
CYBER SECURITY

technical

Automazione e Strumentazione

June/July 2017

87

basically works by indexing the response messages for different kinds of protocols for each public Internet address that has been queried.

These research queries returned 29.232 systems.

Taking this perimeter as the starting point, the Lutech team performed a more in-depth analysis of the ports, products and versions of the exposed services. Moreover, each host found 'alive' was automatically categorized and enriched with different kinds of information useful for further analysis.

Country

The 29.232 systems in scope have been categorized by country: Germany, with 4.017 systems, is the country with the largest number of ICS/Scada/IoT systems reachable from the Internet inside the European cyber perimeter, followed by France and Italy with more than 3.000 IP addresses each. The United Kingdom, the Netherlands, Spain and Turkey follow with about 2.000 exposed systems each.

Exposed Services

The Lutech team, with its own capabilities, was able to proactively scan the alive systems in scope, adding to the available dataset useful information about the top open ports, products and versions of the services exposed by these systems and freely reachable by anyone from the Internet.

As a result, 79.749 exposed services (ports) and products have been found.

Many of the 29.232 hosts in our perimeter expose different services which, in most cases, are probably not strictly necessary for the purpose of the system.

In more detail, about 80% of the 29.232 hosts expose a web server, and 65% of those web servers are listening on port 80 (HTTP) without any kind of ACL and without any SSL protocol support. There are also many web servers exposed on other similar, well-known ports, such as 81, 82, 8080, 8081, etc.

Web servers that use the HTTPS protocol (sometimes in combination with HTTP) are about 27% of the total.

Moreover, about 5.000 systems (17%) expose the Telnet service on port 23, which puts these hosts at risk because of its cleartext nature; another interesting note is that about 6.800 systems (23%) expose an FTP service over the Internet. Those FTP services are analyzed in the next paragraph.

Products

Going deeper into the analysis of the exposed services of the systems in scope, the Lutech team analyzed the top products and their versions used to serve the specific functionalities, in order to better understand the technologies and to detect potentially exploitable vulnerabilities.

About 93% of the total number of web servers found are based on different kinds of Unix technologies, while just 7% of the web servers are based on Microsoft technologies.

13% of the services found alive are directly attributable to Scada/ICS products exposed over the Internet, while 5% of the total products are related to network devices.

Security Analysis

Based on the presented dataset, the Lutech team performed research and different kinds of security analyses and considerations about the systems in scope. These analyses found many exposed systems, various known exposed vulnerabilities, many bad configurations and also systems that are surely compromised and used for malicious purposes, for example to send phishing emails or as command & control for malware, etc.

In order to discover these security problems, which expose systems to high risk, the Lutech team performed:

- Match with the L-TMS/CTI private and public database of IOCs (Indicators of Compromise);
- Automatic and manual analysis of systems with the help of public and private tools and sandboxes;
- Analysis of open and anonymous exposed services;
- Match with known and public repositories of vulnerabilities.

IOC Match

Lutech maintains an up-to-date database of IOCs (Indicators of Compromise) with information gathered from many private and public intelligence sources. Matching this database against the previously described dataset of 29.232 systems in scope has resulted in finding, in different ways and for different purposes, 268 systems that are known to be compromised.
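The exposed-service checks and the IOC match described above can be reproduced on an organization's own asset inventory. The following is an added example, not Lutech's tooling or code from the article: it flags hosts that expose Telnet, FTP or HTTP with no HTTPS port, and matches host addresses against an IOC list. The inventory, the IOC entries, the finding labels and the use of ports 21 (FTP) and 443 (HTTPS) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory: (host IP, open TCP port), documentation-range addresses.
SCAN = [
    ("192.0.2.10", 80), ("192.0.2.10", 23),
    ("192.0.2.11", 443), ("192.0.2.11", 80),
    ("198.51.100.7", 21), ("198.51.100.7", 8080),
    ("203.0.113.5", 502),
]
# Constructed IOC feed: single addresses and CIDR ranges.
IOC_FEED = ["198.51.100.0/28", "203.0.113.99"]

HTTP_PORTS = {80, 81, 82, 8080, 8081}  # web ports named in the article
HTTPS_PORTS = {443}                    # assumption: standard HTTPS port
TELNET, FTP = 23, 21                   # port 21 for FTP is an assumption

def audit(scan, ioc_feed):
    """Return {host: [findings]} from open-port records and an IOC list."""
    ports = defaultdict(set)
    for ip, port in scan:
        ports[ipaddress.ip_address(ip)].add(port)
    # A bare address becomes a /32 network, so one membership test covers both forms.
    nets = [ipaddress.ip_network(entry, strict=False) for entry in ioc_feed]
    report = {}
    for ip, open_ports in ports.items():
        findings = []
        # Port-based approximation: HTTP offered, no HTTPS port open on the host.
        if open_ports & HTTP_PORTS and not open_ports & HTTPS_PORTS:
            findings.append("http-only")
        if TELNET in open_ports:
            findings.append("telnet")
        if FTP in open_ports:
            findings.append("ftp")
        if any(ip in net for net in nets):
            findings.append("ioc-match")
        report[str(ip)] = findings
    return report

def share(report, finding):
    """Percentage of hosts carrying a given finding, rounded to an integer."""
    hits = sum(finding in found for found in report.values())
    return round(100 * hits / len(report))

if __name__ == "__main__":
    result = audit(SCAN, IOC_FEED)
    for host, found in result.items():
        print(host, ", ".join(found) or "no findings")
    print("telnet share:", share(result, "telnet"), "%")
```

The "http-only" flag is derived from open ports alone; confirming missing TLS support or a missing ACL requires inspecting the service itself.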

Figure 1 - Country Analysis