Security researchers recently reported that a U.S. military-related email server hosted on Microsoft Azure's¹ cloud service was left unprotected and openly accessible to the public on the Internet for up to two weeks. While the service was eventually secured, the email server allegedly contained internal U.S. military messages, including sensitive personal information and a Standard Form 86² (SF-86), the questionnaire required to gain secret or top secret security clearance. While researchers identified the exposed infrastructure as part of a larger cluster of servers, they believe that cluster is most likely civilian-oriented.
The exposed email server appears not to have been properly configured and was operating without password protection, which led to widespread online exposure. While the affected government agency claimed that no malicious actor had hacked the vulnerable systems, public exposure of sensitive servers represents a severe security breach: it opens the door for cybercriminals to access unsecured data that could be misused in future attacks, cyber espionage, or intelligence gathering.
Threat actors often use a technique called Google dorking³ to access vulnerable email servers similar to the recently exposed military-related server. This well-known cybercriminal technique targets the Google search engine with specific queries, search strings, operators, and keywords to find sensitive information and vulnerabilities in websites and computer systems. Google dorking reveals otherwise inaccessible information that can include login credentials, confidential documents, unsecured email, and File Transfer Protocol (FTP) servers, among other items.
Security experts have long warned about the dangers of Google dorking and its potential to expose organizations to cyber attacks. Companies and government agencies that lack proper security measures remain particularly vulnerable to Google dorking, leaving these entities open to network intrusions, data breaches, and other malicious activities. While Google has implemented various measures to address the threat, dorking remains a widely used cybercriminal technique, posing a significant risk to organizations that have yet to properly secure their systems.
Sensitive defense industry information is prized among cybercriminals, and Cybersixgill recently observed a member of an established underground forum selling data belonging to the American military and an intergovernmental military alliance. The forum member, whose alias references Google dorking, claimed the sensitive data would be sold to one buyer only, directing potential customers to reach out in private messages for further details. In several replies, forum members complained that the advertiser's inbox was full, asking for alternate contact information.
Figure 1: Sensitive U.S. military-related data advertised on a cybercrime forum
In another post on the forum, Cybersixgill observed a member with a low reputation score leaking an Italian online nutrition store’s database, stolen during a data breach. According to the forum member, Google dorking helped the threat actor hack the site and leverage the victim’s server misconfigurations. Cybersixgill analyzed the threat actor’s other posts on the forum, which revealed frequent use of Google dorking to steal victims’ databases.
Figure 2: Forum post crediting Google dorking as a primary method to steal databases
Finally, Cybersixgill collected the following post from another cybercrime forum, in which a Russian-speaking member with a good reputation score shared Google dorking instructions on how to access vulnerable resources, such as credentials, FTP servers, Secure Shell⁴ (SSH) private keys, and more. Specifically, the forum member shared a Google dork query for discovering corporate email lists contained in exposed Excel files, including a screenshot of the query’s results. These email addresses could subsequently be misused for spearphishing campaigns and other forms of fraud. In addition, the forum member shared a query enabling threat actors to access web pages of live unsecured surveillance cameras, attaching related screenshots as proof. Malicious actors could access these surveillance cameras to gather strategic intelligence on targeted entities.
Figure 3: A cybercrime forum member shares Google dorking queries to spot unprotected data
Inadequate security hygiene can lead to the exposure of sensitive resources and information online, which can have severe consequences for affected organizations and related entities. Indeed, malicious actors could have accessed the unprotected U.S. military-related email server, reaching sensitive information valuable for spearphishing schemes or strategic intelligence that could benefit enemy states and cybercriminals alike.
Using relatively simple methods such as Google dorking, malicious actors can identify and abuse vulnerable resources in attacks. With this technique in mind, website and system administrators must take the necessary steps to secure corporate systems against potential attacks. This includes implementing strong security protocols and policies to protect against the exposure of corporate data online, and regularly performing vulnerability scans to proactively detect and quickly mitigate any flaws in corporate software and the valuable information it holds.
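As an added example that is not part of the original post, the following Python audit implements the kind of self-check the paragraph above recommends: it reviews unauthenticated probes of an organization's own restricted endpoints for the two conditions the article describes, content served without a password and data files a search engine could index. The hostnames, paths and HTTP responses are constructed sample data, not anything from the page.

```python
# Added example, not code from the original post; all hosts and responses are constructed.
from dataclasses import dataclass, field

# Downloadable data formats the article describes being found through search queries.
SENSITIVE_EXTENSIONS = (".xls", ".xlsx", ".csv", ".sql", ".pem", ".key", ".bak")


@dataclass
class Probe:
    """Result of one unauthenticated HTTP request to a path that should require login."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def assess(probe):
    """Return findings for one probe; an empty list means the endpoint is protected."""
    findings = []
    path = probe.url.split("?", 1)[0].lower()
    hdrs = {k.lower(): v.lower() for k, v in probe.headers.items()}
    if probe.status == 200:
        # Anonymous client received content: the misconfiguration behind the exposed mail server.
        findings.append("restricted path served without authentication")
        if path.endswith(SENSITIVE_EXTENSIONS):
            findings.append("downloadable data file (discoverable by file-type search)")
        if "noindex" not in hdrs.get("x-robots-tag", ""):
            findings.append("no X-Robots-Tag: noindex, so search engines may index it")
    elif probe.status in (401, 403):
        pass  # Authentication challenge or refusal: the expected outcome.
    elif 300 <= probe.status < 400 and "login" in hdrs.get("location", ""):
        pass  # Redirect to a login page: also acceptable.
    else:
        findings.append(f"unexpected status {probe.status}; review manually")
    return findings


def audit(probes):
    """Map each exposed URL to its findings, omitting endpoints that passed."""
    return {p.url: assess(p) for p in probes if assess(p)}


# Constructed sample probes against hosts the defender owns (.test is a reserved TLD).
SAMPLE_PROBES = [
    Probe("https://mail.example.test/owa/", 200, {"Content-Type": "text/html"}),
    Probe("https://files.example.test/exports/staff-emails.xlsx", 200,
          {"Content-Type": "application/vnd.ms-excel"}),
    Probe("https://mail.example.test/admin/", 401, {"WWW-Authenticate": "Basic"}),
    Probe("https://cam.example.test/view/index.shtml", 302, {"Location": "/login"}),
]
```

Running `audit(SAMPLE_PROBES)` flags the two endpoints that answer anonymous requests with content and passes the two that challenge or redirect to a login page.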
Cybersixgill automatically aggregates data leaks and alerts customers in real time.
¹ Microsoft Azure, often referred to as Azure, is a cloud computing platform operated by Microsoft that provides access to, management of, and development of applications and services via data centers distributed around the world.
² The in-depth SF-86 questionnaire is used to identify employment applicants who pose security risks. It gathers information about individuals’ backgrounds, employment, and personal lives.
³ While Google dorking can be used for legitimate purposes, such as research and testing, attackers often employ it in the reconnaissance phase, prior to gaining unauthorized access to systems and stealing sensitive information.
⁴ SSH is a network communication protocol that enables two computers to share data and communicate (cf. HTTP, or Hypertext Transfer Protocol, which is used to transfer hypertext, such as web pages).