Shodan Alert Details
Alert ID: SHODAN-EXPOSED-ASSETS-7842
Alert Time: 2024-02-09 14:15:33 EST
Severity: HIGH (85/100)
Source: Shodan Monitor
Rule: “New Exposed Asset Detected – Critical Infrastructure”
MITRE ATT&CK: T1596 – Search Open Technical Databases
Alert Details:
Asset Discovery: New publicly exposed asset detected on Shodan
IP Address: 203.0.113.142
Hostname: dev-gateway.company.com
Ports Open:
– 22: SSH (OpenSSH 7.9, banner: “Ubuntu-20.04”)
– 80: HTTP (nginx 1.18.0, title: “Development Portal”)
– 443: HTTPS (self-signed certificate, issuer: “Company Dev”)
– 3389: RDP (Windows Remote Desktop)
– 3306: MySQL (MySQL 5.7, accessible without auth – CRITICAL)
– 8080: Tomcat (Apache Tomcat 9.0.30, default credentials tested)
Banner Grabbing Results:
– HTTP: “Development Portal – Internal Use Only – DO NOT EXPOSE”
– MySQL: Accepting connections from any source (0.0.0.0)
– SSH: Password authentication enabled
– SSL Certificate: Contains internal hostnames: dev-db01.internal, dev-app01.internal
Geolocation: AWS us-east-1
First Seen: 2024-02-09 13:00 EST
Last Seen: 2024-02-09 14:00 EST
Threat Intelligence:
– IP belongs to development team’s AWS account
– Should be private (internal-only) per architecture diagrams
– MySQL exposed without authentication is critical severity
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Shodan findings | Shodan, AWS Console | Confirmed asset exposed; MySQL accessible |
| 2. Asset Ownership | Identify responsible team | ServiceNow CMDB, AWS Tags | Development team owns instance |
| 3. Immediate Remediation | Block public access | AWS Security Groups | Updated security group to restrict to internal IPs |
| 4. Data Exposure Assessment | Check if data was accessed | AWS RDS Logs, VPC Flow Logs | No connections from external IPs (detected before access) |
| 5. Root Cause Analysis | Determine why exposed | Infrastructure-as-Code Review | Terraform template had 0.0.0.0/0 in security group |
| 6. Prevention | Fix IaC templates, add scanning | Terraform, Shodan Monitor | Updated templates; added pre-deployment scanning |
Jira Incident Report
Ticket: SOC-2024-046
Summary: T1596 – Critical Development Asset Exposed on Shodan
Status: RESOLVED
Resolution: MISCONFIGURATION – Remediated
Priority: P1 – HIGH
Labels: T1596, shodan, exposed-assets, cloud-misconfiguration, development
Components: Cloud-Security, Infrastructure-as-Code
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Shodan Monitor.
- Alert: “New Exposed Asset Detected – Critical Infrastructure”.
- Asset: dev-gateway.company.com (203.0.113.142) in AWS us-east-1.
- Time: 2024-02-09 14:15 EST (detected), exposed since 13:00 EST.
- Technique: MITRE ATT&CK T1596 – Search Open Technical Databases.
2. Technical Analysis:
- Exposure Details:
  - IP: 203.0.113.142 (AWS EC2 instance).
  - Open Ports:
    - 22/SSH: OpenSSH 7.9, password auth enabled
    - 80/HTTP: Development portal with internal-use notice
    - 443/HTTPS: Self-signed cert with internal hostnames
    - 3389/RDP: Windows Remote Desktop accessible
    - 3306/MySQL: CRITICAL – No authentication required
    - 8080/Tomcat: Default credentials possible
  - Exposure Duration: 1 hour (13:00-14:00 EST).
- Impact Assessment:
  - MySQL database contained development data (no PII, but proprietary code).
  - No external connections observed in VPC Flow Logs.
  - Detected before any known compromise.
- Root Cause:
  - Terraform template for development environment had:
      ingress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]  # SHOULD BE INTERNAL ONLY
      }
  - Code reviewed but misconfiguration missed.
  - No pre-deployment security scanning.
3. Investigation Findings:
- Timeline:
  13:00 – Terraform apply executed by developer
  13:05 – Instance launches with public IP
  13:10 – Shodan scans AWS range, discovers instance
  13:15 – Shodan indexes instance data
  14:00 – Shodan Monitor detects and alerts
  14:15 – SOC receives alert
  14:20 – Investigation begins
  14:25 – Security group updated to restrict access
  14:30 – Instance confirmed no longer public
- Indicators of Compromise (IoCs):
  Network:
  – IP: 203.0.113.142 (now secured)
  – Ports: 22,80,443,3389,3306,8080 (all now restricted)
4. Containment Actions:
- Immediate Remediation (14:20-14:30 EST):
  - Updated AWS security group to allow only internal corporate IPs.
  - Verified MySQL no longer publicly accessible.
  - Confirmed all ports restricted.
- Forensic Analysis (14:30-15:30 EST):
  - Reviewed VPC Flow Logs for external connections: None found.
  - Checked MySQL logs for unauthorized access: None.
  - Verified no data exfiltration.
- Permanent Fix (15:30-17:00 EST):
  - Updated Terraform templates with correct security group.
  - Implemented pre-deployment scanning (Checkov, tfsec).
  - Added Shodan monitoring to CI/CD pipeline.
5. Root Cause Analysis:
- Primary Cause: Misconfigured Terraform security group allowing 0.0.0.0/0.
- Contributing Factors:
  - No pre-deployment security scanning.
  - Code review missed the misconfiguration.
  - No automated checks for public exposure of sensitive services.
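The missing control named above, as an added example that is not Checkov, tfsec, or the team's own pipeline code: a small pre-deployment check that parses Terraform ingress blocks and flags any /0 CIDR that reaches the services from the alert (22, 3306, 3389, 8080), either directly or via protocol "-1". The sensitive-port list and the 10.0.0.0/8 replacement range are assumptions for the demonstration.

```python
import re
from ipaddress import ip_network

# Services from the alert whose exposure to the whole internet is critical (assumed list, not a tool policy).
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 8080: "Tomcat"}
INGRESS_RE = re.compile(r"ingress\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(\[[^\]]*\]|"[^"]*"|-?\d+)')

def parse_ingress_blocks(hcl: str) -> list:
    """Extract each ingress { ... } block as a dict of its attributes
    (list values such as cidr_blocks become lists, scalars plain strings)."""
    rules = []
    for body in INGRESS_RE.findall(hcl):
        attrs = {}
        for key, raw in ATTR_RE.findall(body):
            attrs[key] = re.findall(r'"([^"]*)"', raw) if raw.startswith("[") else raw.strip('"')
        rules.append(attrs)
    return rules

def is_world_open(cidr: str) -> bool:
    """True for a CIDR covering the entire IPv4 or IPv6 internet (/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0

def find_exposures(hcl: str) -> list:
    """Return (port, service, cidr) for every sensitive port reachable from a /0 CIDR."""
    findings = []
    for rule in parse_ingress_blocks(hcl):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        world = [c for c in cidrs if is_world_open(c)]
        if not world:
            continue
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
        all_ports = rule.get("protocol") == "-1"  # "-1" means all protocols and ports
        for port, name in sorted(SENSITIVE_PORTS.items()):
            if all_ports or lo <= port <= hi:
                findings.append((port, name, world[0]))
    return findings

# Constructed inputs: the block quoted in the report, and an internal-only fix (10.0.0.0/8 is assumed).
MISCONFIGURED = '''
ingress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]  # SHOULD BE INTERNAL ONLY
}
'''
FIXED = MISCONFIGURED.replace('"0.0.0.0/0"', '"10.0.0.0/8"')
```

Wiring `find_exposures` into a CI step so that a non-empty result fails the plan gives the automated public-exposure check the report lists as missing.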
6. Business Impact:
- Operational Impact: None (detected before compromise).
- Data Exposure: Potential for development data; none confirmed.
- Reputational Impact: None.
7. Remediation & Prevention:
Completed Actions:
- Security group corrected.
- Terraform templates updated.
- Pre-deployment scanning implemented.
- Shodan monitoring integrated into CI/CD.
- Development team trained on cloud security.
8. Conclusion:
This incident involved a critical misconfiguration exposing a development server with unauthenticated MySQL to the public internet. Rapid detection via Shodan allowed remediation before any observed compromise. Infrastructure-as-code templates have been fixed and scanning implemented.
Closure Rationale: Exposure eliminated; preventive controls implemented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-09 17:30 EST