            About IoT Threat Defense


            What is the Mirai Botnet?
            1. Mirai is malware that compromises Linux devices, turning them into remotely-controlled "bots" that can be used as part of a distributed denial of service (DDoS) attack.
            2. Mirai primarily targets Internet of Things (IoT) devices, such as routers, DVRs and IP cameras. The Mirai botnet has been used in some of the largest known DDoS attacks. This includes the recent takedown of Dyn DNS services, which led to the disruption of major websites and services for millions of users around the world.
            3. A device is classified as vulnerable to Mirai when it can be remotely accessed using one of the default passwords in Mirai’s dictionary.

            Securolytics identified a vulnerable device on my network.  What can I do?
            If a vulnerability is found on your network, we will include a specific recommendation for actions to take.  The suggested action depends on the specific vulnerability found.


            What specific threats and vulnerabilities do you look for?
            The list of vulnerabilities we look for is constantly evolving as more threats emerge, but a few of the items include:
            1. Known default passwords
            2. Easily guessed passwords
            3. Open firewalls
            4. Open mail relays
            5. Open remote desktops
            6. Exploitable DNS servers
            7. SSL vulnerabilities

            Why is scanning regularly important?
            1. Exploitable devices open backdoors into your network
            2. By 2018, two thirds of enterprises will experience an IoT security breach
            3. 1 hacked device = potential data breach and a reportable incident
            4. New devices are added to your networks all the time, not just by your staff.  Hackers will find vulnerable devices within minutes of their being exposed.  You need to find and resolve the issues before someone opens the backdoor into your network.



            IoT Threats & Vulnerabilities

            Each entry below gives the Exploit, its Description, the Recommended Action, the Port(s) examined and the Test used to confirm the finding.

            Exploit: Default Credentials
            Description: Scans detected default credentials on an exposed device. Many IoT devices like IP cameras, DVRs and routers have hard-coded default credentials (usernames and passwords) that are exposed when those devices are connected to the internet.
            Recommended Action: Remove the device from the network until the default credentials are changed. Remove default accounts if possible, and change default passwords.
            Port(s): 23, 80, 8080, 21
            Test: Telnet (23), HTTP (80, 8080) or FTP (21) authorization successful with credentials from a list of default credentials

            Exploit: Open Firewall
            Description: Scans detected a firewall management console accessible from a non-trusted public IP address. Firewall management consoles should only be accessible from inside the network or from trusted external IPs. Hackers search for firewalls where public management access (SSH or HTTPS) was left enabled.
            Recommended Action: Change the firewall configuration to allow access to the management console only from within the network, or only from limited, trusted, external IP addresses.
            Port(s):
            Test:

            Exploit: Open Mail Relay
            Description: Scans detected a corporate mail server that accepts email for non-corporate domains. Hackers are constantly looking for mail servers that have not been properly configured, which allow them to blast out spam and viruses.
            Recommended Action: Change the SMTP server configuration to only accept email for company domains.
            Port(s): 25
            Test:

            Exploit: Open Remote Desktop
            Description: Scans detected open remote desktop access (RDP or VNC) from public, non-trusted IP addresses. Remote desktop access should only be allowed from trusted external IPs. Hackers search for publicly accessible desktops and then attempt to log in.
            Recommended Action: Change the remote desktop configuration or firewall configuration to allow access only from trusted IP addresses.
            Port(s): 5900, 3389
            Test: Open port 5900 (VNC) or 3389 (RDP)

            Exploit: Exposed LDAP Directory
            Description: Scans detected open access to an LDAP directory. Companies open LDAP access to Active Directory when using cloud apps like Office 365, Google Apps and Citrix. Hackers look for these open connections and can use them to steal employee passwords.
            Recommended Action: Change the firewall configuration to allow access to Active Directory LDAP directories only from trusted IPs.
            Port(s): 389, 686
            Test: Open port 389 (LDAP) or 686 (LDAPS)

            Exploit: Non-Encrypted Database Connection
            Description: Scans detected open access to non-encrypted database ports. Database access open to external IP addresses should be encrypted. Non-encrypted connections can allow hackers to view traffic going to and from your database, including database authentication credentials.
            Recommended Action: Change the firewall configuration to block access to non-encrypted database ports from external IP addresses.
            Port(s): 1433, 1521, 2483, 3306
            Test: Open port 1433 (SQL Server), 1521/2483 (Oracle) or 3306 (MySQL)

            Exploit: Exploitable DNS Server
            Description: Scans detected an open DNS server exposed to the internet. Corporate DNS servers are designed for machines on your internal network. An overlooked firewall rule can allow hackers to stage attacks using your DNS server.
            Recommended Action: Change the firewall configuration to only allow access from the internal network.
            Port(s): 53
            Test: Open port 53, valid response to a DNS query for www.cnn.com (dig @<ip_address> www.cnn.com +short)

            Exploit: Anonymous FTP Server
            Description: Scans detected an open anonymous FTP server. By default many FTP servers do not require a password.
            Recommended Action: Change the FTP server configuration to require user authentication and limit user permissions to only the required directories.
            Port(s): 21
            Test: Unauthenticated FTP access on port 21

            Exploit: SSL Heartbleed Vulnerability
            Description: Scans detected an active Heartbleed vulnerability in an SSL library. Patches for Heartbleed are available for most SSL libraries. Heartbleed, Poodle and DROWN are attacks that allow hackers to steal confidential information from a server running vulnerable SSL software.
            Recommended Action: Patch the SSL library used for the HTTPS service.
            Port(s): 443
            Test: Positive results from an Nmap vulnerability scan on open port 443 (HTTPS)

            Exploit: SSL Poodle Vulnerability
            Description: Scans detected an active Poodle vulnerability in the SSL library. Patches for Poodle are available for most SSL libraries. Heartbleed, Poodle and DROWN are attacks that allow hackers to steal confidential information from a server running vulnerable SSL software.
            Recommended Action: Patch the SSL library used for the HTTPS service.
            Port(s): 443
            Test: Positive results from an Nmap vulnerability scan on open port 443 (HTTPS)

            Exploit: SSL DROWN Vulnerability
            Description: Scans detected an active DROWN vulnerability in the SSL library. Patches for DROWN are available for most SSL libraries. Heartbleed, Poodle and DROWN are attacks that allow hackers to steal confidential information from a server running vulnerable SSL software.
            Recommended Action: Patch the SSL library used for the HTTPS service.
            Port(s): 443
            Test: Positive results from an Nmap vulnerability scan on open port 443 (HTTPS)

            Exploit: Expiring SSL Certificate
            Description: Scans detected an expired SSL certificate. SSL certificates expire after 1-3 years and most companies forget to install a new certificate on time. When a certificate expires, customers and employees can no longer use the affected systems.
            Recommended Action: Renew the SSL certificate and place the new certificate on the affected server.
            Port(s): 443
            Test: Check certificate expiration on open port 443 (HTTPS)

            Exploit: Blacklisted IP
            Description: Scans detected a blacklisted IP address. IP addresses can be blacklisted for a number of reasons, including if you recently acquired an IP address that was previously used for nefarious activity.
            Recommended Action: Contact the blacklisting service to have the IP removed from the list.
            Port(s): 80
            Test: Check IP against reputation database
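The following Python script is an added example, not the Securolytics scanner: it reproduces two of the checks from the Test column against a host you administer, TCP reachability of the listed ports and the days remaining on the HTTPS certificate. The port list is copied from the table; the 30-day "expiring" threshold and the function names are assumptions.

```python
"""Self-audit of a host you own against the exposed-port and certificate checks above."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Ports taken from the Port(s) column, keyed by the table's Exploit name.
EXPOSED_PORTS = {
    "Default Credentials": (21, 23, 80, 8080),
    "Open Mail Relay": (25,),
    "Open Remote Desktop": (3389, 5900),
    "Exposed LDAP Directory": (389, 686),
    "Non-Encrypted Database Connection": (1433, 1521, 2483, 3306),
    "Exploitable DNS Server": (53,),
}

def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds (live network check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_ports(host: str) -> Dict[str, List[int]]:
    """Map each table entry to the listed ports that are reachable on host."""
    found = {name: [p for p in ports if port_open(host, p)]
             for name, ports in EXPOSED_PORTS.items()}
    return {name: ports for name, ports in found.items() if ports}

def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Days until expiry from the notAfter string ssl.getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2025 GMT'. Negative means already expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days

def classify_cert(days: int, warn_days: int = 30) -> str:
    """Assumed policy: flag certificates within warn_days of expiry."""
    if days < 0:
        return "expired"
    return "expiring" if days <= warn_days else "ok"

def cert_days_for_host(host: str, port: int = 443) -> int:
    """Live check of the HTTPS certificate; an already-expired cert fails
    verification, so it is reported as -1 rather than parsed from DER."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return days_until_expiry(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        if "expired" in str(exc):
            return -1
        raise
```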

            Updated: 26 Feb 2019 06:09 AM