CHECK POINT THREAT ALERT: SHODAN
ByCheck Point Research Team
EXECUTIVE SUMMARY
- Shodan (https://www.shodan.io/) is a search engine that uses a variety of filters to find devices, such as computers, routers, and servers, which are connected to the Internet.
- Shodan collects data mostly on web servers (HTTP port 80), but there is also data about FTP (21), SSH (22), Telnet (23), SNMP (161) and SIP (5060) services.
- Shodan is often dubbed as “Google for hackers”, as it exposes vulnerable devices.
DESCRIPTION
- Shodan is a scanner which can find systems connected to the Internet, including traffic lights, security cameras, home heating systems and baby monitors, as well as SCADA system such as gas stations, water plants, power grids and nuclear power plants. Many of these systems have a number of vulnerabilities and very little security in place.
- Shodan can identify the physical location of any Internet-connected equipment, as well as its IP address, and often even what type of software it’s running.. This provides sufficient information for hackers to carry out targeted attacks.
- A massive data hack in the UK, attributed to Shodan scans, exposed sensitive data including family photographs, medical records and bank statements. This was due to security flaws in Iomega hard drives which were used to back up personal and business data.
CHECK POINT IPS PROTECTIONS
- Shodan “crawls” the Internet for publicly accessible devices, looking for specific IP addresses and hosts (see Appendix).
- Blocking these IP addresses is not enough, as similar scanners are used by hackers seeking other IPs.
- To fill these gaps, Check Point provides the following IPS protections:
- Shodan.io Internet Of Things Portal
- Shodan Scanner ISAKMP Request
- Shodan Scanner SIP Request
Shodan Scanner BACNET Request - Shodan Scanner GTP Request
- Shodan Scanner ENIP Request
These protections search for specific patterns in the SYN request that characterize Shodan and similar scanners.
REFERENCES
- Shodan: https://en.wikipedia.org/wiki/Shodan_(website)
- Shodan in the news:
- http://www.dailymail.co.uk/news/article-3207396/Thousands-exposed-massive-new-data-hack-s-not-just-adulterers-outed-web-PC-hard-drive-risk-Google-hackers.html
- http://www.computerworld.com/article/3016072/security/13-million-mackeeper-users-exposed-by-shodan-search-no-password-or-hacking-required.html
APPENDIX – SHODAN HOST NAMES AND IP ADDRESSES
IP Host Name
93.120.27.62 m247.ro.shodan.io
85.25.43.94 rim.census.shodan.io
85.25.103.50 pacific.census.shodan.io
82.221.105.7 census11.shodan.io
82.221.105.6 census10.shodan.io
71.6.167.142 census9.shodan.io
71.6.165.200 census12.shodan.io
71.6.135.131 census7.shodan.io
66.240.236.119 census6.shodan.io
66.240.192.138 census8.shodan.io
198.20.99.130 census4.shodan.io
198.20.70.114 census3.shodan.io
198.20.69.98 census2.shodan.io
198.20.69.74 census1.shodan.io
188.138.9.50 atlantic.census.shodan.io
You may also like
November 2024’s Most Wanted Malware: Androxgh0st Leads the Pack, Targeting IoT Devices and Critical Infrastructure
Check Point Software’s latest threat index highlights the rise of ...
The Exploitation of Gaming Engines: A New Dimension in Cybercrime
Executive Summary Check Point Research discovered a new technique using ...
Navigating the Evolving Threat Landscape Ahead of Black Friday
As Thanksgiving and Black Friday approach, so do the risks ...
Spotlight on Iranian Cyber Group Emennet Pasargad’s Malware
Executive Summary On October 21, 2024, multiple emails impersonating the ...