dinCloud Detects APT Attack – SHODAN ICS Survey


Last week, dinCloud’s advanced security detected traffic that triggered our internal alerts. Via dinCloud’s advanced security, which includes dedicated VPNs, dedicated firewalls, BGP routing, internal IPS and internet-flowing traffic inspection – dinCloud detected suspicious traffic emanating from dinCloud servers and HVDs (dinCloud inspects both inbound and outbound traffic).

dinCloud Detects Suspicious Traffic from an Outsider

On this particular day, Farhan Mirza, dinCloud’s director of field services, noticed that a single IP address was performing a large number of scans against dinCloud hosted devices. The pattern was reflective of a malicious scan. (See image #1)

Image #1 – dinCloud recognized that an external IP address was scanning dinCloud hosted resources

The dinCloud technician was able to recognize this via the automatic reports that are generated by dinCloud security tools. In this case, the tool was Threatsop, a product that dinCloud deploys to inspect all inbound and outbound traffic.
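The pattern the technician picked out of the reports, one source address touching many distinct hosts and ports in a short time, is simple to flag directly from firewall or flow logs. The script below is an added example and is not dinCloud’s tooling or Threatsop output; the log line format, the IP addresses, the port list and the threshold are all constructed for this illustration. It counts distinct destination host:port pairs per source inside a sliding time window, so a busy but legitimate client that hammers one service is not flagged, while a sweep across many ports or hosts is.

```python
"""Flag source IPs whose connection pattern looks like a host/port sweep.

Added example, not dinCloud's product code. The log format below is an
assumption (syslog-style, one connection attempt per line):
  2018-10-03T09:12:01Z src=203.0.113.7 dst=10.20.0.14 dport=502 proto=tcp action=deny
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, (dst_ip, dport)); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], (m["dst"], int(m["dport"]))


def detect_scanners(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {src_ip: peak distinct (dst, port) count} for every source that,
    within any single `window`, touched more than `threshold` distinct targets."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e[0])          # tolerate out-of-order log lines
    recent = defaultdict(deque)              # src -> (ts, target) inside the window
    peak = {}
    for ts, src, target in events:
        q = recent[src]
        q.append((ts, target))
        while q and ts - q[0][0] > window:   # evict attempts older than the window
            q.popleft()
        distinct = len({t for _, t in q})    # distinct host:port pairs, not raw hits
        if distinct > threshold:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak


def _sample_lines():
    """Constructed log lines: one sweep, one chatty but benign client, one slow probe."""
    base = datetime(2018, 10, 3, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Sweep: one source hits 12 distinct ports across 3 hosts in two minutes.
    ports = [21, 22, 23, 80, 102, 443, 502, 1911, 20000, 44818, 47808, 3389]
    for i, port in enumerate(ports):
        ts = (base + timedelta(seconds=10 * i)).strftime(fmt)
        host = f"10.20.0.{10 + i % 3}"
        lines.append(f"{ts} src=203.0.113.7 dst={host} dport={port} proto=tcp action=deny")
    # Benign client: 15 connections to a single web server (1 distinct target).
    for i in range(15):
        ts = (base + timedelta(seconds=7 * i)).strftime(fmt)
        lines.append(f"{ts} src=198.51.100.5 dst=10.20.0.10 dport=443 proto=tcp action=allow")
    # Slow probe: 6 targets now and 6 more three hours later, never >10 in one window.
    for i in range(12):
        ts = (base + timedelta(hours=3 * (i // 6), seconds=5 * i)).strftime(fmt)
        lines.append(f"{ts} src=192.0.2.9 dst=10.20.0.{30 + i} dport=80 proto=tcp action=deny")
    lines.append("garbage line that the parser should ignore")
    return lines


if __name__ == "__main__":
    for src, n in detect_scanners(_sample_lines()).items():
        print(f"ALERT: {src} touched {n} distinct host:port targets within 5 minutes")
```

With the default threshold only the sweeping source is reported; lowering the threshold to 5 also surfaces the slow probe, which is the trade-off to make deliberately, since a low threshold catches slow scans but raises the noise from legitimate multi-host clients.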

The dinCloud Security Staff Took Action

The dinCloud security technician immediately began monitoring all traffic from this IP address and, at the same time, sent an e-mail to the hosting party of the malicious “infected” server. (See Image #2)


Image #2: SecureAuth security staff notified the “offending” service provider of the machine “attacking” dinCloud resources.

And it Turns Out…

It was not a malicious server but one of the “Good Guys”. In fact – it’s a real good guy. It was one of John Matherly’s servers, which was running the SHODAN search engine. The SHODAN project is the tool that surveys Industrial Control Systems (ICS) – to ensure they are NOT vulnerable to terrorist attacks.

Matherly himself:

“The project is called Shodan and the data has already been actively used by various organizations around the world for free (the data is made available for free to academic/non-profit institutions). Here’s an example of a researcher finding tens of thousands of critical infrastructure devices online, which were then reported to the regional CERTs before the research was published (http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/). There’s also an article in the Washington Post about me and Shodan that explains the project and how it’s been used a bit further: http://www.washingtonpost.com/investigations/cyber-search-engine-exposes-vulnerabilities/2012/06/03/gJQAIK9KCV_story.html”


Image #3: John Matherly’s program, SHODAN, helps identify vulnerable Industrial Control Systems (ICSes).

Both SHODAN and dinCloud are Doing Their Jobs

In summary, just as John Matherly is doing his job by detecting insecure U.S. infrastructure, dinCloud is doing its job detecting suspicious traffic attempting to enter (and leave) dinCloud’s cloud.

Contact us – and we’ll give you a demo! All the best! Cloud on!

For more information on our Cloud security, please visit our Cloud Security page or request information to speak with a cloud specialist.

2018-10-10T14:54:21+00:00