Who’s knocking on my Ports ?
Preventing Costly mistakes in Server configuration
One of the most pervasive and destructive hazards that internet users now must deal with is ransomware. This is a family of malware that encrypts files stored on a computer or network drive and demands ransom to decrypt them.
A ransomware assault starts by infecting your device and running its files. The executable files connect to the criminal’s Command and Control (C&C) server and provide information about the host device as soon as they are run, either by the user or by another malicious program. Known as call home or C2 traffic, this connection typically employs the HTTP or HTTPS protocols on port 80 or 443.
For e.g. oOn an AWS EC2 instance, opening port 80 and forgetting to close it can result in unanticipated costs and possible security problems. It’s critical to comprehend the effects of such behaviour and take preventative measures to avoid reoccurring situations.
The most popular way for ransomware to infect a victim’s device is through spam email that contains a malicious attachment. It’s crucial to remember that infected attachments are typically Downloaders rather than ransomware. Their task is to establish a connection to the offender’s server and download a malicious payload—ransomware in this case. But during a single spam campaign, anything can alter more than once.
A downloader will connect to the malicious server after it has been launched. These servers are frequently put up right before the commencement of a spam campaign and taken down once the attack is over. Frequently, the downloaders come with a list of servers they can reach out to in case some are unavailable. Similar to ransomware, this connection typically makes use of the HTTP standard port 80 or the HTTPS standard port 443.
Ports are logical constructs that identify a specific type of network service. Each port is linked to a specific protocol, program or service, and has a port number for identification purposes. For instance, secured Hypertext Transfer Protocol (HTTPS) messages always go to port 443 on the server side, while port 1194 is exclusively for OpenVPN.
Open ports are most vulnerable to attack when the services listening to them are unpatched or insufficiently protected or misconfigured, which can lead to compromised systems and networks. In these cases, threat actors can use open ports to perform various cyberattacks that exploit the lack of authentication mechanisms in the TCP and UDP protocols. One common example is spoofing, where a malicious actor impersonates a system or a service and sends malicious packets, often in combination with IP spoofing and man-in-the-middle-attacks. The campaign against RDP Pipe Plumbing is one of the latest to employ such a tactic. In addition, ports that have been opened on purpose (for instance, on a web server) can be attacked via that port using application-layer attacks such as SQL injection, cross-site request forgery and directory traversal.
Importance of Oversight and Monitoring
It’s a real story; one day, my friend accidentally opened port 80 in the AWS security group while troubleshooting. Unfortunately, after his testing was finished, he forgot to delete the entry.
This simple oversight led to dire consequences that could have been easily avoided with proper attention to detail.
Despite the open port, nobody from the team noticed the actions he performed on the EC2. Lack of oversight can lead to costly mistakes that affect the client’s bottom line.
It’s a reminder of the importance of thorough monitoring and review of all actions taken within cloud environments.
At the end of the month, the client received a shockingly high bill of 40L from AWS. This unexpected expense caused significant stress and strain on the professional relationship.
The incident serves as a stark reminder of the financial implications of overlooking even the smallest detail within cloud services.
It’s important for IT professionals and developers to learn from stories like this and ensure that all activities in cloud environments are carefully monitored and managed.
By sharing this cautionary tale, we hope to foster a culture of accountability and attention to detail within the industry.
Vulnerable Ports that needs our Attention
- Ports 20 and 21 (FTP)
- Port 22 (SSH)
- Port 23 (Telnet)
- Port 25 (SMTP)
- Port 53 (DNS)
- Ports 137 and 139 (NetBIOS over TCP) and 445 (SMB)
- Ports 80, 443, 8080 and 8443 (HTTP and HTTPS)
- Ports 1433,1434 and 3306 (Used by Databases)
- Port 3389 (Remote Desktop)
Just few steps can help to prevent this type of disasters.
- Patch firewalls regularly
- Check ports regularly
- Use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Use SSH Keys
- Conduct penetration tests and vulnerability assessments
- Always put an alert in billing amount
- Do not open port 80
- In case you are opening port 80 then do not allow 0.0.0.0/0 rather it should be your own IP address.
- If you can afford then go ahead and configure WAF.
