Looking at active Cyber Threats with LeakIX - Pentestmag


by Eva Prokofiev

Yesterday I posted on my Twitter a discovery I made through one of my Chinese sources: an interesting search engine called 'LeakIX'.

LeakIX search engine

"LeakIX is an engine indexing all services and web applications on IPv4 & now IPv6"

LeakIX is quite a new project, developed in Belgium as far as I can tell, so it is not yet widely recognized by researchers globally. However, from my personal observation I think it has great potential to be the next best tool on the market, used by the OSINT community, penetration testers and malware researchers alike.

About the platform

LeakIX offers a web-based platform that is very similar to Shodan, both visually and in the queries used. However, there are some capabilities that differentiate the two, which I find really interesting. Let's dive right in.

The platform's main focus, and where I think its value lies, is providing insight into compromised devices, servers and in particular database schemas on the internet. Yes, Shodan does much the same thing by tagging 'compromised' servers, but not to this extent.

Indexing for 'vulnerable' & 'compromised' DB servers

As we can see in the image above, we have an indexed asset (MariaDB) on port 3306. In this scope the platform inspects found services for weak credentials, meaning:

  • No credentials
  • Weak credentials widely used by botnets (e.g. root:root, admin:admin, 123456)
  • Storing table names plus the time the leak happened

One of the interesting features 'LeakIX' offers is that we as researchers can view the 'stats' page, which presents statistics on the different services indexed. The real gem, though, is the actively tracked ransomware campaigns. This gives me, as a researcher, information on the latest campaigns and lets me keep track of the latest ransomware or malware campaign currently in the wild.

This is very valuable information for threat intelligence companies, enabling them to pinpoint and provide real actionable threat intelligence on the latest cyber campaigns alongside their research. Now, I am not saying this is the only resource to rely on for that, but it definitely makes life easier.

Currently active ransomware campaigns as of August 7

Among the platform's other features, it also provides insight into indexed leaks broken down by network operator, as shown in this graph:

Leaks by network operator time graph

This also gives threat actors, who are looking for fresh targets for financial or other purposes, insight into the most vulnerable or exploitable 'points' which they could potentially use in their next cyber attack.

As a side note, I think the most crucial part of my role as a researcher and cyber threat intelligence analyst who has been in this industry for over 5 years now is to understand how to stand out and think outside of the box. So every time I do my research and find something new, I want to know how to use it to the max and what value it brings to my findings and research.

One of the things I like most is the idea of indexing potentially 'leaked' or 'compromised' company data contained within the databases and servers found on LeakIX, so that we not only search based on a company's own assets, but can do a "reverse" search to find additional data.

Say we're looking for servers containing specific company data. Rather than searching only for assets with keywords customized to our target company, we can search for the target company's name itself, which may surface third-party companies that hold compromised data belonging to our target.


This gives me, as the researcher, more options to find something interesting and also widens my area of research and scope; for threat actors it could mean a wider attack surface.

LeakIX has a page dedicated to information about the queries it supports, so you can check that out here: https://leakix.net/syntax


To see interesting posts on new queries, track new campaigns and keep yourself updated on the platform's newly developed capabilities as it grows, I would recommend checking out this Twitter page, which does exactly that: https://twitter.com/leak_ix


As of now, LeakIX has the platform up and running and ready for use. What I am looking forward to is seeing their further developments; as mentioned below, these are the scopes of data they cover.

To summarize my discovery and the capabilities of LeakIX: I would say it has great potential, it is easy to use, and it provides us with "more" than other similar tools on the market at the moment, especially if combined with additional data sources, which can make it even more powerful.

About the Author

Eva is a Cyber Threat Intelligence Expert with close to 10 years of experience in information security. Her expertise and passion is making organizations secure, bringing value and awareness of their real cyber threats.

The article was originally published at: https://www.linkedin.com/pulse/looking-active-cyber-threats-leakix-eva-prokofiev/


October 24, 2020
2 months ago

There’s a list of LeakIX/i9Scanner bot IP addresses at the link below. I’m blocking these from reaching any of my systems.


who wouldhavethought
who wouldhavethought
3 years ago

This is bullshit – it is not a "useful resource", it is a *dangerous* resource, i.e. it allows you to search for compromised systems which can then be hacked. This sort of bullshit should not be allowed. If it finds compromised systems it should report those to the relevant people, not publish the vulnerability on the web for all to see. This website is almost literally like someone going round all the houses in a town, trying all the doors and windows, and then publishing a list of all the houses with unlocked doors and windows, when the appropriate ethical…

1 year ago

Even more fun:

The bot they use to scrape websites doesn't even attempt to fetch robots.txt, instead relying on you sending an email to opt out of their garbage, which is absolute BS.

Coupled with them using DigitalCesspool for hosting said bot, you know they're a scummy outfit, even before considering the rest of their behaviour.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023