or infrastructure.
Plenty of examples show how to use IoT search engine APIs to pull the IP addresses, feed them into a proof-of-concept script downloaded from GitHub, and join the hacking race.
What can organizations do to protect themselves from the hacking risks created by legitimate IoT search engines? Here are five tips:
Tip 1: Just like a red team, take advantage of the tools attackers use to find out whether you are vulnerable. Query the most popular IoT search engines for your own IP subnet ranges and learn from what they report.
Tip 2: Minimize your attack surface by exposing only the services you need. Do not assume that a service or application you expose is of no use to attackers; if it is valuable enough for you to expose it, it is valuable enough for attackers to target it.
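The workflow described above (search for ID_VC_Welcome, read the version and build number, keep the IP address) is exactly what Tip 1 asks you to run against your own ranges first. The following Python script is an added example written for this article, not code from Radware or from any of the search engines; it takes records already fetched from a search engine API, restricts them to your own netblocks, and produces an exposure inventory. The record layout, the netblocks, the build numbers and the patched-build thresholds are all constructed or placeholder values: the thresholds in particular must come from the VMware advisory, and the field names are an assumption, not the exact schema of Censys, Shodan or ZoomEye.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records, in the general shape of what an IoT search
# engine API returns for a host (address, port, an excerpt of the HTTP
# response body, and a version banner). The field names are an assumption
# for this example, not the exact schema of Censys, Shodan or ZoomEye, and
# the build numbers are made up.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "port": 443, "body": "<title>ID_VC_Welcome</title>",
     "version": "VMware vCenter Server 7.0.1 build-1700001"},
    {"ip": "203.0.113.25", "port": 443, "body": "<title>ID_VC_Welcome</title>",
     "version": "VMware vCenter Server 6.7.0 build-1800005"},
    {"ip": "198.51.100.7", "port": 443, "body": "<title>ID_VC_Welcome</title>",
     "version": "VMware vCenter Server 7.0.2 build-1700010"},
    {"ip": "203.0.113.40", "port": 80, "body": "<title>Welcome to nginx!</title>",
     "version": ""},
]

# Placeholder thresholds: the lowest build per release line that carries the
# fix. These values are NOT from a VMware advisory; replace them with the
# builds listed in the advisory before relying on the result.
MIN_PATCHED_BUILD_PLACEHOLDER: Dict[str, int] = {"6.7": 99999999, "7.0": 99999999}

# Constructed: the organization's own address ranges (documentation prefix).
OUR_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

BANNER = "ID_VC_Welcome"  # the string the article searches for
VERSION_RE = re.compile(r"vCenter Server (\d+)\.(\d+)\.(\d+) build-(\d+)")


@dataclass
class Finding:
    ip: str
    port: int
    version: str
    build: int
    status: str  # "possibly-unpatched", "patched" or "unknown-version"


def is_ours(ip: str) -> bool:
    """True when the address falls inside one of our own netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETBLOCKS)


def classify(record: dict, min_patched_build: Dict[str, int]) -> Optional[Finding]:
    """Return a Finding for records that look like a vCenter login page, else None."""
    if BANNER not in record.get("body", ""):
        return None
    m = VERSION_RE.search(record.get("version", ""))
    if not m:
        return Finding(record["ip"], record["port"], "", 0, "unknown-version")
    major, minor, patch, build = m.groups()
    build_num = int(build)
    threshold = min_patched_build.get(f"{major}.{minor}")
    if threshold is None:
        status = "unknown-version"
    elif build_num < threshold:
        status = "possibly-unpatched"
    else:
        status = "patched"
    return Finding(record["ip"], record["port"], f"{major}.{minor}.{patch}", build_num, status)


def exposed_vcenters(records: List[dict], min_patched_build: Dict[str, int],
                     only_ours: bool = True) -> List[Finding]:
    """Inventory of exposed vCenter hosts, restricted to our netblocks by default."""
    findings = []
    for r in records:
        if only_ours and not is_ours(r["ip"]):
            continue
        f = classify(r, min_patched_build)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in exposed_vcenters(SAMPLE_RECORDS, MIN_PATCHED_BUILD_PLACEHOLDER):
        print(f"{f.ip}:{f.port} vCenter {f.version or '?'} build {f.build} -> {f.status}")
```

Any host the script lists is visible to everyone else who runs the same query, so the inventory is the starting point for the remaining tips: either take the service off the internet or make sure the response no longer tells the world which version it runs. Keep in mind the caveat from the article: search engine data can be days or weeks old, so confirm the finding against the host itself before closing it.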
Tip 3: Minimize the information you share in responses to unauthenticated requests. Many services let you configure the headers returned in responses: remove the software name and version details from the headers and replace them with generic or misleading values. Don't be afraid to consult the manual; it could save you from a breach in the future!
Tip 4: If possible, do not allow unauthenticated requests to exposed services. If you must, and you cannot change the information the service shares, consider placing it behind a reverse proxy, where you have more control over what information leaks.
Tip 5: Take advantage of bot management solutions, IP flow data and network signatures to detect and block bot scans before they reach your services. Become a "ghost" on the internet.
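Tips 3 and 4 together describe a reverse proxy that refuses unauthenticated requests and scrubs version-bearing headers from whatever the backend returns. The following Python WSGI middleware is an added example written for this article, not code from Radware or from any product mentioned here. The leaky backend, the bearer token, the list of headers treated as leaky and the public path are all constructed for the example; a real deployment would use its identity provider rather than a shared token.

```python
import hmac
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# Response headers that commonly carry product name and version. Assumption:
# extend the set for whatever software sits behind the proxy.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
GENERIC_SERVER = "web"  # the bland value exposed instead of the real banner

# Constructed shared token for the example; a real deployment would fetch it
# from a secrets store and most likely delegate to an identity provider.
EXPECTED_TOKEN = "example-token-not-a-real-secret"


def sanitize_headers(headers: Headers) -> Headers:
    """Drop version-bearing headers and emit one generic Server header."""
    kept = [(k, v) for k, v in headers if k.lower() not in LEAKY_HEADERS]
    kept.append(("Server", GENERIC_SERVER))
    return kept


def is_authenticated(environ: dict) -> bool:
    """Bearer-token check using a constant-time comparison."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode())


def gate(app: Callable, public_paths: Tuple[str, ...] = ("/healthz",)) -> Callable:
    """WSGI middleware: reject unauthenticated requests (except public paths)
    and sanitize every response's headers before they leave the proxy."""
    def wrapped(environ: dict, start_response: Callable) -> Iterable[bytes]:
        def sanitized_start(status, headers, exc_info=None):
            return start_response(status, sanitize_headers(headers), exc_info)

        if environ.get("PATH_INFO", "/") not in public_paths and not is_authenticated(environ):
            # The refusal itself reveals nothing about what runs behind the proxy.
            sanitized_start("401 Unauthorized",
                            [("Content-Type", "text/plain"), ("WWW-Authenticate", "Bearer")])
            return [b"unauthorized\n"]
        return app(environ, sanitized_start)
    return wrapped


def leaky_backend(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed stand-in for a service that announces its product and version."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Server", "ExampleAppServer/1.2.3"),
                              ("X-Powered-By", "ExampleFramework/4.5")])
    return [b"<title>hello</title>"]


def call(app: Callable, path: str, token: str = None) -> Tuple[str, dict, bytes]:
    """Drive a WSGI app in-process; returns (status, lower-cased header dict, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], {k.lower(): v for k, v in captured["headers"]}, body


protected = gate(leaky_backend)

if __name__ == "__main__":
    for path, tok in (("/admin", None), ("/admin", EXPECTED_TOKEN), ("/healthz", None)):
        status, headers, _ = call(protected, path, tok)
        print(path, "with token" if tok else "no token", "->", status, headers)
```

The same effect in front of an off-the-shelf service is usually a configuration matter on the proxy itself; in nginx, for example, `server_tokens off;` suppresses the version in its own Server header and `proxy_hide_header` strips named headers coming back from the upstream. The point of the middleware is that both the refusal and the successful response go through the same sanitizer, so an unauthenticated probe learns nothing either way.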
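Tip 5 relies on telling scanner traffic apart from real users before it reaches the service. The following Python script is an added example written for this article, not a Radware product or any bot management solution's logic; it applies two simple signals to web server access logs: a user-agent signature list and a path-enumeration heuristic (many distinct paths in a short window, most of them answered with 404). The log lines are constructed, the IP addresses are documentation ranges, and the signature list is illustrative, to be maintained from your own observations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed access-log lines (Combined Log Format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.9 - - [01/Jun/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleScanner/1.0)"',
    '198.51.100.9 - - [01/Jun/2021:10:00:02 +0000] "GET /login HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; ExampleScanner/1.0)"',
    '203.0.113.77 - - [01/Jun/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/88.0"',
    '203.0.113.77 - - [01/Jun/2021:10:00:09 +0000] "GET /app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/88.0"',
    '203.0.113.77 - - [01/Jun/2021:10:00:40 +0000] "GET /missing.png HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/88.0"',
    '192.0.2.200 - - [01/Jun/2021:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '192.0.2.200 - - [01/Jun/2021:10:01:01 +0000] "GET /console HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '192.0.2.200 - - [01/Jun/2021:10:01:01 +0000] "GET /manager HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '192.0.2.200 - - [01/Jun/2021:10:01:02 +0000] "GET /status HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '192.0.2.200 - - [01/Jun/2021:10:01:03 +0000] "GET /robots.txt HTTP/1.1" 200 30 "-" "curl/7.68.0"',
    '192.0.2.200 - - [01/Jun/2021:10:01:04 +0000] "GET /setup HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

# User-agent substrings that identify scanners. Illustrative only; maintain
# the list from your own observations and the scanners' published documentation.
SCANNER_UA_SIGNATURES = ("CensysInspect", "zgrab", "masscan", "ExampleScanner")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse(line: str) -> Optional[dict]:
    """Parse one Combined Log Format line; None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def detect_scanners(lines: List[str], window: timedelta = timedelta(seconds=60),
                    min_paths: int = 5, min_404_ratio: float = 0.5) -> Dict[str, str]:
    """Map source IP -> reason for sources that look like scanners.

    Two signals: a known scanner user agent, or path enumeration, meaning at
    least `min_paths` distinct paths inside `window` with a 404 share of at
    least `min_404_ratio` (browsers driven by humans rarely produce that).
    """
    events: Dict[str, List[dict]] = defaultdict(list)
    flagged: Dict[str, str] = {}
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        if any(sig.lower() in e["ua"].lower() for sig in SCANNER_UA_SIGNATURES):
            flagged.setdefault(e["ip"], "scanner-user-agent")
        events[e["ip"]].append(e)

    for ip, evs in events.items():
        if ip in flagged:
            continue
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # slide the window over every start point
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            paths = {e["path"] for e in in_window}
            not_found = sum(1 for e in in_window if e["status"] == 404)
            if len(paths) >= min_paths and not_found / len(in_window) >= min_404_ratio:
                flagged[ip] = "path-enumeration"
                break
    return flagged


if __name__ == "__main__":
    for ip, reason in detect_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The user-agent list catches only scanners that announce themselves; the enumeration heuristic is what catches the ones that do not, at the cost of tuning `min_paths` and `min_404_ratio` against your own traffic so that a user following stale links is not blocked. Feed the flagged addresses to the blocking layer in front of the service, not to the service itself, which is the "ghost" posture the tip describes.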