Advisory: Why You Should (Still) Care About Inbound Network Scans

January 17, 2018

In the light of recent ransomware attack campaigns against Microsoft RDP servers, Cato Research assessed the risk network scanning poses to organizations. Although well researched, many organizations continue to be exposed to this attack technique. Here’s what you can (and should) do to protect your organization.

What is Network Scanning?

Network scanning is a process for identifying active hosts on a network. Different techniques may be used. In some cases, network scanners will use port scans and in other cases ping sweeps. Regardless, the goal is to identify active hosts and their services.

Network scanning is commonly associated with attackers but not every network scan indicates a threat. Some scanners are benign and are part of various research initiatives. The University of Pennsylvania, for example, uses network scanning in the study of global trends in protocol security.  However, while research projects will stop at scanning Internet IP-ranges for potentially open services, malicious actors will go further and attempt to hack or even gain root privilege on remote devices.

What’s Services Are Normally Targeted By Network Scanning?

While some scans target specific organizations, most scans over the Internet are searching for vulnerable services where hackers can execute code on the remote device.

Occasionally, after a new vulnerability in a service is publically introduced, a massive scan for this service will follow. Attackers may try to gain control of IoT devices or routers, control them using a bot that may be used later for DDoS attacks (such as the Mirai botnet) or even cryptocurrencies mining, which are very popular these days.

In addition, hackers may exploit known vectors in websites that serve many users, such as WordPress vulnerabilities. This can be used as a source for drive-by attacks to compromise end-user machines on a large scale

How Widespread Are Network Scanning Attacks?

We’ve seen that some organizations continue to expose services unnecessarily to the world. Those services are being scanned, which  exposes them to attack.

During a two-week period, Cato Research observed scans from thousands of scanners. More than 80% of the scanners originated from China, Latvia, Netherlands, Ukraine or the US (see figure 1).

Figure 1 – Top countries originating scans

When we look at the types of the scanned services, most scans targeted SQL, Microsoft RDP (Remote Desktop Protocol) and HTTP for different reasons (see figure 2). The large number of RDP scans is due to a variety of disclosed vulnerabilities in RDP, exploited by recent ransomware attack campaigns using password-guessing, brute force attacks on Microsoft RDP servers.

As for SQL Servers, it seems like the hunt for databases still exists. Servers running SQL tend to contain the most valuable information from the attacker’s perspective – personal details, phone numbers, and credit card information. This also applies to attacks on web servers, which may store valuable information such as personal information about web-site users, like their email addresses and passwords.

Figure 2 – HTTP, RDP, and SQL were the most scanned services

Recommendations

Organizations should protect themselves from scanning attacks with the following actions:

  1. Whenever possible, the organization should not expose servers to the Internet. They should only make them accessible via the WAN firewall to sites and mobile users connected to Cato Cloud.
  2. In case a server needs to be accessed from the public Internet, we recommend limiting access to specific IP addresses or ranges. This can be easily done by configuring Remote Port Forwarding in the Cato management console. When IP access rules are not enough, consider applying IPS geo-restriction rules to deny any access from “riskier” regions, such as accepting inbound connections from China, Latvia, Netherland or Ukraine.
  3. If none of the above could be set, we recommend using Cato IPS rules to help in blocking various attempts to attack the server.

Network scanning may be a well-known technique but that doesn’t diminish its effectiveness. Be sure to apply these recommendations to prevent attackers from using this technique to penetrate of your network.

 Read about top security websites

Elad Menahem

Elad Menahem

Elad Menahem is the Director of Security at Cato Networks. He served in an elite tech unit in the Israel Defense Forces (IDF) Intelligence Corps and has more than 16 years of cybersecurity expertise. Previously, he was an enterprise security research manager at Trusteer, which was acquired by IBM.