Search Open Websites/Domains

Information

• Name: Search Open Websites/Domains

• ID: T1593

• Tactics: TA0043

• Sub-Technique: T1593.002, T1593.003, T1593.001

Introduction

"Search Open Websites/Domains" is a reconnaissance technique categorized under the MITRE ATT&CK framework (ID: T1593). It involves adversaries searching publicly accessible websites, databases, or domain information services to gather sensitive data or intelligence about targeted organizations. Attackers leverage this technique to identify potential vulnerabilities, employee details, infrastructure information, and other valuable intelligence that can facilitate further attacks.

Deep Dive Into Technique

Adversaries executing this technique typically rely on publicly accessible resources to perform passive reconnaissance. This method does not directly interact with the target's infrastructure, reducing the likelihood of detection during initial stages. Common execution methods and mechanisms include:

• Domain Information Gathering:

  • Utilizing WHOIS databases to obtain domain registration details (registrant names, email addresses, physical addresses, phone numbers, registrar details, DNS servers).

  • Analyzing DNS records (MX, TXT, SPF, DMARC, NS records) to identify mail servers, security configurations, and third-party services.

• Website Analysis:

  • Crawling publicly accessible websites to discover sensitive documents, organizational charts, employee information, or project details.

  • Searching for exposed directories, configuration files, or backups inadvertently published online.

• Third-Party Data Sources:

  • Leveraging online databases and archives (e.g., Internet Archive's Wayback Machine, Shodan, Censys, HaveIBeenPwned) to find previously exposed or leaked data.

  • Using search engines (Google, Bing) with advanced search operators ("Google dorks") to locate sensitive files, directories, or resources unintentionally indexed online.

• Social Media and Professional Networks:

  • Scanning LinkedIn, Twitter, GitHub, and other social media platforms to gather employee details, technology stack information, and organizational structure.

Attackers often automate these searches using scripts or specialized reconnaissance tools (e.g., Recon-ng, theHarvester, Maltego) to streamline the process and efficiently aggregate data.

When this Technique is Usually Used

This reconnaissance technique is commonly employed during the initial stages of an attack lifecycle, primarily in the preparation and planning phases. Specific scenarios and stages include:

• Initial Reconnaissance:

  • Identifying organizational structure, employee roles, and contact information to facilitate social engineering attacks (phishing, spear-phishing).

  • Collecting technical details about the organization's infrastructure to plan targeted attacks.

• Pre-attack Intelligence Gathering:

  • Locating publicly exposed vulnerabilities or misconfigurations (e.g., open directories, unprotected databases).

  • Identifying third-party services or vendors associated with the target organization, potentially allowing attackers to pivot from less secure third-party entities.

• Credential Harvesting:

  • Discovering previously leaked credentials or email addresses to facilitate brute force or credential stuffing attacks.

• Supply Chain Attacks:

  • Identifying third-party vendors, suppliers, or partners to exploit indirect attack vectors against the targeted organization.

How this Technique is Usually Detected

Detection of this passive reconnaissance technique is challenging due to its non-intrusive nature. However, organizations can employ several methods and tools to identify potential reconnaissance activities:

• Monitoring and Analysis:

  • Regularly reviewing web server and DNS query logs for abnormal patterns or increased frequency of access to certain resources.

  • Analyzing website traffic analytics for unusual spikes or repeated access to sensitive pages and directories.

• Honeypots and Canary Tokens:

  • Deploying honeypot resources or canary documents on public-facing websites to detect unauthorized access attempts.

  • Embedding unique identifiers within publicly exposed documents to track unauthorized redistribution or access.

• Open-Source Intelligence (OSINT) Monitoring:

  • Actively monitoring search engines, data leak repositories, and online forums for mentions of organization-specific information.

  • Utilizing OSINT monitoring tools (e.g., SpiderFoot, Recorded Future, Digital Shadows) to detect sensitive data leaks or reconnaissance attempts.

• Automated Tools and Services:

  • Employing security tools like Shodan Monitor, Censys, or RiskIQ to proactively monitor publicly accessible infrastructure and detect unintended exposures.

  • Regularly scanning publicly accessible resources using automated vulnerability assessment tools to identify and mitigate potential exposure.

Specific Indicators of Compromise (IoCs) associated with this technique include:

• Unusual spikes in access to specific sensitive web pages or directories.

• Discovery of organizational data on external databases or forums.

• Detection of organizational email addresses or credentials in breach databases.

• Suspicious DNS queries or WHOIS lookups originating from known malicious IP addresses.

Why it is Important to Detect This Technique

Early detection of adversaries performing passive reconnaissance through open websites and domains is crucial for several reasons:

• Preventing Initial Compromise:

  • Early detection enables organizations to proactively mitigate vulnerabilities or remove sensitive information before attackers exploit them.

  • Identifying reconnaissance activity can help prevent targeted phishing or social engineering attacks by alerting employees and reinforcing security awareness.

• Reducing Attack Surface:

  • Detecting external reconnaissance can prompt organizations to review and tighten their security posture, remove unnecessary exposures, and implement better data protection practices.

  • Early identification of exposed infrastructure or leaked credentials reduces the overall risk of successful exploitation.

• Limiting Damage and Impact:

  • Early detection allows organizations to initiate incident response processes promptly, reducing potential damage and minimizing operational disruptions.

  • Preventing attackers from successfully gathering detailed intelligence can significantly impede their ability to orchestrate effective targeted attacks.

• Protecting Reputation and Compliance:

  • Early detection and remediation reduce the likelihood of successful breaches, thus protecting organizational reputation and avoiding regulatory penalties due to data breaches or non-compliance.

Examples

Real-world examples demonstrating the use of "Search Open Websites/Domains" technique include:

• APT28 (Fancy Bear):

  • Attack Scenario: Conducted extensive reconnaissance through publicly accessible websites, social media, and domain registration data to identify potential targets for spear-phishing campaigns.

  • Tools Used: Custom scripts, Maltego, Recon-ng.

  • Impact: Successful phishing campaigns leading to compromised email accounts and exfiltration of sensitive political and military information.

• FIN7 Cybercrime Group:

  • Attack Scenario: Used publicly available job postings and employee information from LinkedIn and corporate websites to craft highly targeted spear-phishing emails.

  • Tools Used: LinkedIn scraping scripts, theHarvester.

  • Impact: Compromise of retail and hospitality sector organizations, theft of financial data, and significant financial losses.

• Operation Cloud Hopper (APT10):

  • Attack Scenario: Leveraged open DNS records, WHOIS databases, and website content to identify managed service providers (MSPs) and their clients, enabling subsequent supply chain attacks.

  • Tools Used: Recon-ng, passive DNS databases, Shodan.

  • Impact: Large-scale compromise of MSP infrastructures, leading to unauthorized access to multiple client networks and theft of sensitive intellectual property.

• Magecart Attacks:

  • Attack Scenario: Scanned publicly accessible websites and domains using automated tools to identify e-commerce platforms with outdated or vulnerable software versions.

  • Tools Used: Shodan, Censys, custom web-crawling scripts.

  • Impact: Injection of malicious JavaScript code into checkout pages, leading to theft of customer payment information and significant financial and reputational damage.

• Anonymous Hacktivist Operations:

  • Attack Scenario: Utilized Google dorks and publicly accessible directories to find sensitive documents, configuration files, and exposed databases belonging to targeted organizations.

  • Tools Used: Google advanced search operators, custom scripts, open-source reconnaissance tools.

  • Impact: Public disclosure of sensitive organizational data, defacement of websites, and reputational harm.

These examples illustrate the diverse scenarios, tools, and impacts associated with the "Search Open Websites/Domains" reconnaissance technique and highlight the critical importance of proactive detection and mitigation.