Censys-Identified Risks (Reference)

• Credential Theft: Obtaining user or client credentials through various methods.

• Credential Stuffing: Trying stolen credential combinations against services requiring authentication in order to gain access.

• Data Loss: Exposure or loss of internal, system-wide, or customer data.

• Information Leakage: Exposure of internal business or technical information to attackers doing reconnaissance.

• Malware and Ransomware: Any software designed to cause damage to an organization’s service(s). Ransomware is used to seize data or services and demand payment in order to get them back.

• Security Control Bypass: Weaknesses in security implementations that attackers can bypass easily to access sensitive information or systems.

• Service Interruption: An inability to provide an intended service because the application has been compromised or overwhelmed with requests.

• Social Engineering: Leveraging psychological knowledge to trick people into divulging confidential information or performing actions in a system that an attacker cannot do themselves.

• System Compromise: Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.

• AMQP (Categories: Information Leakage, Service Interruption) - Unencrypted AMQP services could be used to steal information or disrupt services.
• Bacnet (Categories: Information Leakage, Service Interruption) - Only newer versions of this building automation and control protocol have improved security measures. Most allow attackers to disrupt business services easily.

• CWMP (Categories: Data Loss, Service Interruption) - Unless TLS is enabled, this remote management protocol is vulnerable to man-in-the-middle attacks that allow attackers to steal sensitive information and disrupt services.

• DNP3 (Categories: Information Leakage, Service Interruption) - This vulnerable protocol allows attackers to run denial-of-service, man-in-the-middle, and time-manipulation, and alarm-suppression attacks.
• DNS (Categories: Information Leakage, Service Interruption) - DNS servers can be easily overwhelmed by requests, and are common targets of distributed denial of service (DDoS) attacks.
• Elasticsearch (Category: Data Loss) - Databases can hold sensitive data, which an attacker can freely access with stolen or brute-forced credentials.
• FOX (Categories: Information Leakage, Service Interruption) - The Niagara Fox protocol is unencrypted, which means that credentials can easily be intercepted by an attacker to gain access and disrupt services.

• FTP (Categories: Credential Theft, Credential Stuffing) - FTP is usually unencrypted, which means that credentials can easily be intercepted by an attacker. Most FTP servers also accept credential retries over and over.

• IMAP (Categories: Data Loss, Social Engineering) - This unencrypted protocol means credentials and sensitive data can be intercepted by attackers easily.
• IMAPS (Categories: Data Loss, Social Engineering) - Unless a modern TLS suite is enabled, this protocol is susceptible to man-in-the-middle attacks, that allow attackers to steal sensitive information, including credentials.
• Intel AMT (Categories: Malware and Ransomware, Credential Stuffing, Data Loss) - Attackers with stolen or brute-forced credentials have remote access to files and devices on the same network.
• IPMI (Categories: Information Leakage, Service Interruption)- IPMI allows control over servers at the operating system level, so attackers with stolen or brute-forced credentials gain almost complete control over infrastructure.
• IPP (Categories: Information Leakage, Service Interruption) - Unless enabled, IPP is not encrypted, so attackers with stolen or brute-forced credentials have remote access to devices on the same network.
• Kubernetes (Categories: Service Interruption) - This protocol enables control over infrastructure, something an attacker can use to take your services offline.
• Memcached (Category: Data Loss)- Databases can hold sensitive data, which an attacker can freely access with stolen or brute-forced credentials.
• Modbus (Categories: Information Leakage, Service Interruption) - Traffic sent via this protocol is unencrypted, allowing attackers to easily perform reconnaissance attacks on your network if this protocol is exposed.
• MongoDB (Category: Data Loss) - Databases can hold sensitive data, which an attacker can freely access with stolen or brute-forced credentials.
• MQTT (Categories: Information Leakage, Service Interruption) - Unencrypted MQTT services could be used to steal information or disrupt services.
• MSSQL (Category: Data Loss) - Databases can hold sensitive data, which an attacker can freely access with stolen or brute-forced credentials.
• MySQL (Category: Data Loss) - Databases can hold sensitive data, which an attacker can freely access with stolen or brute-forced credentials.
• NTP (Category: Service Interruption) - NTP servers are common targets of distributed denial of service (DDoS) attacks, and if misconfigured, may introduce vulnerabilities related to time synchronization.
• Oracle (Category: Data Loss) - Databases can hold sensitive data, which an attacker can freely access with stolen or brute-forced credentials.
• PCA (Categories: Credential Stuffing, Malware and Ransomware) - This remote administration software, which has several CVEs, would allow attackers to take over the computer with this connection exposed.
• POP3 (Categories: Data Loss, Social Engineering) - This unencrypted protocol means credentials and sensitive data can be intercepted by attackers easily.
• POP3S (Categories: Data Loss, Social Engineering) - Unless a modern TLS suite is enabled, this protocol is susceptible to man-in-the-middle attacks, that allow attackers to steal sensitive information, including credentials.
• Postgres - (Category: Data Loss) Databases can hold sensitive data, which an attacker can freely access with stolen or brute-forced credentials.
• Prometheus (Categories: Data Loss, Information Leakage, Service Interruption) - This protocol is designed to be used on trusted networks with trusted clients. Attackers with network access to Prometheus can run arbitrary SQL against its database.
• RDP (Categories: Credential Stuffing, Malware and Ransomware, Service Interruption) - This remote access protocol allows attackers with stolen or brute-forced credentials to control the server with this connection exposed.
• Redis (Category: Data Loss) -Databases can hold sensitive data, which an attacker can freely access with stolen or brute-forced credentials.
• S7 (Categories: Information Leakage, Service Interruption, Credential Theft) - Many Siemens SIMATIC product versions are vulnerable, allowing attackers to carry out denial-of-service attacks or steal credentials.
• SMB (Categories: Malware and Ransomware, Credential Stuffing, Data Loss) - Attackers with stolen or brute-forced credentials have remote access to files and devices on the same network.
• SMTP (Categories: Data Loss, Social Engineering) - This protocol is vulnerable to data theft, spam, phishing, malware, and denial-of-service attacks.
• SNMP (Categories: Information Leakage, Service Interruption) - This protocol is unencrypted and can be used by attackers to identify and control your devices.
• SSH (Categories: Credential Stuffing, Malware and Ransomware) - Most SSH servers accept credential retries over and over, giving attackers many chances to gain access to remote servers.

• Telnet (Categories: Credential Stuffing, Malware and Ransomware) - Telnet is usually not encrypted. Attackers can sniff credentials and other sensitive data sent over this protocol.

• VNC (Categories: Credential Stuffing, Malware and Ransomware) - Stolen or brute-forced VNC credentials allow attackers to take over the computer with this connection exposed.

Other Risks

Other risks that the Censys ASM platform identifies include:

Software

• End of life software (Categories: Malware and Ransomware, System Compromise) - Software versions that are no longer supported by their vendor and do not receive security patches.

Storage Buckets

• Exposed storage buckets (Categories: Credential Theft, Information Leakage) - Storage buckets with loose read, write, or accessibility settings that may unnecessarily expose data.

TLS

• Insecure TLS versions (Category: System Compromise) - Old TLS versions (v1.0, v1.1) that are not secure and may leave communications open to man-in-the-middle attacks.
• Insecure TLS cipher suites (Category: System Compromise) - Weak cipher suites that are not secure and may leave communications open to man-in-the-middle attacks.

Weak Login Pages

• Unencrypted login pages (Categories: Credential Theft, Security Control Bypass)- A service guarded by login without TLS encryption, leaving credentials available in plain text for theft.
• Login pages missing CSP (Category: Credential Theft, Malware and Ransomware, Security Control Bypass) - A service guarded by login that does not specify a Content Security Policy header, leaving this page open to attacks such as Cross Site Scripting (XSS).
• Weak auth pages (Category: Credential Theft, Malware and Ransomware, Security Control Bypass) - A service guarded by login that uses basic or digest authentication, leaving credentials available in plain text for theft.
• Unencrypted weak auth pages (Category: Credential Theft, Malware and Ransomware, Security Control Bypass) - A service guarded by login that uses basic or digest authentication without TLS encryption, leaving credentials available in plain text for theft.