Censys Search Release Notes
This page is the release notes for Censys Search from May 13, 2024 through July 15, 2024. Beginning July 24, 2024, all Censys release notes were moved to the Censys Community.
For Search release notes before May 13, 2024, reference our old release notes article.
July 15, 2024
Rapid Response
- Vulnerability in Exim MTA could allow malicious email attachments past filters (CVE-2024-39929)
  - The following queries can be leveraged to identify Censys-visible, public-facing Exim instances advertising a version in the affected range (4.97.1 and earlier).
  - Censys Search query for potentially vulnerable exposures: services.software: (product="exim" and version: [* to 4.97.1])
  - Censys ASM query for potentially vulnerable exposures: host.services.software: (product="exim" and version: [* to 4.97.1]) or web_entity.instances.software: (product="exim" and version: [* to 4.97.1])
  - Censys ASM risk name query: risks.name="Vulnerable Exim Server [CVE-2024-39929]"
July 8, 2024
Rapid Response
The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:
- regreSSHion RCE vulnerability in OpenSSH Server (CVE-2024-6387)
  - The following queries can be leveraged to identify Censys-visible, public-facing OpenSSH instances advertising a version in the affected range. The Search query additionally excludes distribution builds known to carry a backported fix, since those builds keep the upstream version string and would otherwise match.
  - Censys Search query: services: (software.product: openssh and software.version: [8.5 to 9.8} and not ssh.endpoint_id.comment: {"Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3", "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701"})
  - Censys ASM query: host.services.software: (product: "openssh" and version: [8.5 to 9.8})
  - Censys ASM Risk query: risks.name="Vulnerable OpenSSH [CVE-2024-6387]"
- Polyfill.io supply chain attack
  - Detection with Censys
  - Censys Search query for exposed hosts referencing the malicious polyfill[.]io domain: services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}
  - Censys Search query for exposed hosts referencing one of the additional potentially associated domains: services.http.response.body: {`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}
  - Censys ASM query for exposed hosts referencing the malicious polyfill[.]io domain: host.services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`} or web_entity.instances.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}
  - Censys ASM query for exposed hosts referencing one of the additional potentially associated domains: host.services.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`} or web_entity.instances.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}
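The regreSSHion Search query above is a version-range match with an exclusion list, because Debian, Ubuntu and FreeBSD shipped the fix as a backport without changing the advertised OpenSSH version. The script below is an added example, not part of the Censys release notes or of any Censys tooling: it applies the same decision logic locally to SSH banner strings, for instance from your own asset inventory or a banner grab, so you can reproduce or sanity-check the query's results. The patched-build list is copied from the query above; the banner samples are constructed for this example. As with the query, any build string not in that list is assumed to be unpatched.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# Distribution build strings excluded by the Censys query above: these builds
# carry a backported fix while still advertising an affected upstream version.
PATCHED_BUILDS = {
    "Ubuntu-3ubuntu0.10",
    "Ubuntu-1ubuntu3.6",
    "Ubuntu-3ubuntu13.3",
    "Debian-5+deb11u3",
    "Debian-2+deb12u3",
    "FreeBSD-20240701",
}

# Same bounds as the query's [8.5 to 9.8} range: 8.5 inclusive, 9.8 exclusive.
AFFECTED_MIN = (8, 5)
AFFECTED_MAX_EXCLUSIVE = (9, 8)

# "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3": protocol, upstream version, optional
# portable patch level, optional trailing comment (the ssh.endpoint_id.comment field).
BANNER_RE = re.compile(
    r"^SSH-(?:2\.0|1\.99)-OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(.*))?$"
)


def parse_banner(banner: str) -> Optional[Tuple[int, int, str]]:
    """Return (major, minor, comment) for an OpenSSH banner, or None for anything else."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), (m.group(3) or "").strip()


def in_affected_range(major: int, minor: int) -> bool:
    """True when the upstream version falls inside the query's [8.5, 9.8) window."""
    return AFFECTED_MIN <= (major, minor) < AFFECTED_MAX_EXCLUSIVE


def classify(banner: str) -> str:
    """Mirror the query: in the affected range, minus builds with a known backported fix."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-openssh"
    major, minor, comment = parsed
    if not in_affected_range(major, minor):
        return "outside-query-range"
    if comment in PATCHED_BUILDS:
        return "patched-backport"
    return "potentially-vulnerable"


def triage(banners):
    """Classify every banner; return the per-banner verdicts and a summary count."""
    results = [(b, classify(b)) for b in banners]
    return results, Counter(verdict for _, verdict in results)


# Constructed sample banners for this example; not data from the page or from Censys.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",    # Debian build with the backported fix
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",    # same upstream version, earlier build
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",  # Ubuntu build with the backported fix
    "SSH-2.0-OpenSSH_9.7",                       # vanilla 9.7, no build comment
    "SSH-2.0-OpenSSH_9.8",                       # upper bound is exclusive
    "SSH-2.0-OpenSSH_8.4p1 Debian-5",            # below the query's lower bound
    "SSH-2.0-dropbear_2022.83",                  # not OpenSSH at all
]

if __name__ == "__main__":
    rows, summary = triage(SAMPLE_BANNERS)
    for banner, verdict in rows:
        print(f"{verdict:22s} {banner}")
    print(dict(summary))
```

"outside-query-range" means only that the banner is outside the window the page's query targets, not that the host has been verified safe; a build that carries a backport but advertises a comment string not in the exclusion list is reported as potentially vulnerable, exactly as the query would report it, and needs a package-level check to resolve.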
Fingerprints
Added the following fingerprints:
| Type | Name | Category | Description | Censys Search Query |
|---|---|---|---|---|
| software | NetSupportManager RAT | C2 | A NetSupportManager remote access trojan (RAT) server. | services.software:(vendor='NetSupportManager RAT' and product='NetSupportManager RAT') |
| software | Poseidon C2 | C2 | A Poseidon C2 server. | services.software:(vendor='Poseidon' and product='Poseidon') |
| software | Rod Stealer C2 | C2 | A ROD Stealer C2 server. | services.software:(vendor='ROD Stealer' and product='ROD Stealer') |
| software | Saphira Botnet C2 | C2 | A Saphira Botnet server. | services.software:(vendor='Saphira BotNet' and product='Saphira BotNet') |
| software | XWiki | Open Source Software | XWiki is an open-source wiki software platform. | services.software:(vendor='XWiki' and product='XWiki') |
July 1, 2024
Search
Added the following fingerprints:
| Type | Name | Category | Description | Censys Search Query |
|---|---|---|---|---|
| software | Elkor Web Management | Web Management Interface | A web-based management platform for managing online content and operations. | services.software:(vendor='elkor' and product='Elkor') |
| software | MOVEit Transfer SFTP | Managed File Transfer | An SFTP client for the MOVEit managed file transfer service. | services.software:(vendor='progress' and product='Progress') |
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerability:
- Critical command injection vulnerability in EOL Zyxel NAS models exploited by botnet (CVE-2024-29973)
  - The following query can be leveraged to identify all Censys-visible, public-facing Zyxel NAS326 and NAS542 instances. Note that Censys does not have visibility into firmware versions, so the results include patched and unpatched devices alike.
  - Censys Search query: services.software: (vendor: "Zyxel" and product: {"NAS326", "NAS542"})
June 24, 2024
Search
- Use relative time variables in Search queries to easily find and analyze items based on dynamic time periods that are relative to the current time. The following example queries illustrate how to use this functionality:
- Hosts updated in the past hour: last_updated_at: [now-1h TO *]
- Hosts with CVEs that have a KEV added in the past 6 months: cves.kev.date_added: [now-6M TO *]
- Certificates that were revoked in the past 8 hours: revocation.crl.revocation_time: [now-8h TO *]
Added the following fingerprints:
| Type | Name | Category | Description | Censys Search Query |
|---|---|---|---|---|
| software | Zyxel NAS326 | Network Device | Entry-level network attached storage device for home and small office use by Zyxel. | services.software:(vendor='Zyxel' and product='NAS326') |
| software | Zyxel NAS542 | Network Device | Mid-range network attached storage device by Zyxel. | services.software:(vendor='Zyxel' and product='NAS542') |
| software | ASUS Router | Network Device | Consumer-grade networking router for home and small office use by ASUS. | services.software:(vendor='ASUS') |
| software | DoomedLoader C2 | C2 | Command-and-control server used by the DoomedLoader malware. | services.software:(vendor='DoomedLoader' and product='DoomedLoader') |
| software | Kinsing C2 | C2 | Command-and-control server used by the Kinsing malware. | services.software:(vendor='Kinsing' and product='Kinsing') |
| software | Pupy RAT C2 | C2 | Command-and-control server for Pupy, a remote access trojan. | services.software:(vendor='Pupy RAT' and product='Pupy RAT') |
| software | Responder | Network Device | Network analysis tool used to monitor and respond to network name resolution requests. | services.software:(vendor='Responder' and product='Responder') |
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerabilities:
- Heap overflow vulnerabilities in VMware vCenter Server (CVE-2024-37079 and CVE-2024-37080)
  - Search exposure query for all Censys-visible vCenter HTTP interfaces: services: (software.vendor=`VMware` and software.product=`vCenter`)
  - Search exposure query for all Censys-visible vCenter HTTP interfaces on hosts that also expose DCE/RPC: services: (software.vendor=`VMware` and software.product=`vCenter`) and services.service_name=DCERPC
June 17, 2024
Search
Added the following fingerprints:
Rapid Response
- Monitoring exploitation of PHP vulnerability CVE-2024-4577
  - The Censys Rapid Response team has been tracking active exploitation of this vulnerability. The vulnerability has been rapidly weaponized by the TellYouThePass ransomware group to breach servers and encrypt files since around June 7, 2024. Censys has published a live dashboard tracking publicly exposed infected hosts.
  - Search users can utilize the same queries provided in the June 10, 2024 release notes to investigate this issue.
  - Search exposure query for all Censys-visible public-facing PHP instances running potentially vulnerable versions on Windows: services.software: (product: PHP and (version: [8.3.0 to 8.3.7] or version: [8.2.0 to 8.2.19] or version: [8.1.0 to 8.1.28] or version: [8.0.0 to 8.1.0] or version: [7.0.0 to 8.0.0] or version: [5.0.0 to 6.0.0])) and operating_system.product: Windows
June 10, 2024
Search
- Manage vulnerabilities and monitor your threat landscape with new searchable CVEs in host datasets.
- Censys CVE data in Search enriches host data with known CVE information (including CVSS, EPSS, and KEV data) for operating systems, software, and hardware.
- Threat hunting teams can leverage this data for proactive threat mitigation, compliance, reporting, and gaining greater visibility into the threat landscape.
- To learn more about this feature, please contact your Censys team representative.
- Added support for the following L7 protocols:
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerabilities:
- PHP-CGI argument injection vulnerability (CVE-2024-4577)
  - Search exposure query for all Censys-visible public-facing PHP instances running potentially vulnerable versions on Windows: services.software: (product: PHP and (version: [8.3.0 to 8.3.7] or version: [8.2.0 to 8.2.19] or version: [8.1.0 to 8.1.28] or version: [8.0.0 to 8.1.0] or version: [7.0.0 to 8.0.0] or version: [5.0.0 to 6.0.0])) and operating_system.product: Windows
- Authentication bypass vulnerability in Progress Telerik Report Server (CVE-2024-4358)
  - Search exposure query for all Censys-visible, public-facing Telerik Report Server gateways: services.software.vendor:"Progress Software" and services.software.product:"Telerik Report Server"
June 3, 2024
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerability:
- Unauthenticated remote code execution in South Korean Telesquare routers (CVE-2024-29269)
  - Censys Search query to find exposed Telesquare instances: services.software: (vendor:"Telesquare" and product:"TLR-2005KSH")
May 28, 2024
Search
- Added improved detection for web application firewalls.
- Use the following query for these services: services.labels="web-application-firewall"
Rapid Response
- Active exploitation of NextGen Healthcare Mirth Connect platform
  - Censys Search query for all exposed Mirth Connect instances: services.software.product="Mirth Connect" and not services.labels={tarpit, honeypot, truncated}
  - Note that this query does not pinpoint vulnerable instances; those leveraging it will need to further investigate the software versions of Mirth Connect running on their machines.
May 20, 2024
Search
- Released an update to our scanning process that will improve the detection of login pages. When our scanning infrastructure follows an HTTP redirect, it will no longer strip trailing slashes, resulting in more accurate detection of these types of resources.
- Added support for the following new L7 protocols:
May 13, 2024
Search
- Added support for identifying iSCSI (Internet Small Computer Systems Interface) services.
- Use this Search query to discover these services: services.service_name="ISCSI"
- Added improved detection for gaming-related services using the “gaming” service label.
- Example query using this label: services.labels="gaming"
- Added whois.network.(allocation_type|created|updated) fields.
- Example query for these fields: whois.network.allocation_type: "REALLOCATION"
- Added support for the following L7 protocols:
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerabilities:
- Three Cisco ASA and FTD vulnerabilities
  - Censys Search query for exposed Cisco ASA devices: services.software.product="Adaptive Security Appliance"
- Four ArubaOS vulnerabilities
  - Censys Search query for exposed ArubaOS devices: services.software: (vendor:"Aruba Networks" and product:"ArubaOS")
- Tinyproxy use-after-free vulnerability
  - Censys Search query for exposed Tinyproxy: services.software: (vendor="Tinyproxy Project" and product="Tinyproxy") and not labels=`tarpit`