Posted November 28, 2018
Threat actors are continuously looking for the easiest way into your network. Whether access is gained by social engineering your office assistant for his or her network credentials or by taking advantage of unpatched vulnerabilities, the less time and effort the bad guys have to put in, the bigger the return on investment.
How does mass scanning play into this? Mass scanning can reveal vulnerabilities in any internet-connected device: this includes IoT devices, personal computers and mobile devices, as well as critical infrastructure and even industrial control systems. Connected devices can be exploited at scale and cause havoc, as exhibited by the Mirai botnet and the 590,000 residential routers compromised by Russian Advanced Persistent Threat 28 (APT28, aka Fancy Bear).
A single scan can pinpoint vulnerable devices that can be exploited with malicious tools. The infected device can then be leveraged to scan for and exploit vulnerabilities on other devices on the network. The technique can also identify if there are any open ports or misconfigured certs on your network or on the networks of your third parties. This is important because overlooking these types of vulnerabilities is like leaving your doors open – you are essentially inviting criminals to enter.
Continuing with the house analogy, conducting a mass scan is the equivalent of checking the door to see if it is unlocked and if anyone is home. Now, imagine that every home has 65,536 doors, each of which serves a particular purpose. These doors represent the ports that can be available for each Internet Protocol (IP) address. Each port is used for a specific purpose or by a specific program. For example, port 80 is used for HTTP traffic (unencrypted Internet browsing), and port 25 is used for outgoing emails. A port scan is sending a message to the IP address on a specific port (checking a specific door); if the machine using the destination IP has that port “open” (if the person responsible for that particular door is home and answers), it will send an acknowledgement message back. If the port is “closed” (the person is not home and no one answers), no response is given. Because every device that is directly connected to the Internet must have an IP address, and the number of IP addresses is finite, specialized software or a script can send data packets to each and every IP address (homes checked) and record the answers (doors answered), or lack thereof, as they are received. This would be the equivalent of a door-to-door survey. There are three main types of scans:
- Horizontal: Horizontal scans describe scanning the entire IP space on the same port. For example, one can horizontally scan the Internet on port 80 to see which computers/devices allow unencrypted Internet browsing traffic.
- Vertical: Vertical scans are when every port is scanned on a single machine.
- Block: Block scans can send multiple messages on various ports to different IP addresses. The most complete block scan would scan all the IP space on the entire range of ports.
Scanning the entire Internet sounds like a challenging and resource-intensive task, but, in fact, publicly available tools, scripts, and services can scan all 3.7 billion IPs in minutes. And actors, both good and bad, are actually doing it.
Don’t Leave Your Ports & Certs Unattended
While academic and security researchers, commercial companies, and malicious actors all mass scan the Internet for different purposes, malicious actors use this technique for more nefarious reasons. Port scanning is one of the first steps of active reconnaissance a threat actor performs before attacking a system. This scanning allows the actor to identify which ports are publicly accessible, what services are running on available ports, whether the services are secured, and which are vulnerable. When the attacker identifies a vulnerable service, the port is then used to exploit the vulnerability and gain access to the system. Threat actors will always take the low-hanging fruit (an exposed port or vulnerable service) where available.
Older devices that are running outdated and vulnerable software abound. Those devices can be exploited and remotely controlled to extract valuable information or used to infect other vulnerable devices and conduct disruptive operations. Today, malicious actors can weaponize security vulnerabilities within 24 hours of their disclosure. Once weaponized, actors can look for and exploit vulnerabilities immediately after they are disclosed, giving network defenders and system owners very little time to patch and secure their systems. Internet of Things (IoT) devices are even more vulnerable and can be exploited within minutes of being connected to the Internet.
What Your Organization Can Do
For end users and network defenders, blocking unwanted Internet traffic on unnecessary ports and ensuring security updates are promptly and/or automatically installed are generally effective against most malicious activities associated with mass Internet scans. To protect their internal networks from scanning activities, most corporations use hardware solutions that act as a central gateway that routes all traffic in and out of the network and blocks scanning attempts on unused ports. Advanced network defense solutions, such as LookingGlass’ IRD-100™, can be programmed to ingest relevant and vetted data, instantly detecting and mitigating scanning activity on vulnerable or unsecure ports, including high-risk traffic from your third-party vendors and supply chain. Organizations can also invest in a technology that provides situational awareness of the cyber landscape so you can pinpoint where you have vulnerabilities on your own or your third parties’ networks, such as open ports and misconfigured certs.
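The three scan patterns described above (horizontal, vertical, block) leave a recognizable footprint in a gateway's connection log, which is what a defender's detection logic keys on. The following is an added example, not code from the original post or from LookingGlass: it assumes a constructed, simplified firewall log line of the form `src -> dst:port ACTION`, counts distinct destination hosts and ports per source, labels the pattern, and lists which probed ports actually answered (the "low-hanging fruit" the post warns about).

```python
from collections import defaultdict

# Constructed sample log (documentation address ranges): one horizontal scanner,
# one vertical scanner, one block scanner and one ordinary HTTPS client.
SAMPLE_LOG = """\
198.51.100.7 -> 203.0.113.10:80 DROP
198.51.100.7 -> 203.0.113.11:80 DROP
198.51.100.7 -> 203.0.113.12:80 DROP
198.51.100.7 -> 203.0.113.13:80 ACCEPT
192.0.2.45 -> 203.0.113.10:21 DROP
192.0.2.45 -> 203.0.113.10:22 ACCEPT
192.0.2.45 -> 203.0.113.10:23 DROP
192.0.2.45 -> 203.0.113.10:25 DROP
192.0.2.45 -> 203.0.113.10:443 DROP
198.51.100.200 -> 203.0.113.10:22 DROP
198.51.100.200 -> 203.0.113.11:23 DROP
198.51.100.200 -> 203.0.113.12:80 DROP
198.51.100.200 -> 203.0.113.13:443 DROP
10.0.0.5 -> 203.0.113.10:443 ACCEPT
10.0.0.5 -> 203.0.113.10:443 ACCEPT
"""

def parse_line(line):
    """Split 'src -> dst:port ACTION' (assumed format) into its fields."""
    src, _, rest = line.split(" ", 2)
    dst_port, action = rest.split(" ")
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port), action

def classify_sources(log_text, host_threshold=3, port_threshold=4):
    """Return {src: {"pattern", "hosts", "ports", "answered"}} for every source.

    pattern is 'horizontal' (many hosts, same port), 'vertical' (many ports,
    one host), 'block' (both) or 'normal'; answered lists ports that ACCEPTed.
    """
    hosts, ports, answered = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, action = parse_line(line)
        hosts[src].add(dst)
        ports[src].add(port)
        if action == "ACCEPT":
            answered[src].add(port)
    report = {}
    for src in hosts:
        many_hosts = len(hosts[src]) >= host_threshold
        many_ports = len(ports[src]) >= port_threshold
        pattern = ("block" if many_hosts and many_ports else "horizontal" if many_hosts
                   else "vertical" if many_ports else "normal")
        report[src] = {"pattern": pattern, "hosts": len(hosts[src]),
                       "ports": len(ports[src]), "answered": sorted(answered[src])}
    return report
```

The thresholds are assumptions; a real deployment would tune them per time window and feed sources labelled as scanners into the gateway's block list.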