
CYBER SECURITY - technical

Automazione e Strumentazione, June/July 2017, page 88

About 27% of these 268 compromised systems are still active, and for each system we were also able to determine the threat category: about 45% of the 268 systems found have been used as scanning hosts by attackers looking for vulnerabilities across the Internet. About 10% of the systems have been tracked as zombies or infected hosts, and about 5% have been tracked as command and control centers. There is also some evidence of compromised servers being used for DDoS attacks.

Private Sandbox and Custom Analysis

The Lutech team also performed specific analyses with private sandboxes and tools in order to find further relevant evidence. These analyses returned 81 pieces of evidence of possible compromise.

After specific analysis, the Lutech team found clear evidence of system compromise. One example is a system used for malicious purposes that exposes a web server (over HTTP) with the web admin panel of a Solar-Log infrastructure (a remote residential solar PV monitoring and metering system). This system turned out to be compromised and used as a mail server by an attacker, who sent phishing (and malware) emails in a specific ransomware campaign: the email found was sent from this system to many victims on November 23rd 2016 and contains an attached file called 'IMG-69899276-XXXXXX.zip'. Based on a sandbox analysis, this file is flagged as ransomware by just 14 of 54 antivirus companies.

Anonymous exposed Services

Still considering the starting perimeter of 29,232 systems, the Lutech team analysed three categories of services: FTP, SMTP and VNC.

Anonymous FTP services

Of the 6,879 hosts that expose TCP port 21 (FTP) to the Internet, the Lutech team found that 314 hosts allow anonymous access to the FTP service, permitting the listing of files and folders, in some cases with write permissions as well. There is also considerable evidence of actual, complete compromise of some of these servers: webshells and malicious files were found uploaded in the root directories. Moreover, there is concrete evidence that some systems were used as command and control for botnets.

Open Relay SMTP servers

Of the 1,438 hosts that expose TCP port 25 (SMTP) to the Internet, the Lutech team found that 22 hosts can be used as open SMTP relay servers by an attacker to send phishing and spam emails anonymously.

Open VNC services

Of the 802 hosts that expose TCP port 5900 (VNC) to the Internet, the Lutech team found that 8 hosts allow anonymous access to the VNC server, which essentially gives any attacker complete control of the system without any kind of authentication.
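As an added example (not from the article or from Lutech), the following Python script checks server configuration text for the three weak settings behind the findings in this section: vsftpd with anonymous (and possibly writable) access, Postfix configured as an open relay, and TigerVNC with a security type that needs no credentials. The configuration snippets are constructed; the option names (anonymous_enable, write_enable, anon_upload_enable, anon_mkdir_write_enable, mynetworks, smtpd_relay_restrictions, SecurityTypes) are the real ones from those programs, and the rule that an absent anonymous_enable counts as YES follows vsftpd's documented default.

```python
"""Offline configuration audit for anonymous FTP, SMTP open relay and
unauthenticated VNC. Added example; all sample config text is constructed."""

from typing import Dict, List


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key=value' / 'key = value' lines into a dict (keys lower-cased).

    '#' comments and blank lines are skipped; a later duplicate key wins,
    which matches how vsftpd and Postfix resolve repeated keys."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def _yes(conf: Dict[str, str], key: str, default: str = "NO") -> bool:
    return conf.get(key, default).strip().upper() == "YES"


def audit_vsftpd(text: str) -> List[str]:
    """Flag anonymous FTP access and, worse, anonymous write access.

    vsftpd's compiled-in default for anonymous_enable is YES, so a config
    that omits the key is treated as anonymous-enabled."""
    conf = parse_kv(text)
    findings: List[str] = []
    if _yes(conf, "anonymous_enable", default="YES"):
        findings.append("anonymous FTP login enabled")
        # Uploads need the global write switch plus one anonymous write option.
        if _yes(conf, "write_enable") and (
            _yes(conf, "anon_upload_enable") or _yes(conf, "anon_mkdir_write_enable")
        ):
            findings.append("anonymous users can write (upload / mkdir)")
    return findings


def audit_postfix(text: str) -> List[str]:
    """Flag settings that make Postfix relay for arbitrary Internet clients.

    Relaying is open when mynetworks trusts every address, or when
    smtpd_relay_restrictions reaches a bare 'permit' before (or without)
    a reject/defer_unauth_destination check; an exhausted list permits."""
    conf = parse_kv(text)
    findings: List[str] = []
    networks = conf.get("mynetworks", "").replace(",", " ").split()
    if any(n in ("0.0.0.0/0", "::/0", "[::]/0") for n in networks):
        findings.append("mynetworks trusts every source address")
    # Postfix default (2.10 and later) when the key is absent.
    restrictions = conf.get(
        "smtpd_relay_restrictions",
        "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
    )
    rules = [r.strip().lower() for r in restrictions.replace(",", " ").split()]
    guards = {"reject_unauth_destination", "defer_unauth_destination"}
    guard_pos = [i for i, r in enumerate(rules) if r in guards]
    permit_pos = [i for i, r in enumerate(rules) if r == "permit"]
    if not guard_pos or (permit_pos and min(permit_pos) < min(guard_pos)):
        findings.append("smtpd_relay_restrictions relays for unauthenticated clients")
    return findings


def audit_tigervnc(text: str) -> List[str]:
    """Flag VNC security types that need no credentials (None, TLSNone, X509None)."""
    conf = parse_kv(text)
    types = [t.strip().lower() for t in conf.get("securitytypes", "").split(",") if t.strip()]
    if any(t.endswith("none") for t in types):
        return ["VNC accepts connections without authentication"]
    return []


# Constructed samples: the weak setting next to its hardened form.
WEAK_VSFTPD = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
HARDENED_VSFTPD = "anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"
WEAK_POSTFIX = "mynetworks = 0.0.0.0/0\nsmtpd_relay_restrictions = permit\n"
HARDENED_POSTFIX = (
    "mynetworks = 127.0.0.0/8 [::1]/128\n"
    "smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, "
    "reject_unauth_destination\n"
)
WEAK_VNC = "SecurityTypes=None\n"
HARDENED_VNC = "SecurityTypes=VncAuth,TLSVnc\n"


def audit_all() -> Dict[str, List[str]]:
    """Run every auditor over the weak samples; hardened samples yield nothing."""
    return {
        "vsftpd": audit_vsftpd(WEAK_VSFTPD),
        "postfix": audit_postfix(WEAK_POSTFIX),
        "tigervnc": audit_tigervnc(WEAK_VNC),
    }


if __name__ == "__main__":
    for service, findings in audit_all().items():
        print(service, "->", findings or "no findings")
```

The hardened vsftpd sample still allows local users to write, which is a normal configuration; only the anonymous path is flagged. The Postfix check deliberately treats a missing guard as open because a restriction list that runs off its end permits the client.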

Known Vulnerabilities

A more in-depth analysis of the exposed services gives a worrying picture of the security of the systems in our analysis perimeter. Of the starting perimeter of 29,232 hosts, the Lutech team discovered that 7,089 expose at least one known vulnerability that could be exploited, by anyone, from the Internet. Web servers are the products most targeted by vulnerabilities and malicious threats, accounting for about 70% of the total vulnerabilities found. It is important to underscore that, quite often, the risks related to these kinds of vulnerabilities could be easily

Figure 3 - IOC Status

Figure 2 – IOC Match