The internet is a global village, not a metropolis

By Szilárd Pfeiffer, Security Engineer & Evangelist, Balasys

The internet: where everybody is your neighbor

Many people believe the internet is large enough to hide from criminals to ensure they aren’t victims of a cyberattack; however, this isn’t the case. The internet is a global village, where everyone is your neighbor, and anyone can detect your vulnerabilities and exploit them.

The internet is not as big as you might think. Until Internet Protocol version 6 arrives, there are fewer than 4 billion Internet Protocol version 4 addresses. In theory, it would be almost 4.3 billion addresses, but 600 million IPv4 addresses are reserved. In practice, there are approximately 3.7 billion public and routable IPv4 addresses. Finding vulnerable machines among this crowd of IP addresses might seem like looking for a needle in a haystack, but this is not true. With automated tools, anybody can systematically scan the internet for various vulnerabilities in public services.

This kind of mass scan requires fewer resources than you might think. If checking for a vulnerability takes a maximum of one second, in one month, hackers need to check around 1,400 machines a second to find every device on the internet exploitable for a particular vulnerability. If the available period is just a week or a day, you need to scan around 6,000 or 43,000 services a second, respectively. This may sound like an unattainable number, but if you consider that even a huge country like China uses less than 8% and Russia uses less than 1% of the available IP addresses, you can see that focusing on smaller targets decreases the required resources to a tenth or a hundredth.

The numbers above demonstrate that it is theoretically possible to mass scan the entire internet. Effective free tools can perform mass scans, converting this academic opportunity into practice. These tools promise to scan all public IPv4 addresses in roughly ten minutes on a typical desktop computer with a gigabit Ethernet connection. Researchers proved the time needed to perform application-layer scans in some cases could be further reduced, meaning that mass scans will be able to discover any accidentally or willingly published application layer services in a short space of time.

Search engines for potential weaknesses

Hackers do not even have to perform mass scans themselves, as commercial services sell bulk data from their scans. It would still be challenging to inspect, cleanse, transform and model the bulk data to discover necessary information, though some companies offer already completed data analysis. These organizations also allow search engines to access their well-structured databases, which contain near real-time information about exploitable services worldwide. These databases can be accessed for free with substantial limitations, or you can pay a fee to reduce these limitations. Entry-level subscriptions are just a few dollars per month, meaning that the information price for the exploitable services is not high. The numerous other free tools create dramatically low barriers to entry for self-appointed hackers.

Some use the mentioned tools and services to create a well-automated system, especially since they provide application programming interfaces (APIs) to access their database. As you can see, you do not have to be a nation-state actor to perform effective scans for vulnerable services on the internet. Criminal and hacktivist groups commonly use the mentioned services for creating and managing their systems. However, the situation is worse, as even a script kiddie could also find vulnerable services in their interest. These search engines make it possible to filter the services by protocol, vendor, vulnerability, geolocation, etc. Someone with a low level of preparedness could cause harm to an organization by identifying targets with the mentioned tools using proof-of-concept (POC) implementations of the vulnerabilities, even if the POC was disclosed responsibly.  

Operation technology is also under attack

Cyberattacks may use devices that are not strictly part of the IT infrastructure to achieve their goals. For instance, with some programs, you can easily find webcams without any authentication or default username and password near or inside a targeted organization. A hacker can use unauthorized access to a webcam to observe the targeted site and create plans to circumvent the guards. Some hacking techniques depend on getting devices into the targeted organization or near it. For instance, installing an open Wi-Fi hotspot near the targeted network may cause devices of the targeted network to connect automatically to the malicious hotspot. A hacker could then eavesdrop on any unencrypted traffic from the connected device to secure usernames and passwords. Even if the data is encrypted, metadata can still be collected, such as the domain name of the visited sites. It also opens the possibility of an intrusion attempt that exploits vulnerabilities on the connected device. An open webcam increases the risk that someone might install a malicious device unnoticed, even if it is a guarded factory site far from overcrowded districts.

Some might think that no part of the critical infrastructures or Industrial Control Systems (ICS) is ever connected directly to the internet without robust authentication. The reality is different. You can find thousands of devices by searching for network protocols used in supervisory control and data acquisition or ICS. It is possible that published programmable logic controllers do not lead to the most severe risk, as you can also find human-machine interfaces published on the internet. These devices are usually accessible by the Remote Desktop Protocol servers, which can have both configuration and implementation issues. For instance, they may use NTLM authentication that has weaknesses and vulnerabilities.

Zero Trust to the rescue

Under such circumstances, no one should assume that cyberattacks don’t target them. Today, an organization does not have to be targeted by attackers directly. Automated tools systematically search the internet for vulnerable public services and attempt to exploit them immediately. If they are successful, the tools begin a lateral movement to spread themselves through the organization as extensively as possible and wait for the attackers’ commands. At that point, we have already lost. The best advice to prevent such a situation is what the Zero Trust Security Model has been advising for decades and is now also followed by US governmental offices in line with President Biden’s executive order:

  1. Handle everything equally as a resource, independently of whether it is part of information technology (IT) or operational technology (OT), as both have the same importance.
  2. Allow access to resources only after strict authentication independently from the resource accessible from the internet, as an intranet service can still be a target of an insider attack or malicious software brought to it by a personal device.
  3. Prohibit plain text communication and use only encrypted connections with robust encryption algorithms to avoid the first step of each attack, eavesdropping.
  4. Apply the least privilege principle during the authorization to minimize the risk that an infected device might cause on your network, can access everything that the device user is permitted to access.
  5. Apply these controls in a session-based manner to minimize the period between the revocation and the enforcement of an authorization level revocation.
  6. Continuously monitor your devices and network to prevent or notify of any suspicious behavior.