Cyble-Misconfigured-Network-Monitoring-Tool-Analysis

Misconfigured tool allows hackers insight into complete IT networks

Exposed Network Monitor Tool increases the risk of intrusion

Networks are the foundation of all enterprises globally. They are critical in supporting staff and clients across continents for administrative considerations. Networks enable organizations to consolidate their information and make it available only to those who require it.

So, how do you maintain a rapidly evolving network while providing a consistent, high-quality end-user experience? The optimal solution here is to use dependable Network Monitoring Solutions to track your networks’ availability, health, and performance over time.

When purchasing a network monitoring tool for your IT environment, it is critical to consider both your present and future demands, because there are numerous tools to choose from and selecting the right one matters. Some of the fundamental components of a network monitoring tool are:

  • Real-time monitoring
  • Comprehensive monitoring capabilities
  • Scalability
  • Automation
  • User Management

As numerous public and private organizations use network monitoring tools, the danger of supply chain attacks has never been greater due to new forms of attacks, increasing public knowledge of the hazards, and enhanced regulatory control. Meanwhile, attackers have more resources and tools than ever before, resulting in a perfect storm. 

For example, a hacker group gained access to computer systems belonging to multiple US government departments, including the Treasury and Commerce departments. The attack involved hackers breaching the infrastructure of SolarWinds. This company produces Orion – a network and application monitoring platform. The hacker group then proceeded to weaponize Orion to distribute trojanized updates to the software’s users.

While performing our routine investigation, Cyble Research Labs came across over 20,000 exposed instances of PRTG Network Monitor Solutions.

PRTG is a comprehensive network monitoring tool for Windows-based computers. It is suitable for networks of all sizes and capable of LAN, WAN, WLAN, and VPN monitoring. Organizations can also monitor real or virtual web, mail, file servers, Linux systems, Windows clients, routers, and various other devices.

Figure 1 shows the monitoring capabilities of PRTG.

Figure 1 – Monitoring Capabilities of PRTG

PRTG monitors network availability, bandwidth utilization, and other network characteristics like QoS, memory load, and CPU usage, even on remote computers. PRTG gives real-time readings and periodic use trends to system administrators to enhance the efficiency, layout, and configuration of leased lines, routers, firewalls, servers, and other network components.

The chart below shows the top 10 countries with exposed PRTG Network Monitor solutions.

Figure 2 – Top 10 countries with Exposed PRTG Network Monitor

As per our analysis, the United States has the highest number of exposed assets. A significant amount of exposure has also been observed in European countries, as shown below.

Figure 3 – Exposed assets in the US and Europe

Analysis

Over the course of our analysis, multiple exposed PRTG Network Monitor Solutions were discovered, and a fair number of them were still operating with the default passwords.

We also observed that both public and private organizations such as Government Ministries, Power & Energy organizations, private banks, and hospitals are currently using the product.

PRTG can monitor almost any object that has an IP address. It consists of the PRTG core server and one or more probes:

  • The PRTG core server is responsible for configuration, data management, PRTG web server, and more.
  • Probes collect data and monitor processes on devices via sensors.

Sensors are the building blocks of PRTG. A sensor can tell you about one or more aspects of a device:

  • Uptime
  • Load
  • Interface throughput
  • Bandwidth usage
  • Loading times
  • Speed
  • Hardware status
  • Temperature
  • Quality
  • Resource consumption
  • User counts
  • Record counts
  • Log events
  • Database requests

An attacker gaining access to the PRTG Network monitor can access the complete monitoring setup performed by the Network Administrator, as shown in Figure 4. This allows attackers to know the number of sensors deployed within the environment.

Figure 4 – Overview of Monitoring

Even though notifications pop up while logging into the PRTG Network Monitor with default passwords, operators typically ignore these notifications. We observed this from the PRTG Network Monitors using default credentials, as shown in Figure 5.

Figure 5 – Security Notifications

An attacker can gain access to the device tree, which showcases the IP addresses found during the scan performed by PRTG. Gaining access to this kind of information increases the attacker’s ability to customize their exploitation vector, as shown below.

Figure 6 – Device Information

An attacker can change the settings made for the network environment, as shown in Figure 7. For example, to monitor Windows clients and servers via Windows Management Instrumentation (WMI), one can enter the Windows Administrator credentials for the network by disabling the inheritance setting provided by PRTG.

Figure 7 – Settings Option

An attacker can also lock the current user out of PRTG by changing the password of the user account, as shown in Figure 8. Doing this might hinder the day-to-day operations of a critical industry or organization.

Figure 8 – PRTG System Admin Settings

An attacker gaining access to the PRTG Dashboard can also change the settings of the scanning intervals set by the network admin, impacting log generation from the sensors. An attacker can also change settings to “do not log unusual events,” allowing intruders to hide their presence in the network, as shown in Figure 9.

Figure 9 – Scanning Interval Settings

An attacker can also gain persistence on the PRTG by adding an unknown user from the System Admin Settings, as shown below.

Figure 10 – Adding User Account

An attacker gaining access to the PRTG dashboard can raise false tickets and manipulate the ToDo list, resulting in chaos among the network and system admins, as shown in Figure 11.

Figure 11 – ToDo List

Impact

  • Attackers gaining insights into devices and the network infrastructure can launch more precise attacks on the organization.
  • Organizations can lose visibility of assets due to the manipulation performed by an attacker on the PRTG Network Monitoring solution.
  • As PRTG Network Monitoring Solution is also used by critical sectors and organizations dealing with Operational Technology (OT), a successful attack on this system can start a chain of events in the IT and OT environment.
  • Organizations using outdated PRTG Network monitors can suffer from cross-site scripting, DDoS, or Remote Code Execution (RCE).
  • Sensitive information like the details of user accounts, sensors, SMTP delivery details, proxy details, etc., can be leaked by an attacker.
  • Attackers can create anonymous user accounts and sell the credentials for the same on the dark web.
  • Manipulating the PRTG core server can result in chaos among the network administrators as the attackers could restart and stop the services.
  • High risk of reputational loss for the organizations.

Conclusion

Network monitoring tools gather data in some form through active network devices, such as routers, switches, load balancers, servers, firewalls, or specialized probes, and analyze it to construct a picture of the network’s state.

Both collection and analysis are critical tasks of network monitoring tools. However, exposing them to the internet with default credentials and outdated software significantly raises the danger of infiltration for the enterprises using the product.

Thus, it is recommended that the solutions used to gain insight into organizational networks be secured as a priority.

Recommendations

  1. Limit exposure of critical assets from the internet.
  2. Update the software to the latest version, and only from trusted sources.
  3. Monitor logs for unusual activities and login attempts.
  4. Follow a strong password policy within the organization.
  5. Place critical assets of the organization behind a firewall.
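
One way to implement the log review in recommendation 3, as an added example (not code from Cyble or from the PRTG product): it flags the actions described in the Analysis section, namely logins from outside the management network, new user accounts, password changes, and changes to scanning intervals or unusual-event logging. The CSV layout, action names, account names and the 10.0.4.0/24 management subnet are assumptions constructed for this example and are not PRTG's native log format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed audit export; the columns and action names are assumptions
# for this example, NOT the native log format of PRTG.
SAMPLE_AUDIT = """\
time,source_ip,user,action,detail
2022-05-10T08:01:12,10.0.4.21,netadmin,login_ok,
2022-05-10T23:14:02,203.0.113.50,sysadmin,login_failed,
2022-05-10T23:14:09,203.0.113.50,sysadmin,login_failed,
2022-05-10T23:14:15,203.0.113.50,sysadmin,login_ok,
2022-05-10T23:16:40,203.0.113.50,sysadmin,user_created,name=support2
2022-05-10T23:17:05,203.0.113.50,sysadmin,password_changed,target=netadmin
2022-05-10T23:18:30,203.0.113.50,sysadmin,setting_changed,scanning_interval=24h
2022-05-10T23:18:55,203.0.113.50,sysadmin,setting_changed,unusual_events=do_not_log
2022-05-11T08:00:03,10.0.4.21,netadmin,login_failed,
"""

MGMT_NETS = [ipaddress.ip_network("10.0.4.0/24")]  # assumed admin subnet
SENSITIVE = {"user_created", "password_changed", "setting_changed"}
FAILED_THRESHOLD = 2  # failures from one address before a success is suspicious

def is_internal(ip):
    """True if the address belongs to a known management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def review(audit_text):
    """Return (time, reason, source_ip) tuples for events worth a human look."""
    findings, failed = [], Counter()
    for row in csv.DictReader(io.StringIO(audit_text)):
        ip, action = row["source_ip"], row["action"]
        if action == "login_failed":
            failed[ip] += 1
        elif action == "login_ok":
            if not is_internal(ip):
                findings.append((row["time"], "login from outside management network", ip))
            if failed[ip] >= FAILED_THRESHOLD:
                findings.append((row["time"], "login success after repeated failures", ip))
            failed[ip] = 0  # reset the streak once a login succeeds
        elif action in SENSITIVE:
            # Account and logging changes are always surfaced for review.
            findings.append((row["time"], f"{action}: {row['detail']}", ip))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_AUDIT):
        print(*finding, sep=" | ")
```

Forwarding these events to a system outside the monitoring server keeps the record intact even if logging settings on the server itself are changed.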

Disclaimer

All information provided in this blog is for general information and educational purposes only and for no other purpose. It is not intended and should not be construed to constitute advice of any nature whatsoever. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of independent advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. The contents, opinions, and findings rendered are subjective. Cyble reserves the right to modify the contents of this blog at any time without prior notice. Although reasonable efforts have been made to include accurate and up-to-date information herein, Cyble makes no warranties or representations of any kind as to the accuracy, correctness, currency, or completeness of all the contents stated in the blog.

The contents of the blog, any discrepancies or differences of any nature whatsoever, are not binding and have no legal effect for compliance or enforcement purposes or for any other purpose. You agree that access to and use of, and reliance in any manner on this blog, including all the contents thereof, is at your own risk. Cyble disclaims all warranties of any kind, express or implied. Neither Cyble nor any party involved in researching, creating, producing, or delivering this blog or anything related thereto shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this blog in any manner, or any errors or omissions in the content thereof.
