Netenrich’s proprietary ASI provides critical authenticated service monitoring. Let’s understand the sheer severity of this issue before we get into how our platform addresses it. Over the last few years, MongoDB, Elasticsearch, and FTP deployments have suffered devastating breaches due to the lack of authentication monitoring.
MongoDB got hit by a devastating ransomware attack in 2017, which ended up affecting over 28,000 databases. The attackers simply took advantage of the fact that many MongoDB servers had their default ports (27017 and 27018) open to the internet with no authentication enabled. This is what they did next:
- The attackers scanned for servers with an open MongoDB port.
- They then attempted to log into MongoDB.
- They took control of the accounts, which required no administrative credentials.
Attackers tend to target AWS Elasticsearch services because they handle large volumes of data. Users can quickly deploy and operate Elasticsearch without the management overhead. However, when clusters are left unprotected on publicly accessible domains, attackers can easily identify and expose them with a search engine such as Shodan.
There are 35,000 Elasticsearch clusters open to attack, of which an estimated 4,600 have been compromised. These clusters include the personally identifiable information (PII) of more than 20 million Ecuadorian citizens, and over 20 million tax records belonging to Russian citizens.
Anonymous authentication is a significant FTP vulnerability: it allows users to log in with only a user name, or anonymously. In 2017, the FBI discovered attackers actively targeting medical and dental facilities using FTP to gain access to protected health information.
The main problems with FTP anonymous authentication are as follows:
- A user’s login credentials (username and password) and the commands used are sent unencrypted, so they are visible and vulnerable to interception.
- Any data sent through FTP or hosted on an anonymous FTP server is vulnerable.
- Weak passwords or anonymous login can easily be exploited to enter the FTP servers and upload malicious files into the system.
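The three exposure patterns above (MongoDB with authorization disabled and bound to every interface, Elasticsearch with security off and reachable from outside, FTP with anonymous login and cleartext sessions) can be caught before a service goes live by auditing its configuration. The Python below is an added example for this post, not Netenrich’s ASI or any vendor’s code: it uses a small hand-written parser for the key/value subset of these config files, and the sample configuration strings are constructed to show each weak setting beside its corrected form. The option names it checks (security.authorization, net.bindIp, net.bindIpAll, xpack.security.enabled, network.host, anonymous_enable, anon_upload_enable, ssl_enable) are the real option names for mongod, Elasticsearch and vsftpd; the finding strings are the example’s own wording.

```python
"""Offline audit of mongod.conf, elasticsearch.yml and vsftpd.conf for
default-or-no-authentication conditions. Added example, not Netenrich's
code; all sample configs below are constructed."""
from typing import Dict, List


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten a YAML subset (nested 'key: value' maps, no lists) into dotted keys."""
    result: Dict[str, str] = {}
    stack: List[tuple] = []  # (indent, key) pairs for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper or sibling scopes
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            result[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return result


def parse_key_equals(text: str) -> Dict[str, str]:
    """Parse vsftpd-style 'key=value' lines."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def audit_mongodb(conf: str) -> List[str]:
    cfg, findings = parse_simple_yaml(conf), []
    # mongod enforces logins only when security.authorization is 'enabled'
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("mongodb: security.authorization is not 'enabled' (no authentication)")
    # mongod 3.6+ binds to localhost by default; 0.0.0.0 or bindIpAll exposes 27017 everywhere
    if "0.0.0.0" in cfg.get("net.bindIp", "127.0.0.1") or cfg.get("net.bindIpAll", "false").lower() == "true":
        findings.append("mongodb: net.bindIp/bindIpAll exposes the service on all interfaces")
    return findings


def audit_elasticsearch(conf: str) -> List[str]:
    cfg, findings = parse_simple_yaml(conf), []
    # the default for xpack.security.enabled varies by version, so require an explicit true
    if cfg.get("xpack.security.enabled", "").lower() != "true":
        findings.append("elasticsearch: xpack.security.enabled is not explicitly true")
    if cfg.get("network.host", "127.0.0.1") in ("0.0.0.0", "_site_", "_global_"):
        findings.append("elasticsearch: network.host binds beyond loopback (9200 reachable remotely)")
    return findings


def audit_vsftpd(conf: str) -> List[str]:
    cfg, findings = parse_key_equals(conf), []
    # vsftpd's built-in default for anonymous_enable is YES; distro configs usually override it
    if cfg.get("anonymous_enable", "YES").upper() == "YES":
        findings.append("vsftpd: anonymous_enable=YES allows login without credentials")
        if cfg.get("anon_upload_enable", "NO").upper() == "YES":
            findings.append("vsftpd: anon_upload_enable=YES lets anonymous users upload files")
    if cfg.get("ssl_enable", "NO").upper() != "YES":
        findings.append("vsftpd: ssl_enable is not YES; credentials and commands travel in cleartext")
    return findings


# Constructed sample configs: the weak setting beside the corrected one.
WEAK_MONGOD = "net:\n  port: 27017\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n"
HARDENED_MONGOD = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
WEAK_ES = "cluster.name: analytics\nnetwork.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED_ES = "cluster.name: analytics\nnetwork.host: 127.0.0.1\nxpack.security.enabled: true\n"
WEAK_VSFTPD = "listen=YES\nanonymous_enable=YES\nanon_upload_enable=YES\n"
HARDENED_VSFTPD = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"

if __name__ == "__main__":
    checks = [("mongod.conf", audit_mongodb, WEAK_MONGOD),
              ("elasticsearch.yml", audit_elasticsearch, WEAK_ES),
              ("vsftpd.conf", audit_vsftpd, WEAK_VSFTPD)]
    for name, auditor, conf in checks:
        for finding in auditor(conf):
            print(f"[{name}] {finding}")
```

Run against the weak samples it reports seven findings and against the hardened ones none; pointing the auditors at real files is a matter of reading them from disk and passing the text in. The parser deliberately handles only flat and nested scalar mappings, which is enough for these three files; a full YAML loader would be the right choice if the configs use anchors or lists.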
How Netenrich monitors authenticated services
With the rise in adoption of hybrid cloud infrastructure, companies need to be doubly careful about how they carry out the transition. Many companies are not aware of how this transition affects their authentication settings. In fact, post-transition, more of these services tend to run on default or even no authentication.
Presently, Fortune 100 and 500 companies tend to opt for expensive and sporadic security audits to learn about these holes in their systems. However, no auditing service provides an all-in-one, comprehensive security investigation and report.
This is where Netenrich’s ASI comes in. Our always-on, 24/7 monitoring keeps an eye on services like Elasticsearch, FTP, and MongoDB and makes sure that you aren’t running on default or no authentication.
Authenticated services mainly fall under the following categories:
When our ASI detects these authentication inconsistencies, it immediately notifies our analysts to double-check the source of the problem. Netenrich analysts first make sure that this isn’t an instance of your company harmlessly sharing some public data. If that isn’t the case, our platform will instantly notify you about the issue and provide remediation recommendations.