MONITORING AUTHENTICATED SERVICES

ASI

Netenrich’s proprietary ASI provides critical authenticated service monitoring. Let’s understand the severity of the problem before we get into how our platform addresses it. Over the last few years, MongoDB, Elasticsearch, and FTP deployments have suffered devastating breaches due to the lack of authentication monitoring.

MongoDB

MongoDB deployments were hit by a devastating ransomware campaign in 2017, which ended up affecting over 28,000 databases. The attackers simply took advantage of the fact that many MongoDB servers had their ports (27017 and 27018) open to the internet with no authentication enabled. This is what they did next:

  • The attackers scanned for hosts with one of these ports open.
  • Following that, they attempted to log into MongoDB.
  • They took control of the accounts, since no administrative credentials were required.

Elasticsearch

Hackers tend to target AWS Elasticsearch services because they hold large volumes of data. Users can quickly deploy and operate Elasticsearch without the management overhead. However, when clusters are left unprotected on publicly accessible domains, attackers can easily identify and expose them with a search engine such as Shodan.

There are 35,000 Elasticsearch clusters open to attack, of which an estimated 4,600 have been compromised. These clusters include the personally identifiable information (PII) of more than 20 million Ecuadorian citizens and over 20 million tax records belonging to Russian citizens.

FTP

Anonymous authentication is a significant FTP vulnerability: it allows anyone to log in without a valid account. In 2017, the FBI discovered hackers actively targeting medical and dental facilities through FTP to gain access to protected health information.

The main problems with FTP anonymous authentication are as follows:

  • A user’s login credentials (username and password) and the commands issued are sent unencrypted, so they are visible to anyone who can observe the traffic.
  • Any data sent through FTP or hosted on an anonymous FTP server is vulnerable.
  • Weak passwords or anonymous login can easily be exploited to enter the FTP server and upload malicious files into the system.

How Netenrich monitors authenticated services

With the rise in adoption of hybrid cloud infrastructure, companies need to be doubly careful about how they carry out the transition. Many companies are not aware of how this transition affects the authentication settings of their services. In fact, post-transition, more of these services tend to run on default or even no authentication.

Presently, Fortune 100 and 500 companies tend to rely on expensive, sporadic security audits to learn about these holes in their systems. However, no auditing services provide an all-in-one, comprehensive security investigation and report.

This is where Netenrich’s ASI comes in. Our always-on, 24x7 monitoring keeps an eye on services like Elasticsearch, FTP, and MongoDB and makes sure that none of them is running with default or no authentication.

Authenticated services mainly fall into the following categories:

Databases

Your MongoDB, Elasticsearch, CouchDB, Cassandra, and similar services fall under this category. All of these are unauthenticated by default and can be easily breached by a malicious entity. Netenrich’s ASI identifies these potential holes via banner grabbing, which gives us the name and version of the software involved. By cross-referencing the results, our expert analysts zero in on potential weak points and notify you instantly about the authentication status of the service in question.

Web Services

Jenkins and repository managers like Nexus and Artifactory are examples of web services. Our ASI detects any authentication-related anomaly here by running our regex rules against the HTTP response headers and response code of these web services. Our expert analysts regularly come across new use cases and patterns, and add them to detect further types of web service running without authentication.
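To make the banner-grabbing and regex-rule approach from the two sections above concrete, here is an added example (not Netenrich's own code) that classifies captured HTTP banners offline. The fingerprint rules and the sample responses are constructed for the demo; the Elasticsearch tagline and the X-Jenkins header are real product behaviours, everything else is an assumption.

```python
import re

def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lowercase headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

# Banner fingerprints (a hypothetical rule set, not Netenrich's): each returns the
# product version when the banner looks like that product, otherwise None.
def fp_elasticsearch(headers, body):
    version = re.search(r'"number"\s*:\s*"([\d.]+)"', body)
    if "You Know, for Search" in body and version:  # Elasticsearch root-URL tagline
        return version.group(1)
    return None

def fp_jenkins(headers, body):
    return headers.get("x-jenkins")  # Jenkins reports its version in this header
FINGERPRINTS = {"elasticsearch": fp_elasticsearch, "jenkins": fp_jenkins}

def classify_auth(raw):
    """Return (service, version, verdict): 'auth_enforced' when the server demanded
    credentials (401/403), 'unauthenticated' when a known product answered an
    anonymous request with 200, else 'unknown' so an analyst can triage by hand."""
    status, headers, body = parse_http_response(raw)
    service, version = None, None
    for name, fingerprint in FINGERPRINTS.items():
        version = fingerprint(headers, body)
        if version:
            service = name
            break
    if status in (401, 403):
        return service, version, "auth_enforced"
    if status == 200 and service:
        return service, version, "unauthenticated"
    return service, version, "unknown"

# Constructed sample banners for the demo (not captured from any real host).
ES_OPEN = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
           '{"cluster_name":"demo","version":{"number":"7.10.2"},'
           '"tagline":"You Know, for Search"}')
ES_LOCKED = ('HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="security"'
             '\r\n\r\n{"error":{"type":"security_exception"}}')
JENKINS_OPEN = ("HTTP/1.1 200 OK\r\nX-Jenkins: 2.401.3\r\nContent-Type: text/html"
                "\r\n\r\n<html>Dashboard</html>")
NGINX_PAGE = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>Welcome</html>"
```

A 200 from an unrecognised product is deliberately reported as unknown rather than unauthenticated, which is the case the text says analysts check by hand before alerting.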

Other Services

Our ASI also monitors other critical services like FTP, SNMP, and Network File System (NFS) shares to detect instances of unauthenticated service. Both FTP and SNMP ship with default authentication settings. Some NFS shares don’t require authentication at all. In fact, an unauthenticated NFS share with write permission can be catastrophic to your organization.

When our ASI detects these authentication inconsistencies, it immediately notifies our analysts to double-check the source of the problem. Netenrich analysts first make sure that this isn’t an instance of your company harmlessly sharing some public data. If that isn’t the case, our platform instantly notifies you about the issue and provides remediation recommendations.

WANT TO LEARN MORE?

Come. Be a part of our Attack Surface Intelligence (ASI) program.
