
Global OSINT Analysis of Exposed Critical Digital Assets: Redis, phpMyAdmin, Dev, and More

This article is based on an analysis shared by the Twitter-based threat intelligence specialist, Clandestine.

As cyber threats continue to grow more sophisticated in today’s digital landscape, an increasing number of critical digital assets are becoming externally exposed and targeted by attackers. In this environment, continuously identifying external exposure and emerging threats is essential, as is proactively identifying vulnerable assets before they become targets for attackers.

In this post, we present the results of a global Open Source Intelligence (OSINT) investigation aimed at identifying and analyzing the exposure of critical digital assets on the internet. The investigation focused on 7 high-risk service categories, revealing a massive attack surface of more than 330,000 exposed instances worldwide.

Global Exposure Overview

Chart image of Global Exposure Overview by Criminal IP Asset Search

Using Criminal IP Asset Search to analyze globally exposed assets across selected categories, the results can be summarized as follows.

| # | Exposure Category | Criminal IP Asset Search Query | Search Results |
|---|---|---|---|
| 1 | Dev/Staging | title:dev OR title:staging OR title:test AND port:443 | 136,612 |
| 2 | Kubernetes Dashboard | title:"Kubernetes Dashboard" AND port:8443 | 140 |
| 3 | Grafana Dashboard | title:Grafana AND port:3000 AND status_code:200 | 87,213 |
| 4 | Elasticsearch | product:Elasticsearch AND port:9200 | 15,991 |
| 5 | Redis | product:Redis AND port:6379 | 46,583 |
| 6 | Jenkins CI/CD | product:Jenkins AND port:8080 | 241 |
| 7 | phpMyAdmin | title:"phpMyAdmin" AND status_code:200 | 48,428 |

Detailed Results and Analysis by Category

1. Exposed Development and Staging Environments

Development, staging, and test environments are primary targets for attackers because they are inherently less secure than production. The search results revealed that these environments are globally distributed, with a high concentration in the United States and Asia Pacific. They often contain real production data, weak credentials, and debug mode left enabled, representing a critical risk of data exposure and an entry point for more sophisticated attacks worldwide.

Criminal IP Asset Search results for exposed Development and Staging Environment assets

Criminal IP Search Query: title:dev OR title:staging OR title:test AND port:443

2. Exposed Kubernetes Dashboards

The exposure of Kubernetes Dashboards is one of the most critical vulnerabilities in cloud environments. The search results identified 140 exposed dashboards, with China leading the exposure, followed by Germany and the United States. The exposure of ports like 2379 and 10250 along with the dashboard allows for complete control of the cluster, exfiltration of secrets, and remote code execution, enabling ransomware, cryptojacking and supply chain attacks on a global scale.

Criminal IP Asset Search results for exposed Kubernetes Dashboards

Criminal IP Search Query: title:"Kubernetes Dashboard" AND port:8443

3. Exposed Grafana Servers

Exposed Grafana servers pose a massive risk of business and infrastructure intelligence leakage. The results identified 87,213 instances globally. Exploitation of vulnerabilities like CVE-2021-43798 can lead to arbitrary file reading and extraction of data source credentials, impacting organizations worldwide.

Criminal IP Asset Search results for exposed Grafana servers

Criminal IP Search Query: title:Grafana AND port:3000 AND status_code:200

4. Exposed Elasticsearch

Exposed Elasticsearch is a classic vector for mass data breaches. The results identified 15,991 instances globally. Some Elasticsearch assets are exposed without authentication, which allows attackers to access, modify, or delete all stored data. Exploitation of vulnerabilities like CVE-2014-3120 (RCE) can lead to full server control.

Criminal IP Asset Search results for exposed Elasticsearch

Criminal IP Search Query: product:Elasticsearch AND port:9200

5. Exposed Redis Assets

Exposed Redis is a critical risk due to its ability to execute commands on the underlying operating system. The results identified 46,583 instances related to Redis worldwide. Attackers can use Redis to write web shells, add SSH keys to authorized_keys for persistent access, or use the server as a pivot for internal network attacks.

The extraction of session and cache data is also a significant global risk.

Criminal IP Asset Search results for exposed Redis assets

Criminal IP Search Query: product:Redis AND port:6379

6. Exposed Jenkins Servers

Exposed Jenkins is a high-impact supply chain attack vector. The results identified 241 instances globally. If unauthorized access to Jenkins occurs, it can lead to the theft of source code, production credentials, and the injection of malicious code into build pipelines, compromising the entire software development chain. Exploitation of CVE-2024-23897 is a common technique to extract credentials and initiate more complex attacks.

Criminal IP Asset Search results for exposed Jenkins servers

Criminal IP Search Query: product:Jenkins AND port:8080

7. Exposed phpMyAdmin

phpMyAdmin remains one of the most popular targets for attackers due to its prevalence and the frequency of weak or default credentials. The results identified 48,428 instances.

Criminal IP Asset Search results for exposed phpMyAdmin

Criminal IP Search Query: title:"phpMyAdmin" AND status_code:200

Conclusion

These results demonstrate the vast global attack surface presented by critical services exposed on the internet. The ease with which these assets can be identified using OSINT tools like Criminal IP underscores the need for a proactive security posture.

Mitigation recommendations for all categories include:

  1. Never expose management interfaces to the internet: Use VPNs, IP whitelisting, or authentication proxies.
  2. Implement strong authentication: Disable anonymous access and use multi-factor authentication (MFA).
  3. Keep software updated: Apply security patches to fix known CVEs.
  4. Principle of least privilege: Configure RBAC and ensure service accounts have minimum permissions.
  5. Continuous monitoring: Use attack surface management (ASM) tools like Criminal IP ASM to detect exposures in real-time.
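The Redis exposure described in section 5 and mitigation points 1, 2 and 4 above, as an added example that is not code from Criminal IP or the post's author: a small Python audit of a redis.conf that flags the settings that make an instance reachable and abusable, run against constructed weak and hardened samples. The list of commands to rename and the placeholder password are assumptions.

```python
"""Audit a redis.conf for the exposure weaknesses described in the post.
Added example, not code from Criminal IP or the post's author; the sample
configs below are constructed and the password value is a placeholder."""
from typing import Dict, List

# Commands a remote client can abuse once it reaches an open Redis: CONFIG can
# change where the RDB file is written (the file-write path behind the web-shell
# and authorized_keys abuse above); the others wipe data or hijack replication.
# Hardening guides disable them with rename-command.
DANGEROUS_COMMANDS = ("CONFIG", "DEBUG", "FLUSHALL", "FLUSHDB", "SLAVEOF", "REPLICAOF")
ALL_INTERFACES = {"0.0.0.0", "::", "*", "::*"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its values; a directive such as rename-command may repeat."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return findings for the checked weaknesses; an empty list means none were found."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    bind = conf.get("bind", ["0.0.0.0"])[-1]  # no bind line at all: every interface
    if any(a.lstrip("-") in ALL_INTERFACES for a in bind.split()):
        findings.append(f"bind {bind}: listening on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    if not conf.get("requirepass", [""])[-1].strip('"'):
        findings.append("requirepass unset: no authentication required")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    findings += [f"{c} not renamed or disabled" for c in DANGEROUS_COMMANDS if c not in renamed]
    return findings


# Constructed samples: the exposed shape behind the search results vs. a hardened one.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = (
    "bind 127.0.0.1 -::1\nprotected-mode yes\nport 6379\n"
    'requirepass "PLACEHOLDER_STRONG_PASSWORD"\n'
    + "".join(f'rename-command {c} ""\n' for c in DANGEROUS_COMMANDS)
)
```

Redis 6 ACL `user` directives are not evaluated, so a deployment that relies on ACLs instead of requirepass will show a false finding on that check.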

In the modern cybersecurity landscape, correlating data across different queries can reveal attacker infrastructures and ongoing attack campaigns on a global scale. Organizations also need to go beyond conventional security practices and shift toward approaches that emphasize continuous management of the external attack surface.

In relation to this, you can refer to Criminal IP Dorks Cheat Sheet: A Practical Guide to Threat Intelligence Queries (Part 1).

Source: Criminal IP(https://www.criminalip.io/), MITRE. Common Vulnerabilities and Exposures (https://www.cve.org/)

Related Article: https://www.criminalip.io/knowledge-hub/blog/28330