Port scans are often underestimated next to more spectacular types of attack such as phishing, brute force or DDoS (Distributed Denial of Service). But it is precisely this automated, systematic search for security gaps that opens up numerous easy-to-use entry points for cyber criminals, who can then install malware for espionage, data theft or ransomware.
To better understand the current threat situation from port scans, F5 Labs regularly examines global attack traffic in cooperation with Effluxio. The current analysis covers scans against global low-interaction honeypots over the first three quarters of 2021, which allows the activity in the first two quarters (January to June) to be compared with that of the third quarter (July to September).
However, the connection attempts recorded in these scans do not necessarily originate from their apparent source. According to the study, advanced attackers often route scans through compromised infrastructure used as a proxy botnet. During the period under review, Lithuania was one of the most important countries of origin for scans worldwide, but this is more likely attributable to Russian cyber attackers who hijacked Lithuanian infrastructure.
Most frequently scanned ports
Also important for companies: the three most frequently scanned ports in the first three quarters of 2021 all belong to remote login services. A single successful authentication gives an attacker direct access to a company’s infrastructure. Companies should therefore protect these services with patches and strong authentication, and apply even stricter controls to remote management by system administrators, whose accounts carry elevated privileges.
The three most frequently scanned ports are 5900 (VNC), 22 (SSH) and 3389 (RDP). Their share decreased slightly over the course of 2021, while scans of ports 3306 (MySQL), 21 (FTP) and 9200 (Elasticsearch API) increased. A scan does not in itself show that the port is actually open and listening, but a great many are: a search on Shodan shows nearly 5 million hosts with port 3389 open, over a million with port 5900, and a whopping 21 million with port 22.
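The ranking and the half-year comparison described above are simple aggregations over honeypot connection records. The following is an added example, not code from the F5 Labs or Effluxio analysis: it parses a constructed connection log in an assumed `date src_ip dst_port` format, ranks destination ports by their share of all connections in a chosen set of quarters, and reports how each port's share moved between the first half and the third quarter.

```python
"""Added example (not from the F5 Labs / Effluxio report): rank destination
ports in honeypot connection logs and compare two periods.
The log format and the log lines below are constructed for this example."""
from collections import Counter
from datetime import date

# Constructed sample: "YYYY-MM-DD src_ip dst_port" (documentation IP ranges).
# The last two lines are deliberately malformed to show they are skipped.
SAMPLE_LOG = """\
2021-02-03 198.51.100.7 5900
2021-02-03 198.51.100.7 22
2021-03-14 203.0.113.9 3389
2021-03-14 203.0.113.9 5900
2021-04-02 198.51.100.12 3389
2021-05-20 198.51.100.12 22
2021-06-01 203.0.113.44 5900
2021-06-02 203.0.113.44 3306
2021-07-05 198.51.100.7 3306
2021-07-05 198.51.100.7 9200
2021-08-11 203.0.113.9 22
2021-08-11 203.0.113.9 3306
2021-09-01 198.51.100.12 5900
2021-09-02 203.0.113.44 21
2021-09-19 203.0.113.44 9200
garbage line that should be skipped
2021-09-19 203.0.113.44 70000
"""

# Calendar quarter for each month number.
QUARTER_OF = {m: (m - 1) // 3 + 1 for m in range(1, 13)}


def parse_log(text):
    """Return a list of (date, src_ip, dst_port) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            day = date.fromisoformat(parts[0])
            port = int(parts[2])
        except ValueError:
            continue
        if not 0 <= port <= 65535:
            continue
        records.append((day, parts[1], port))
    return records


def port_share(records, quarters):
    """Map each destination port to its percentage of connections in `quarters`."""
    counts = Counter(port for day, _, port in records if QUARTER_OF[day.month] in quarters)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {port: round(100.0 * n / total, 2) for port, n in counts.items()}


def top_ports(share, n=3):
    """Ports ordered by descending share; ties broken by ascending port number."""
    return sorted(share, key=lambda p: (-share[p], p))[:n]


def share_change(before, after):
    """Percentage-point change of each port's share between two periods."""
    ports = set(before) | set(after)
    return {p: round(after.get(p, 0.0) - before.get(p, 0.0), 2) for p in ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    h1 = port_share(recs, {1, 2})
    q3 = port_share(recs, {3})
    print("H1 top ports:", top_ports(h1))
    print("Q3 top ports:", top_ports(q3))
    for port, delta in sorted(share_change(h1, q3).items(), key=lambda kv: kv[1]):
        print(f"port {port}: {delta:+.2f} points")
```

On real honeypot data the same three functions apply unchanged; the only adaptation is the parser, which should mirror whatever format the sensor writes and keep rejecting malformed lines rather than raising.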
Port 9200 scans in the third quarter of 2021
The increasingly scanned port 9200 is used by Elasticsearch. It ranked sixth worldwide in the third quarter (3.6% of total scan traffic) and, in the same period, even among the top three in the USA. Why Elasticsearch? The software has recently been the source of many major data breaches, as identified in the Application Protection Reports of 2019 and 2021. It is therefore strongly recommended to harden all APIs exposed to the Internet, especially heavily targeted ones such as Elasticsearch.
The most common destinations
To determine whether a country is being attacked with unusual frequency, the first step is to look at how IP addresses are distributed. The roughly four billion IP addresses on the Internet are allocated unevenly from country to country, depending on usage and assignment. For untargeted attacks, each country's share of attack traffic in the Effluxio honeypot data should roughly match its share of assigned IP addresses. While scan traffic to the US is roughly proportional to its share of assigned IP addresses, most other countries deviate from this. Malaysia stands out as an extreme outlier, ranking second in the third quarter of 2021.
Attacks on Malaysia are spreading through China
Since this is very unusual, the study took a closer look at attacks on Malaysia from July to September 2021. The three most commonly attacked ports in Malaysia were 3306 (79.53%), 5900 (14.31%) and 22 (3.83%). That was roughly to be expected, although 3306 (MySQL) is attacked about seven times as often in Malaysia as worldwide (11.3%).
Incoming scans to Malaysia came mainly from China (20.52%), the USA (15.90%), Lithuania (9.21%), Germany (9.16%) and Russia (8.41%). Lithuania appears to be an outlier here, but this result is consistent with other global attack traffic over the same period.
The real outlier is China, which scanned Malaysia almost twice as often as the Internet average (11.2%). Most of this traffic (20.83%) appears to come from Autonomous System Number (ASN) 37963, which is assigned to Alibaba China. This, too, is disproportionately high: almost six times the global average for this autonomous system (3.6%).
This could be a dedicated campaign by cyber criminals using Alibaba scanners, but it could also be a statistical anomaly or a politically motivated attack. The available data cannot clarify this.
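The outlier reasoning used in the two sections above (Malaysia's share of attacks versus its share of IP addresses, MySQL scans in Malaysia versus worldwide, China and AS37963 versus their global averages) reduces to one ratio: the observed share of scan traffic divided by a baseline share. The following added example, not part of the F5 Labs or Effluxio analysis, implements that ratio as a "lift" score and flags observations above a threshold. The three report figures quoted in the article are used as inputs; the two country rows are constructed placeholders, since the article does not give per-country IP allocation shares.

```python
"""Added example (not from the F5 Labs / Effluxio report): flag over-represented
scan sources or targets by comparing an observed traffic share with a baseline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    label: str
    observed_pct: float   # share of scan traffic actually seen (percent)
    baseline_pct: float   # share expected if traffic were untargeted, or the global average


def lift(obs):
    """Observed share divided by baseline share; a value above 1 means over-represented."""
    if obs.baseline_pct <= 0:
        raise ValueError("baseline share must be positive")
    return obs.observed_pct / obs.baseline_pct


def outliers(observations, threshold=2.0):
    """Observations whose lift reaches `threshold`, most extreme first."""
    hits = [o for o in observations if lift(o) >= threshold]
    return sorted(hits, key=lambda o: -lift(o))


def describe(obs):
    """Human-readable summary line for one observation."""
    return f"{obs.label}: {obs.observed_pct}% vs {obs.baseline_pct}% baseline, lift {lift(obs):.2f}x"


# Figures quoted in the article for Q3 2021.
FROM_REPORT = [
    Observation("MySQL 3306 share in Malaysia vs worldwide", 79.53, 11.3),
    Observation("China's share of scans to Malaysia vs China's global share", 20.52, 11.2),
    Observation("AS37963 share of scans to Malaysia vs AS37963 global share", 20.83, 3.6),
]

# Constructed placeholders (not from the article): scan share vs share of assigned IP space.
CONSTRUCTED_COUNTRIES = [
    Observation("Country A scan share vs IP-address share (constructed)", 40.0, 38.0),
    Observation("Country B scan share vs IP-address share (constructed)", 9.0, 1.5),
]


if __name__ == "__main__":
    for obs in FROM_REPORT + CONSTRUCTED_COUNTRIES:
        print(describe(obs))
    print("Flagged (lift >= 2):")
    for obs in outliers(FROM_REPORT + CONSTRUCTED_COUNTRIES):
        print("  ", obs.label)
```

With the report's figures the lift scores reproduce the article's wording: about 7x for MySQL in Malaysia, about 1.8x for China, and about 5.8x for AS37963. The threshold is a judgement call; a lift near 1, as for the US in the article, is what untargeted background scanning looks like, while anything well above it is a candidate for closer inspection rather than proof of a campaign, exactly the caveat the article makes.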
Who is Scanning the Internet?
The question of where the scans come from is easier to answer. The most unusual finding: Lithuania was the country of origin for most cyberattack scans in 2021. The Lithuanian Ministry of State Security itself explains the reason. It found in March that Russian cyber attackers had misused the country’s IT infrastructure to attack organizations developing COVID-19 vaccines. Indeed, traffic originating from Lithuania is decreasing, presumably because the country has cleaned up the compromised systems, while traffic originating from Russia is increasing again. However, the report's graph suggests that Germany could have a similar problem.
The most important scan sources by autonomous system remained largely the same in 2021. Serverius Holding Bv (AS50673) from the Netherlands once again tops the list with 33.8 percent, followed by DigitalOcean (AS14061) with 10.3 percent. These two companies have been at the top for the past few years.
Recommendations for port protection
To ward off the types of attack discussed here, companies should introduce the following protective mechanisms:
- Harden and patch frequently attacked exposed services such as Elasticsearch APIs, VNC and SSH
- Enforce multifactor authentication for all remote logon services – if this is not possible, implement a robust password policy
- Use an anti-bot solution to reduce brute force and credential stuffing attacks on remote services
- Use firewalls to limit all unnecessary access to frequently attacked ports that must remain publicly accessible
- Disable weak and unused protocols such as Telnet
- Configure network access control so that administrative ports can only be reached from officially defined IP address ranges