CYBER SECURITY
technical
Automazione e Strumentazione, June/July 2017, p. 87
basically works by indexing the response messages for different kinds of protocols for each public Internet address that has been queried. These research queries returned 29.232 systems.
Considering this perimeter as the starting point, the Lutech team performed a more in-depth analysis of the ports, products and versions of the exposed services. Moreover, each host found to be 'alive' has been automatically categorized and enriched with different kinds of information useful for further analysis.
Country
The 29.232 systems in scope have been categorized by country: Germany, with 4.017 systems, is the country with the largest number of ICS/SCADA/IoT systems reachable from the Internet inside the European cyber perimeter, followed by France and Italy with more than 3.000 IP addresses each. The United Kingdom, the Netherlands, Spain and Turkey follow with about 2.000 systems exposed each.
Exposed Services
The Lutech team, with its own capabilities, has been able to proactively scan the alive systems in scope, adding to the available dataset useful information about top open ports, products and versions of the exposed services used by these systems and freely reachable by anyone from the Internet. As a result, 79.749 exposed services (ports) and products have been found.
Many of the 29.232 hosts in our perimeter expose different services which, probably, in most cases are not strictly necessary for the purpose of the system. More in depth, about 80% of the 29.232 hosts expose a web server, and 65% of those web servers are listening on port 80 (HTTP) without any kind of ACL and without any SSL protocol support. There are also many web servers exposed on other similar and well-known ports, such as ports 81, 82, 8080, 8081, etc. Web servers that use the HTTPS protocol (sometimes in combination with HTTP) are about 27% of the total.
Moreover, about 5.000 systems (17%) expose the Telnet service on port 23, which puts these hosts at risk because of its cleartext nature; another interesting note is that about 6.800 systems (23%) expose an FTP service over the Internet. Those FTP services are analyzed in the next paragraph.
Products
Going deeper into the analysis of the exposed services of the systems in scope, the Lutech team analyzed the top products and their versions used to serve the specific functionalities, in order to better understand the technologies and to detect potentially exploitable vulnerabilities.
About 93% of the total number of web servers found are based on different kinds of Unix technologies, while just 7% of the web servers are based on Microsoft technologies. 13% of the services found alive are directly attributable to SCADA/ICS products exposed over the Internet, while 5% of the total products are related to network devices.
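The per-port and per-product percentages quoted in the two sections above are the output of a simple aggregation over a service inventory. The following script is an added example, not the article's or Lutech's own code: it takes a constructed sample of (host, port, product, TLS) records, computes the same kind of figures (share of hosts exposing a web server, share of those on plain port 80, HTTPS share, top ports) and, from a defender's standpoint, flags the cleartext services the article singles out (Telnet, FTP, HTTP without TLS) so they can be closed or put behind a VPN. The port-to-risk mapping and the sample addresses are assumptions made for the example.

```python
"""Added example: summarise an exposure inventory the way the article's
'Exposed Services' and 'Products' sections do.  All records below are
constructed sample data (documentation-range addresses), not Lutech's dataset;
the port/risk mapping is a hypothetical simplification."""
from collections import Counter

# Constructed sample of exposed services, loosely modelled on the exposures the
# article describes (HTTP on 80/8080, Telnet on 23, FTP on 21, an ICS protocol).
SAMPLE_SERVICES = [
    {"ip": "203.0.113.10", "port": 80,   "product": "Apache httpd",  "tls": False},
    {"ip": "203.0.113.10", "port": 23,   "product": "telnetd",       "tls": False},
    {"ip": "203.0.113.11", "port": 443,  "product": "nginx",         "tls": True},
    {"ip": "203.0.113.11", "port": 80,   "product": "nginx",         "tls": False},
    {"ip": "203.0.113.12", "port": 8080, "product": "Microsoft-IIS", "tls": False},
    {"ip": "203.0.113.13", "port": 21,   "product": "vsftpd",        "tls": False},
    {"ip": "203.0.113.13", "port": 502,  "product": "Modbus/TCP",    "tls": False},
    {"ip": "203.0.113.14", "port": 23,   "product": "telnetd",       "tls": False},
]

# Ports the article treats as web-server ports, and the cleartext services it
# calls out as risky (assumed mapping for this example).
WEB_PORTS = {80, 81, 82, 443, 8080, 8081, 8443}
CLEARTEXT_RISK = {23: "telnet", 21: "ftp", 80: "http-no-tls"}


def hosts(services):
    """Distinct hosts in the inventory."""
    return {s["ip"] for s in services}


def web_exposure(services):
    """Return (hosts with any web port, hosts on plain HTTP/80, hosts with TLS)."""
    web = {s["ip"] for s in services if s["port"] in WEB_PORTS}
    plain80 = {s["ip"] for s in services if s["port"] == 80 and not s["tls"]}
    https = {s["ip"] for s in services if s["tls"]}
    return web, plain80, https


def percent(part, whole):
    """Share of `part` in `whole`, rounded to one decimal; 0.0 for an empty whole."""
    return round(100.0 * len(part) / len(whole), 1) if whole else 0.0


def cleartext_findings(services):
    """Per-host list of cleartext services a defender would want to close or wrap in TLS/VPN."""
    findings = {}
    for s in services:
        label = CLEARTEXT_RISK.get(s["port"])
        if label and not s["tls"]:
            findings.setdefault(s["ip"], []).append(label)
    return findings


def top_ports(services, n=3):
    """Most common open ports, as (port, count) pairs."""
    return Counter(s["port"] for s in services).most_common(n)


def summary(services):
    """Figures in the same shape as the article's percentages."""
    all_hosts = hosts(services)
    web, plain80, https = web_exposure(services)
    return {
        "hosts": len(all_hosts),
        "services": len(services),
        "web_pct": percent(web, all_hosts),
        "plain_http80_pct_of_web": percent(plain80, web),
        "https_pct": percent(https, all_hosts),
        "telnet_hosts": sorted(ip for ip, f in cleartext_findings(services).items() if "telnet" in f),
        "top_ports": top_ports(services),
    }


if __name__ == "__main__":
    for key, value in summary(SAMPLE_SERVICES).items():
        print(f"{key}: {value}")
```

On real scan output the same functions apply unchanged; the only part that would grow is the record list, which would come from the scanner's export rather than being embedded inline.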
Security Analysis
Based on the presented dataset, the Lutech team performed research and different kinds of security analyses and considerations about the systems in scope. These analyses resulted in finding many exposed systems, different known exposed vulnerabilities, many bad configurations and also systems surely compromised and used for malicious purposes, for example to send phishing emails, or systems used as command & control for malware, etc.
In order to discover these security problems, which expose systems to high risks, the Lutech team performed:
- Matching against the L-TMS/CTI private and public database of IOCs (Indicators of Compromise);
- Automatic and manual analysis of systems with the help of public and private tools and sandboxes;
- Analysis of open and anonymous exposed services;
- Matching against known public repositories of vulnerabilities.
IOC Match
Lutech maintains an updated database of IOCs (Indicators of Compromise) with information gathered from many private and public intelligence sources. Matching this database against the previously described dataset of 29.232 systems in scope has resulted in finding, in different ways and for different purposes, 268 systems that are known to be compromised.
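The match described here is, at its core, a join between the host inventory and an indicator feed. The script below is an added example and not Lutech's L-TMS/CTI code: it uses a constructed IOC feed containing both single addresses and CIDR ranges, parses every indicator once with the standard library's ipaddress module so that range indicators match correctly (a plain string comparison would miss every host inside a /28), skips malformed entries instead of aborting, and reports which hosts hit which category together with the overall rate. The feed entries, categories and host addresses are all assumptions made for the example.

```python
"""Added example: match an inventory of exposed hosts against an IOC feed.
The feed and the host list are constructed sample values in documentation
address ranges; the article's L-TMS/CTI database is not reproduced here."""
import ipaddress

# Constructed IOC feed: each entry is a single IP or a CIDR range plus a category.
IOC_FEED = [
    {"indicator": "203.0.113.10",    "category": "phishing-sender"},
    {"indicator": "198.51.100.0/28", "category": "malware-c2"},
    {"indicator": "192.0.2.77",      "category": "scanner"},
    {"indicator": "not-an-address",  "category": "garbage"},   # deliberately malformed
]

# Constructed host inventory (the article's dataset would hold ~29k entries).
HOSTS = ["203.0.113.10", "203.0.113.11", "198.51.100.5", "198.51.100.40", "192.0.2.77"]


def compile_feed(feed):
    """Parse each indicator once into an ip_network so matching is exact, not string-based.

    strict=False lets an indicator such as 10.0.0.5/24 through (host bits set);
    malformed entries are skipped rather than failing the whole run.
    """
    compiled = []
    for entry in feed:
        try:
            net = ipaddress.ip_network(entry["indicator"], strict=False)
        except ValueError:
            continue
        compiled.append((net, entry["category"]))
    return compiled


def match_hosts(hosts, feed):
    """Return {host: [categories]} for every host that falls inside a feed indicator."""
    compiled = compile_feed(feed)
    hits = {}
    for host in hosts:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # inventory rows that are not IP addresses are ignored
        categories = [cat for net, cat in compiled if addr in net]
        if categories:
            hits[host] = categories
    return hits


def compromise_rate(hosts, feed):
    """(number of matched hosts, percentage of the inventory they represent)."""
    hits = match_hosts(hosts, feed)
    pct = round(100.0 * len(hits) / len(hosts), 2) if hosts else 0.0
    return len(hits), pct


if __name__ == "__main__":
    for host, cats in match_hosts(HOSTS, IOC_FEED).items():
        print(f"{host}: {', '.join(cats)}")
    print("matched hosts, percent:", compromise_rate(HOSTS, IOC_FEED))
```

For a feed of realistic size the linear scan over indicators per host becomes slow; the usual refinement is to bucket compiled networks by prefix length or use a radix tree, but the matching logic stays the same.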
Figure 1 - Country Analysis