T1596 – Search Open Tech Databases (Shodan Detection)

Shodan Alert Details
Alert ID: SHODAN-EXPOSED-ASSETS-7842
Alert Time: 2024-02-09 14:15:33 EST
Severity: HIGH (85/100)
Source: Shodan Monitor
Rule: “New Exposed Asset Detected – Critical Infrastructure”
MITRE ATT&CK: T1596 – Search Open Technical Databases

Alert Details:

Asset Discovery: New publicly exposed asset detected on Shodan
IP Address: 203.0.113.142
Hostname: dev-gateway.company.com

Ports Open:
– 22: SSH (OpenSSH 7.9, banner: “Ubuntu-20.04”)
– 80: HTTP (nginx 1.18.0, title: “Development Portal”)
– 443: HTTPS (self-signed certificate, issuer: “Company Dev”)
– 3389: RDP (Windows Remote Desktop)
– 3306: MySQL (MySQL 5.7, accessible without auth – CRITICAL)
– 8080: Tomcat (Apache Tomcat 9.0.30, default credentials tested)

Banner Grabbing Results:
– HTTP: “Development Portal – Internal Use Only – DO NOT EXPOSE”
– MySQL: Accepting connections from any source (0.0.0.0)
– SSH: Password authentication enabled
– SSL Certificate: Contains internal hostnames: dev-db01.internal, dev-app01.internal

Geolocation: AWS us-east-1
First Seen: 2024-02-09 13:00 EST
Last Seen: 2024-02-09 14:00 EST

Threat Intelligence:
– IP belongs to development team’s AWS account
– Should be private (internal-only) per architecture diagrams
– MySQL exposed without authentication is critical severity

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Shodan findings | Shodan, AWS Console | Confirmed asset exposed; MySQL accessible |
| 2. Asset Ownership | Identify responsible team | ServiceNow CMDB, AWS Tags | Development team owns instance |
| 3. Immediate Remediation | Block public access | AWS Security Groups | Updated security group to restrict to internal IPs |
| 4. Data Exposure Assessment | Check if data was accessed | AWS RDS Logs, VPC Flow Logs | No connections from external IPs (detected before access) |
| 5. Root Cause Analysis | Determine why exposed | Infrastructure-as-Code Review | Terraform template had 0.0.0.0/0 in security group |
| 6. Prevention | Fix IaC templates, add scanning | Terraform, Shodan Monitor | Updated templates; added pre-deployment scanning |

Jira Incident Report
Ticket: SOC-2024-046
Summary: T1596 – Critical Development Asset Exposed on Shodan
Status: RESOLVED
Resolution: MISCONFIGURATION – Remediated
Priority: P1 – HIGH
Labels: T1596, shodan, exposed-assets, cloud-misconfiguration, development
Components: Cloud-Security, Infrastructure-as-Code

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Shodan Monitor.
Alert: “New Exposed Asset Detected – Critical Infrastructure”.
Asset: dev-gateway.company.com (203.0.113.142) in AWS us-east-1.
Time: 2024-02-09 14:15 EST (detected), exposed since 13:00 EST.
Technique: MITRE ATT&CK T1596 – Search Open Technical Databases.

2. Technical Analysis:

Exposure Details:

IP: 203.0.113.142 (AWS EC2 instance).

Open Ports:

22/SSH: OpenSSH 7.9, password auth enabled
80/HTTP: Development portal with internal-use notice
443/HTTPS: Self-signed cert with internal hostnames
3389/RDP: Windows Remote Desktop accessible
3306/MySQL: CRITICAL – No authentication required
8080/Tomcat: Default credentials possible

Exposure Duration: 1 hour (13:00-14:00 EST).

Impact Assessment:

MySQL database contained development data (no PII, but proprietary code).
No external connections observed in VPC Flow Logs.
Detected before any known compromise.

Root Cause:

Terraform template for development environment had:

```hcl
ingress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"] # SHOULD BE INTERNAL ONLY
}
```

Code reviewed but misconfiguration missed.
No pre-deployment security scanning.
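As an added example (not the team's own tooling, nor the Checkov/tfsec rules they adopted), a minimal pre-deployment check of the kind step 6 calls for: it reads the JSON produced by `terraform show -json <plan>` and fails any aws_security_group whose ingress opens a sensitive port, or every port via protocol -1, to 0.0.0.0/0 or ::/0. The plan document is constructed to reproduce the misconfigured block above beside a corrected internal-only version; the resource names and the 10.0.0.0/8 range are assumptions.

```python
import json

# Ports the alert listed as exposed; none of these should ever be world-reachable.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 8080: "Tomcat"}
WORLD_OPEN = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `terraform show -json plan` output (not the real plan):
# the first security group reproduces the misconfigured ingress block from the report,
# the second is a corrected version that only admits an assumed internal 10.0.0.0/8 range.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.dev_gateway_bad", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                             "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
    {"address": "aws_security_group.dev_gateway_fixed", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []},
                            {"from_port": 3306, "to_port": 3306, "protocol": "tcp",
                             "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
]}}})

def rule_ports(rule):
    """Return the sensitive ports a rule reaches; protocol -1 means all ports, whatever from/to say."""
    if str(rule.get("protocol")) == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}

def find_world_open_sensitive(plan_json):
    """Return (resource address, port, service) for every sensitive port open to the internet."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res.get("type") != "aws_security_group":
            continue
        for rule in res["values"].get("ingress", []):
            cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            if not (cidrs & WORLD_OPEN):
                continue  # restricted source range: not a public exposure
            for port in sorted(rule_ports(rule)):
                findings.append((res["address"], port, SENSITIVE_PORTS[port]))
    return findings

if __name__ == "__main__":
    for address, port, svc in find_world_open_sensitive(PLAN_JSON):
        print(f"FAIL {address}: {svc} ({port}) reachable from the internet")
```

Wired into CI, a non-empty result from `find_world_open_sensitive` is what should block `terraform apply`; the corrected group produces no findings.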

3. Investigation Findings:

Timeline:
13:00 – Terraform apply executed by developer
13:05 – Instance launches with public IP
13:10 – Shodan scans AWS range, discovers instance
13:15 – Shodan indexes instance data
14:00 – Shodan Monitor detects and alerts
14:15 – SOC receives alert
14:20 – Investigation begins
14:25 – Security group updated to restrict access
14:30 – Instance confirmed no longer public

Indicators of Compromise (IoCs):

Network:
– IP: 203.0.113.142 (now secured)
– Ports: 22, 80, 443, 3389, 3306, 8080 (all now restricted)

4. Containment Actions:

Immediate Remediation (14:20-14:30 EST):

Updated AWS security group to allow only internal corporate IPs.
Verified MySQL no longer publicly accessible.
Confirmed all ports restricted.

Forensic Analysis (14:30-15:30 EST):

Reviewed VPC Flow Logs for external connections: None found.
Checked MySQL logs for unauthorized access: None.
Verified no data exfiltration.
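As an added example (constructed here, not the analyst's own query), the kind of VPC Flow Log review behind the "no external connections" finding: parse default-format (version 2) records, drop NODATA/SKIPDATA windows, and report ACCEPTed connections to the exposed ports from sources outside RFC 1918 space. The log lines are constructed, with 10.0.1.42 standing in for the instance's private address and 198.51.100.x test-range sources; one external ACCEPT is included so the check has something to flag, which the real review did not.

```python
import ipaddress

# Ports the Shodan alert listed; an accepted connection to any of them from a
# non-internal source would mean the exposure was actually used.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 8080: "Tomcat"}
# RFC 1918 ranges; corporate egress addresses would be appended here (none known from the report).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the default VPC Flow Log format (version 2); 10.0.1.42 is an
# assumed private address for the instance, 198.51.100.x are documentation-range sources.
FLOW_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.7 10.0.1.42 48210 3306 6 12 960 1707501600 1707501660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.42 51234 3306 6 4 240 1707501660 1707501720 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.77 10.0.1.42 40022 22 6 9 720 1707501720 1707501780 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1707501780 1707501840 - NODATA
"""

FIELDS = ("version", "account", "eni", "src", "dst", "sport", "dport",
          "proto", "packets", "bytes", "start", "end", "action", "status")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow_log(text):
    """Yield one dict per data record; skips the header line and NODATA/SKIPDATA windows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["status"] != "OK":
            continue  # no traffic captured in this window, fields are "-"
        yield rec

def external_access(text):
    """Return (src, port, service, packets) for accepted external connections to sensitive ports."""
    hits = []
    for rec in parse_flow_log(text):
        port = int(rec["dport"])
        if rec["action"] == "ACCEPT" and port in SENSITIVE_PORTS and not is_internal(rec["src"]):
            hits.append((rec["src"], port, SENSITIVE_PORTS[port], int(rec["packets"])))
    return hits

if __name__ == "__main__":
    for src, port, svc, pkts in external_access(FLOW_LOG):
        print(f"EXTERNAL {src} -> {svc}/{port} ({pkts} packets)")
```

REJECT records from external sources are deliberately not counted as access, but they are worth keeping as evidence that the exposure was being probed during the window.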

Permanent Fix (15:30-17:00 EST):

Updated Terraform templates with correct security group.
Implemented pre-deployment scanning (Checkov, tfsec).
Added Shodan monitoring to CI/CD pipeline.

5. Root Cause Analysis:

Primary Cause: Misconfigured Terraform security group allowing 0.0.0.0/0.
Contributing Factors:
No pre-deployment security scanning.
Code review missed the misconfiguration.
No automated checks for public exposure of sensitive services.

6. Business Impact:

Operational Impact: None (detected before compromise).
Data Exposure: Potential for development data; none confirmed.
Reputational Impact: None.

7. Remediation & Prevention:

Completed Actions:

Security group corrected.
Terraform templates updated.
Pre-deployment scanning implemented.
Shodan monitoring integrated into CI/CD.
Development team trained on cloud security.

8. Conclusion:

This incident involved a critical misconfiguration exposing a development server with unauthenticated MySQL to the public internet. Rapid detection via Shodan allowed remediation before any observed compromise. Infrastructure-as-code templates have been fixed and scanning implemented.

Closure Rationale: Exposure eliminated; preventive controls implemented.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-09 17:30 EST
