Skip to main content

2019-009: Securing unprotected network and data services

The Australian Cyber Security Centre (ACSC), the cyber defensive component of the Australian Signals Directorate (ASD), has observed a large number of unprotected network and database/storage services hosted on Australian Internet Protocol (IP) address ranges.

Alert status
HIGH

This exposure may lead to data contained in these services being compromised. The ACSC urges organisations to check their externally facing internet services and ensure appropriate access controls and protections are in place.

Details

As part of the ACSC, the Australian Internet Security Initiative (AISI) operates as a public-private partnership where Australian internet providers and other network owners voluntarily work with the ACSC to help protect their customers and/or themselves from cyber security threats.

The program helps to reduce malicious software (malware) infections and service vulnerabilities occurring on Australian IP address ranges. Daily email reports are sent to internet providers identifying IP addresses on their networks observed as being infected by malware or potentially vulnerable to exploitation. Internet providers are encouraged to use the AISI data to identify and inform affected customers about their malware infection or service vulnerability. This includes providing advice to customers on how they can remove the malware or secure the vulnerable service.

Over recent weeks, the ACSC has received a number of reports about cyber security incidents that could have been prevented if the affected party had signed up to the free AISI program and actioned the alert data it provides.

The web-facing services reported through the AISI are often vulnerable because they have inadequate authentication and access control processes in place. Malicious actors are known to exploit these types of vulnerable services in order to commit further cyber attacks such as:

  • Ransomware Theft and/or modification of data and intellectual property
  • Business disruption
  • Denial of Service attacks
  • Advanced Persistent Threat (APT) entry into key business sectors
  • Other harmful activities to either the service owner or other interest users.

The two graphs below illustrate some key vulnerable services identified through the AISI during the first quarter of 2019. Note that there are a lot of other vulnerable services that are detected through AISI monitoring, but they do not appear in these charts. For example, the first graph shows that there were around 500 open Mongo Databases and 100 ElasticSearch Databases detected each day across Australia, while the second graph indicates that there were around 20,000 open network services that were potentially vulnerable to exploitation.

Graph showing that that there were around 500 open Mongo Databases and 100 ElasticSearch Databases detected each day across Australia

Graph indicating that there were around 20,000 open network services that were potentially vulnerable to exploitation.