The internet is a global village, not a metropolis

Written by: Szilárd Pfeiffer, Security Engineer & Evangelist, Balasys

Created: 2022-04-28

Think the internet is large enough to hide from criminals in the hope you won’t be the next victim of a cyber attack? Sadly, this is no longer the case. The internet is a global village, where everyone is your neighbor, and anyone can detect your mistakes and vulnerabilities.

The internet: where everybody is your neighbor

The internet is not as big as you might think. Until IPv6 fully takes over, there are fewer than 4 billion IPv4 addresses. In theory there are almost 4.3 billion addresses, but 600 million IPv4 addresses are reserved. In practice, there are approximately 3.7 billion public, routable IPv4 addresses. Finding vulnerable machines in this crowd of IP addresses might seem like looking for a needle in a haystack, but it is not. With automated tools, anybody can systematically scan the internet for vulnerabilities in public services.

This kind of mass scan requires fewer resources than you might think. Assuming that checking for a vulnerability takes at most one second, attackers need to check around 1,400 machines a second on average to find, within one month, every single device on the internet that is exploitable through a particular vulnerability. If the available period is just a week or a day, they need to scan around 6,000 or 43,000 services a second, respectively. These sound like relatively high numbers, but consider that even a huge country like China uses less than 8% and Russia less than 1% of the available IP addresses: focusing on smaller targets cuts the required resources to a tenth or a hundredth.

The numbers above demonstrate that it is theoretically possible to mass scan the entire internet. Effective, free-to-use tools turn this academic possibility into practice. ZMap, Masscan, and others promise to scan the entire public IPv4 address space in around ten minutes on a typical desktop computer with a gigabit Ethernet connection. Researchers have shown that the time needed for application-layer scans can in some cases be reduced further, meaning that mass scans can discover any accidentally or deliberately published application-layer service in a short space of time.

Search engines for potential weaknesses

Hackers do not even have to perform mass scans themselves, as commercial services sell bulk data from their own mass scans. It would still be challenging to inspect, cleanse, transform, and model the bulk data to extract the needed information, but companies such as Shodan and ZoomEye have already done that analysis for you. They also provide search engines over their well-structured databases, which contain near real-time information about exploitable services worldwide. These databases can be accessed for free only with substantial limitations, but of course you can pay a subscription fee to lift them. The entry-level subscription costs just a few dollars per month, so the price of information about exploitable services is not high. Together with the numerous free-of-charge tools, this creates dramatically low barriers to entry for self-appointed hackers.

Anyone can put the mentioned tools and services together into a well-automated system, especially since the services provide APIs to access their databases. As you can see, you do not have to be a nation-state actor to perform effective scans for vulnerable services on the internet. Criminal and hacktivist groups can also do it by using the mentioned services or by creating and managing their own systems – this is common practice. However, the situation is actually worse than that, as even a script kiddie can find vulnerable services of interest. The aforementioned search engines make it possible to filter services by protocol, vendor, vulnerability, geolocation, etc. Someone with little preparation could cause harm to an organization by identifying targets with the mentioned tools and using proof-of-concept implementations of the vulnerabilities. This holds even if the author of the proof-of-concept implementation disclosed it responsibly.

Operational technology is also under attack

Cyberattacks may use devices that are not strictly part of the IT infrastructure to achieve their goals. For instance, with Shodan you can easily find webcams with no authentication, or with a default username and password, near or inside a targeted organization. A hacker can use unauthorized access to a webcam to observe the targeted site and plan how to circumvent the guards. Some hacking techniques depend on getting devices into or near the targeted organization. For instance, installing an open Wi-Fi hotspot near the targeted network may cause devices on that network to connect automatically to the malicious hotspot. If this happens, the hacker can eavesdrop on any unencrypted traffic sent or received by the connected device to obtain usernames and passwords. Even if the data is encrypted, metadata can still be collected, such as the domain names of the visited sites. It also opens the door to an intrusion attempt that exploits vulnerabilities on the connected device. An open webcam increases the risk that someone might install such a malicious device unnoticed, even at a guarded factory site far from crowded districts.

Some people might think that no part of critical infrastructure or Industrial Control Systems (ICS) is ever connected directly to the internet without robust authentication. The reality is different. For instance, a simple Shodan query returns thousands of Schneider Electric devices, mainly from Spain, France, and the United States. The manufacturer provides digital solutions for the energy and automation sectors. You can also find thousands of devices by searching for the network protocols (e.g., Modbus, DNP, Fieldbus, PROFINET) used in SCADA or Industrial Control Systems. Exposed programmable logic controllers (PLCs) may not even be the most severe risk, as you can also find human-machine interfaces (HMIs) published on the internet. These are usually exposed through Remote Desktop Protocol (RDP) servers, which can have both configuration and implementation issues. For instance, they may use NTLM authentication, which has known weaknesses and vulnerabilities.
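The same search-engine data has a defensive use: auditing your own address ranges for exactly the exposures described above. The following is an added example, not code from the post or from Shodan; it assumes records shaped like Shodan's host lookup output (`ip_str`, `ports`, `data` with per-banner `port` and `product`), and the sample records are constructed.

```python
"""Exposure audit over Shodan-style host records (added example).

Assumption: each record follows the layout of Shodan's host lookup output
(``ip_str``, ``ports``, ``data`` -> list of banners with ``port`` and
``product``); the records in SAMPLE_RECORDS are constructed, not real.
"""
from ipaddress import ip_address, ip_network

# Services that should not face the internet directly; the ports are the
# registered defaults for each protocol.
RISKY_PORTS = {
    502:   ("Modbus/TCP", "ICS protocol without authentication"),
    20000: ("DNP3", "SCADA protocol, usually unauthenticated"),
    3389:  ("RDP", "HMI/remote desktop; NTLM and configuration weaknesses"),
    23:    ("Telnet", "plain-text logins"),
    80:    ("HTTP", "plain-text web interface, often with default credentials"),
}

# Constructed sample: two hosts in "our" range, one host that is not ours.
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "ports": [502, 443],
     "data": [{"port": 502, "product": "industrial PLC"},
              {"port": 443, "product": "nginx"}]},
    {"ip_str": "192.0.2.20", "ports": [3389],
     "data": [{"port": 3389, "product": "Remote Desktop Protocol"}]},
    {"ip_str": "198.51.100.5", "ports": [502],
     "data": [{"port": 502, "product": "industrial PLC"}]},
]

def audit_hosts(records, own_ranges):
    """Return one finding per risky banner on hosts inside own_ranges."""
    nets = [ip_network(r) for r in own_ranges]
    findings = []
    for rec in records:
        ip = ip_address(rec["ip_str"])
        if not any(ip in net for net in nets):
            continue  # someone else's address space: not our exposure to fix
        for banner in rec.get("data", []):
            port = banner["port"]
            if port in RISKY_PORTS:
                service, reason = RISKY_PORTS[port]
                findings.append({"ip": str(ip), "port": port,
                                 "service": service, "reason": reason,
                                 "product": banner.get("product", "unknown")})
    return sorted(findings, key=lambda f: (f["ip"], f["port"]))

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_RECORDS, ["192.0.2.0/24"]):
        print(f"{f['ip']}:{f['port']} {f['service']} ({f['product']}): {f['reason']}")
```

Feeding real host records from your own netblocks into `audit_hosts` on a schedule gives a simple alert on newly exposed OT or RDP services.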

Zero Trust to the rescue

Under such circumstances, neither industry nor any other sector should assume that cyberattacks do not target them. Today, an organization does not have to be targeted by attackers directly. Automated tools systematically search the internet for vulnerable public services and attempt to exploit them immediately. If they succeed, the tools begin lateral movement to spread through the organization as extensively as possible and wait for the attackers' commands. At that point, we have already lost. The best advice for preventing such a situation is what the Zero Trust Security Model has been advising for decades and is now also followed by US governmental offices in line with President Biden's executive order:

  1. Treat everything as a resource, regardless of whether it is part of information technology (IT) or operational technology (OT), as both have the same importance.
  2. Allow access to a resource only after strict authentication, regardless of whether the resource is reachable from the internet, as an intranet service can still be the target of an insider attack or of malicious software brought onto the intranet by a personal device (BYOD).
  3. Prohibit plain-text communication and use only encrypted connections with robust encryption algorithms to rule out the first step of every attack, eavesdropping.
  4. Apply the least privilege principle during authorization to minimize the damage an infected device can cause on your network, as it can access everything that the device's user is permitted to access.
  5. Apply these controls in a session-based manner to minimize the period between revoking an authorization level and enforcing that revocation.
  6. Continuously monitor your devices and network to prevent or report any suspicious behavior.
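The six points above, as an added example that is not part of the post: a small session-based access check in which network origin buys no trust, plain-text transport is refused, only the role a resource requires is honoured, every decision is re-evaluated per request so a revocation takes effect immediately, and each decision is logged. The resource names, roles and the in-memory policy are illustrative assumptions.

```python
"""Session-based Zero Trust access check (added example, not from the post).

Assumption: an in-memory policy with illustrative names; in practice this
logic lives in an identity-aware proxy or policy engine in front of the
resource, whether it is an IT or an OT system.
"""
from dataclasses import dataclass

@dataclass
class Resource:
    name: str
    kind: str            # "IT" or "OT": the check below treats both alike
    required_role: str   # the one role that may reach this resource

@dataclass
class Session:
    user: str
    roles: frozenset
    authenticated: bool  # strong authentication completed for this session
    encrypted: bool      # request arrived over an encrypted channel
    origin: str          # "internet" or "intranet": deliberately ignored
    revoked: bool = False  # set by the identity provider on revocation

AUDIT_LOG = []           # every decision is recorded for monitoring

def authorize(session, resource):
    """Decide one request; nothing is cached, so a revocation that happens
    between two requests is enforced on the very next one."""
    if session.revoked or not session.authenticated:
        verdict = (False, "authentication required")   # origin plays no role
    elif not session.encrypted:
        verdict = (False, "plain-text transport refused")
    elif resource.required_role not in session.roles:
        verdict = (False, "least privilege: role missing")
    else:
        verdict = (True, "allowed")
    AUDIT_LOG.append((session.user, session.origin, resource.name, verdict[1]))
    return verdict

def demo():
    """Walk one session through its lifecycle; returns the three decisions."""
    hmi = Resource("plant-hmi", "OT", "ot-operator")
    s = Session("alice", frozenset({"ot-operator"}), authenticated=False,
                encrypted=False, origin="intranet")
    first = authorize(s, hmi)            # being on the intranet buys nothing
    s.authenticated, s.encrypted = True, True
    second = authorize(s, hmi)           # strong auth + encryption + right role
    s.revoked = True                     # identity provider withdraws access
    third = authorize(s, hmi)            # enforced on the next request
    return first, second, third
```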
