Two VMware vCenter Server vulnerabilities identified earlier this year illustrate why Internet of Things (IoT) search engines are both a useful defensive tool and a serious accelerant for weaponized exploits.
vCenter is the management plane for vSphere: it lets organizations automate and deliver virtual infrastructure across the hybrid cloud. Because compromising vCenter gives a threat actor control of the virtualization layer, and with it every workload running on top of it, these flaws are serious for thousands of the largest organizations around the globe.
The first vulnerability (CVE-2021-21972) was a remote code execution (RCE) flaw in a plug-in of the vSphere Client (HTML5), disclosed by VMware on February 23. Within a day there were already two published exploits, and by May 11 we saw heavy scanning by the Necro Python botnet, a cryptojacking malware family.
The second (CVE-2021-21985), disclosed by VMware on May 25, was an RCE in the vSAN Health Check plug-in, which is enabled by default in all vCenter deployments. Unless an organization had explicitly disabled the plug-in, it was vulnerable. By June 1 we saw a rapid uptick in scans, following online publication of the technical details that made weaponizing the exploit straightforward.
Not all scanning is nefarious. Good actors continuously scan the entire Internet to catalog exposed services and assess the danger, and some have turned that scanning into paid services that let businesses easily assess their exposed services and attack surface. But by laying every exposed service on the Internet wide open, they also let malicious individuals profit, easily, without investing in infrastructure, and without in-depth technical knowledge.
Perhaps the three best known of these search engines are Censys, Shodan, and ZoomEye. Among other capabilities, they let organizations discover all of their Internet-connected devices and see which ones are exposed, so those can be protected or disconnected.
But they have made searching for unprotected devices so easy (by geolocation, port, operating system, service, hostname, IP address, keyword, and so on) that anyone, white hat, gray hat, or black hat, can uncover vulnerable devices.
Consider the Deep Web, the part of the Internet that is not indexed by search engines. Even if your IP address has no DNS entry, it will still end up recorded in someone's database. You might think that if you stand up a service and tell only a select few the IP address, it would be safe. But these IoT search engines scan the entire address space, and not only on HTTP ports: they also probe SSH, SMTP, RDP, and many other services, and for HTTP and HTTPS they capture the response body of the page as well.
So with vCenter, if you were looking for servers running the vSphere HTML5 client, you would search for a response containing ID_VC_Welcome. Running that query on Censys reveals about 30,000 HTTP hosts. That doesn't mean all of those IP addresses are vulnerable, because you haven't searched for a specific version yet. However, the version is encoded in the response, and if you search for all devices running a specific Web interface and software version, the database will return them. The answer isn't always that clean, since the indexed information may be days or weeks old, and some hosts sit on dynamic IP addresses, though most vCenter addresses are static.
Searching for the same string on Shodan gives you about 5,800 results. A sample result shows the vCenter version and build number, which is enough to determine whether the host is vulnerable, and the subject of the TLS certificate tells you what kind of organization owns it.
In practice, a threat actor can buy API access for a few dollars, write a script that queries the API for ID_VC_Welcome, reads the VMware version number, takes the IP address, and runs the exploit to see whether the host is vulnerable. If it is, they drop a reverse shell, or simply flag the host as open for future use or sale.
ZoomEye provides similar capabilities to the other two IoT search engines. In my experiment, I was able to search for vulnerabilities using an unregistered account for Censys and ZoomEye and a free-tier account on Shodan. In the latter case, you need to register, but you don't need a subscription, and minimal personal information is required. In fact, I have provided more information just to download cybersecurity reports!
It should be clear by now that providing access to this information means accepting the bad with the good. Anyone with a working Python script can abuse it almost immediately, regardless of expertise or infrastructure. There are plenty of public examples showing how to use the APIs of these search engines to pull IP addresses, feed them into a proof-of-concept script downloaded from GitHub, and start hacking.
What can an organization do to protect itself from the hacking risks created by legitimate IoT search engines? Here are five tips:
Tip 1: Much like a red team, use the tools attackers use to find out whether you are vulnerable. Query the best-known IoT search engines for your own IP ranges and domain names, and act on what you learn.
Tip 2: Minimize your attack surface by exposing only the services you need. Don't assume that a service or application you expose is not valuable to attackers; if it's valuable enough for you to expose, it's valuable enough for an attacker to target. A management plane like vCenter in particular has no business being directly reachable from the Internet; put it behind a VPN or a jump host.
Tip 3: Minimize the information you share in responses to unauthenticated requests. Many services let you configure response headers: remove the software name and release version from them and, if you like, replace them with misleading values. Don't be afraid to consult the manual; it might save you from a breach in the future! Treat this as defense in depth rather than protection: it raises the cost of triage for an opportunistic attacker, but a fingerprintable login page or a targeted probe still works, so patching remains the real fix.
Tip 4: Where possible, don't serve unauthenticated requests at all on exposed services. If you must, and you can't change what the service itself reveals, put it behind a reverse proxy, where you control exactly which information leaks.
Tip 5: Use bot management solutions, IP reputation feeds, and network signatures to detect and block scanners upstream of your services. Become a "ghost" on the Internet. Keep in mind that blocking the well-known research scanners removes you from their indexes but not from an attacker running their own mass scan, so this complements Tips 2 through 4 rather than replacing them.
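Tips 1 through 3 boil down to one repeatable check: pull what the search engines hold about your own address space, then flag anything you did not intend to expose, anything whose banner hands out software names or versions, and, mirroring the ID_VC_Welcome search described above, any vCenter login page. The script below is an added example and is not code from the original article or from any of the search engines. It assumes Shodan-style search results (the "matches" list returned by the Shodan search API, with ip_str, port, transport, data and ssl fields), treats the RFC 5737 documentation netblocks as "our" ranges, and embeds a constructed sample result set so it runs offline; the fetch_results stand-in, the INTENDED allowlist and the leak patterns are assumptions you would replace with a real API call and your own policy.

```python
"""External exposure review driven by IoT search engine results (Tip 1)."""
import ipaddress
import re
from collections import Counter

# Netblocks the organization owns. Constructed: RFC 5737 documentation ranges.
OUR_NETBLOCKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# (port, transport) pairs we deliberately expose. Anything else in our ranges is a Tip 2 finding.
INTENDED = {(443, "tcp"), (25, "tcp")}

# Unlocalized title string of the vSphere HTML5 client login page (from the article).
VCENTER_MARKER = "ID_VC_Welcome"

# Banner fragments that hand software names/versions to unauthenticated clients (Tip 3).
HEADER_LEAK = re.compile(r"^(?:Server|X-Powered-By|X-AspNet-Version):[ \t]*(.+?)\r?$", re.M | re.I)
SSH_LEAK = re.compile(r"^SSH-2\.0-(\S+)", re.M)
SMTP_LEAK = re.compile(r"^220[ \t]+\S+[ \t]+ESMTP[ \t]+(.+?)\r?$", re.M | re.I)

# Constructed sample in the shape of Shodan's "matches" list; these are not real hosts.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\r\nServer: VMware vCenter Server\r\n\r\n<title>ID_VC_Welcome</title>",
     "ssl": {"cert": {"subject": {"O": "Example Corp"}}}},
    {"ip_str": "203.0.113.20", "port": 3389, "transport": "tcp",
     "data": "Remote Desktop Protocol\r\n"},
    {"ip_str": "198.51.100.7", "port": 443, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
    {"ip_str": "198.51.100.7", "port": 25, "transport": "tcp",
     "data": "220 mail.example.com ESMTP Postfix (Ubuntu)\r\n"},
    {"ip_str": "192.0.2.99", "port": 22, "transport": "tcp",   # outside our ranges: ignored
     "data": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3\r\n"},
]


def fetch_results(query):
    """Stand-in for the real call (assumption). With the shodan package this would be
    shodan.Shodan(api_key).search(query)["matches"]; offline we return the sample."""
    return SAMPLE_MATCHES


def in_scope(ip):
    """True if the address falls inside one of our netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETBLOCKS)


def leaked_software(data):
    """Software names/versions an unauthenticated client can read straight from the banner."""
    leaks = []
    for rx in (HEADER_LEAK, SSH_LEAK, SMTP_LEAK):
        leaks.extend(m.strip() for m in rx.findall(data))
    return leaks


def cert_org(match):
    """Organization (O) from the TLS certificate subject, if the engine captured one."""
    return (match.get("ssl") or {}).get("cert", {}).get("subject", {}).get("O")


def review(matches):
    """Turn raw search results into findings for hosts inside our ranges."""
    findings = []
    for m in matches:
        ip, port, proto = m["ip_str"], m["port"], m.get("transport", "tcp")
        if not in_scope(ip):
            continue
        data = m.get("data", "")
        if (port, proto) not in INTENDED:
            findings.append({"ip": ip, "port": port, "kind": "unintended_service",
                             "detail": data.splitlines()[0] if data else ""})
        if VCENTER_MARKER in data:
            findings.append({"ip": ip, "port": port, "kind": "vcenter_exposed",
                             "detail": cert_org(m) or "unknown owner"})
        for leak in leaked_software(data):
            findings.append({"ip": ip, "port": port, "kind": "version_leak", "detail": leak})
    return findings


def summarize(findings):
    """Count findings per kind; useful for tracking the attack surface over time."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = review(fetch_results("net:203.0.113.0/24"))
    for f in results:
        print(f"{f['ip']}:{f['port']}  {f['kind']:<18} {f['detail']}")
    print(dict(summarize(results)))
```

Note that the vCenter host sits on port 443, which is on the allowlist, so an allowlist alone would have passed it; the marker check is what catches it. The same is true of the mail server: port 25 is intended, yet its banner still tells every scanner which MTA and distribution it runs, which is exactly the leak Tip 3 asks you to close.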