Looking at active Cyber Threats with LeakIX
by Eva Prokofiev
Yesterday I posted on my Twitter a discovery I made through one of my Chinese sources: an interesting search engine called 'LeakIX'.
"LeakIX is an engine indexing all services and web applications on IPv4 & now IPv6"
LeakIX is quite a new project, developed in Belgium as it seems, so it is not yet widely recognized by researchers globally. However, from my personal observation I think it has great potential to be the next best tool in the market, used by the OSINT community, penetration testers and malware researchers alike.
About the platform
LeakIX offers a web-based platform that is very similar to Shodan, both visually and in the query syntax used; however, there are some capabilities that differentiate the two, which I find really interesting. Let's dive right in.
The platform's main focus, and where I think its value lies, is providing insight into compromised devices, servers and in particular database schemas exposed on the internet. Yes, Shodan does something similar by tagging 'compromised' servers, but not to this extent.
As we can see in the image above, we have an indexed asset (MariaDB) on port 3306. In this scope the platform inspects the services it finds for weak credentials, meaning:
- No credentials
- Weak credentials widely used by botnets (e.g. root:root, admin:admin, 123456)
- Storing the table names and the time the leak was observed.
Some interesting features 'LeakIX' offers: we as researchers can view the 'stats' page, which presents statistics for the different services indexed, but the real gem is the list of actively tracked ransomware campaigns. This gives me, as a researcher, information on the latest campaigns and lets me keep track of the latest ransomware or malware campaign currently in the wild.
This is very valuable information for threat intelligence companies, who can use it alongside their own research to pinpoint and provide real, actionable threat intelligence on the latest cyber campaigns. I am not saying this is the only resource to rely on for that, but it definitely makes life easier.
Among the platform's other features, it also provides insight into the leaks indexed per network operator, as presented in this graph:
This gives threat actors, who are also looking for fresh targets for financial or other purposes, insight into the most vulnerable or exploitable 'points' that they could potentially use in their next cyber attack.
As a side note, I think the most crucial part of my role as a researcher and cyber threat intelligence analyst, having been in this industry for over 5 years now, is understanding how to stand out and think outside the box. So every time I do my research and find something new, I want to know how to use it to the max and what value it brings to my findings and research.
One of the things I like most is the idea of indexing potentially 'leaked' or 'compromised' company data contained within the databases and servers found on LeakIX, so that we can not only search by company assets but also do a "reverse" search to find additional data.
Say we're looking for servers containing specific company data. Instead of querying only the target company's own assets, we can search for the target company's name as a customized keyword, which ideally surfaces third-party companies holding compromised data belonging to our target.
This gives me, as a researcher, more options to find something interesting and to widen my area of research and scope; for threat actors it could mean a wider attack surface.
LeakIX has a page dedicated to information about the queries it supports, which you can check out here: https://leakix.net/syntax
To see interesting posts on new queries, track new campaigns and keep up to date with the platform's newly developed capabilities as it grows, I would recommend following their Twitter page, which does exactly that: https://twitter.com/leak_ix
As of now, LeakIX has the platform up and running and ready for use; what I am looking forward to is their further development. As mentioned below, these are the scopes of data they cover.
To summarize my discovery and the capabilities of LeakIX: I would say it has great potential, it is easy to use and it provides us with "more" than other similar tools in the market at the moment, especially when combined with additional data sources, which can make it even more powerful.
About the Author
I'm the senior CTI Analyst for Accenture Security - Maglan. The majority of my experience is across the banking, government, telecom and healthcare sectors in the fields of cyber intelligence, threat operations and information security. Prior to Accenture, I was responsible for creating and managing CTI projects, sales and client engagements, with a focus on delivering successful, high-quality actionable intelligence tailored to provide a real understanding of a company's targeted threats. My expertise lies in my linguistic skills, my diverse intelligence background and my targeted reconnaissance experience.
The article was originally published at: https://www.linkedin.com/pulse/looking-active-cyber-threats-leakix-eva-prokofiev/