
Criminal IP recently confirmed that the internal management system of a South Korean restaurant chain was exposed. The management system, which should be accessible only from within the organization, was exposed to the outside, allowing hackers to easily access internal systems. This article aims to introduce methods for detecting and preventing the exposure of internal management systems and CCTV using OSINT-based threat intelligence tools.
Detecting Internal Management System Exposure With Threat Intelligence Tools
Internal management systems, such as ERP and CRM, play a crucial role in managing important corporate data and optimizing business operations. However, due to the sensitive nature of personal and corporate information they handle, these systems are prime targets for hackers. Furthermore, if such systems are exposed externally, hackers can potentially steal critical information or exploit the system to install malicious software. For instance, the internal management system in this case contained sensitive details such as sales data, customer visit records, and other confidential information.

To analyze why the system was exposed publicly, we will introduce queries using a threat intelligence tool to verify the exposure of internal management systems. A search for the system’s IP address on Criminal IP revealed that port 12000, which is assigned for PLC tags, is open. The PLC tag is assigned to control software that can automate logical tasks such as on-off switches, temperature control, location tracking, sequencing, and calculations. Since the system was automated, Criminal IP classified it as PLC. In addition, the title of the system page was set in the format of ‘~ Management System’.

The detection results show that the port operating the management system was open, allowing external access. In such cases, it is crucial to immediately close the port to block external access. However, even a month after the discovery, the port for the affected service was still found to be open. This case allows us to identify the query that reveals exposed internal management systems.
While it is possible to search using either tag: "PLC" or title: "Management System" individually, combining the two narrows the search scope and can be more effective in identifying exposed systems like the case above. The title filter alone yields a total of 228,549 detections, while searching for tag: "PLC" yields more than 60,000 exposed IP addresses. Combining the two queries yields more than 54,000 results.

Identifying Exposure Risks in Network-Connected CCTV Systems
In addition to internal management systems, CCTV (Closed-circuit television) cameras are also a significant risk for external exposure. Particularly, IP cameras connected to networks are often subject to privacy breaches due to exposed video feeds. Criminal IP has previously reported cases such as CCTV leaks from a plastic surgery clinic in Gangnam and directories of spy cameras from China. Similar to management systems, externally exposed CCTV cameras can also be identified through simple tag searches.

Searching by the IP camera tag, which is assigned to webcams, CCTVs, and similar devices, reveals a total of more than 10,000 exposed IP camera servers. Among the exposed IP cameras were servers with multiple vulnerabilities, with the system login page and exploit code exposed to the public, making them extremely vulnerable.
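
The same filters can be applied to scan results for an organization's own address space as part of a regular assessment. The following is an added example, not code from Criminal IP or from the original article: it applies the combined PLC tag and "Management System" title condition, plus the IP camera tag, to constructed sample records. The record field names, owned ranges, and approved-service list are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: records from an external scan, shaped as dicts.
# Field names (ip, port, tags, title) are assumptions for this example,
# not a Criminal IP export format. Addresses are documentation ranges.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "port": 12000, "tags": ["PLC"], "title": "Store Management System"},
    {"ip": "203.0.113.11", "port": 443, "tags": [], "title": "Corporate Home"},
    {"ip": "203.0.113.12", "port": 8080, "tags": ["IP camera"], "title": "Login"},
    {"ip": "203.0.113.13", "port": 80, "tags": ["plc"], "title": "Status"},
    {"ip": "198.51.100.7", "port": 12000, "tags": ["PLC"], "title": "Management System"},
    {"ip": "203.0.113.14", "port": 443, "tags": ["IP Camera"], "title": "Lobby cam"},
]

OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical owned range
APPROVED_PUBLIC = {("203.0.113.14", 443)}  # hypothetical intentionally public service


def classify(record):
    """Return the finding type for a record, or None if no rule matches."""
    tags = {t.lower() for t in record.get("tags", [])}
    title = record.get("title", "").lower()
    # Combined condition from the article: PLC tag AND "Management System" title.
    if "plc" in tags and "management system" in title:
        return "internal management system"
    if "ip camera" in tags:
        return "IP camera"
    return None


def audit(records, owned=OWNED_RANGES, approved=APPROVED_PUBLIC):
    """List exposures on owned addresses that are not on the approved list."""
    findings = []
    for rec in records:
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in net for net in owned):
            continue  # out of scope: only assess address space you own
        if (rec["ip"], rec["port"]) in approved:
            continue  # exposure is intentional and documented
        kind = classify(rec)
        if kind:
            findings.append((rec["ip"], rec["port"], kind))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, kind in audit(SAMPLE_RECORDS):
        print(f"{ip}:{port} exposed {kind}: restrict at the firewall and re-scan")
```

Re-running the audit after each firewall change shows whether a flagged port has actually been closed.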

While the exposure of the management system alone is a big risk, many open ports and vulnerabilities that administrators may not be aware of are frequently identified through threat intelligence tools. Given that the internal management systems and CCTV discussed in this article are prime targets for attackers, it is essential to implement regular network assessments, configure firewalls, and block unnecessary ports to prevent external exposure. Additionally, a system should be in place to monitor logs and respond immediately to suspicious activity.
Threat intelligence tools like Criminal IP can help check internal management systems and CCTV for exposure, while automated monitoring and risk management through attack surface management solutions also play a big role in quickly identifying external threats. Finally, if a port is unintentionally opened or potential external threat pathways are discovered, it is vital to promptly block these intrusion vectors.
For further information, you can refer to Brickstream’s ‘Authentication-Less’ People Counting System Leaves Camera and Settings Pages Unprotected article.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Source: Criminal IP (https://www.criminalip.io/)
