As organizations increase the number of their internet-facing devices and systems, their exposure to cyberattacks increases accordingly. Chief among these potential exposures are the various server protocols that allow internet-connected devices and processes to communicate with each other. These include proxy and communication servers, network management servers, database servers, email and authentication servers, and more.
To address this potential exposure, the current release of Cortex Xpanse Attack Surface Management can discover 60 additional servers and identify where they are being used within your organization. The servers can generally be grouped into categories based on their functionality and potential risks:
- Proxy and Communication Servers including Apple Remote Desktop (ARD), BitTorrent DHT, BitTorrent, BitTorrent UDP Tracker, Citrix ICA, constrained application protocol (CoAP), internet content adaptation protocol (ICAP), IRC, routing information protocol (RIP), SOCKS4, SOCKS5, Skinny, TeamSpeak, Tor Control, WS-Discovery, and XDMCP. These servers provide communication or proxy services to clients. Exposing these servers could allow attackers to intercept communication or use them as a proxy for malicious activities.
- Network Management Servers including ASF-RMCP, Erlang Port Mapper Daemon (EPMD), Firewall-1 SecuRemote Topology, MikroTik Bandwidth, PC WORX, Ubiquiti Discovery, and WDBRPC. These servers provide network management services, allowing administrators to monitor or manage network devices. Exposing these servers could allow attackers to manipulate network settings, leading to network slowdowns or downtime.
- Database Servers including DB2, Firebird, Neo4j Bolt, and RethinkDB. These servers provide database management services, allowing users to store and retrieve data. Exposing these servers could allow attackers to access or modify sensitive database content.
- Email and Authentication Servers including Ident, Pop3Pw, Radius, and Sieve. These servers provide email or authentication services to clients. Exposing these servers could allow attackers to obtain user credentials or access sensitive email content.
- Miscellaneous Servers including Beanstalkd, Bitcoin, CHARGEN, Cisco IP SLA, CmRcService, DICOM, DICT, DigiADDP, ElF.exe, HPPjl, IEC60870-5-104, MSRPC, Monero P2P, Mumble Server, Netis Server, Omron FINS, PCP, ProConOS, QOTD, Reverse SSL, RocketMQ Broker, Sentinel RMS License Manager, StatsD, svnserve, Terraria, TP-Link Smart Home, Zebra Server, and ZooKeeper. These servers provide a wide range of specialized services, including remote procedure calls, encryption, printing, voice communication, and image management. Exposing these servers could allow attackers to execute code, intercept communication, or gain unauthorized access to applications.
Some examples of attacks that have used these protocols include:
- In July 2024, a newly discovered vulnerability of the Radius Server protocol, cataloged as CVE-2024-3596, allowed attackers to forge authentication responses, enabling meddler-in-the-middle (MitM) attacks. [Source 1, Source 2]
- In 2018, a variant of the Mirai malware dubbed “OMG” exploited the SOCKS protocol to target vulnerable IoT devices and turn them into proxy servers. [Source]
- In 2017, a vulnerability in Firebird SQL Server allowed remote attackers to execute arbitrary code. [Source 1, Source 2]
- In 2023, various versions of ShellBot malware leveraged the IRC protocol to create DDoS attack bots. [Source 1, Source 2]
- The CharGEN Server protocol has been exploited multiple times for amplification attacks and DDoS attacks. [Source 1, Source 2]
Advance discovery of these servers is critical because it allows your organization to quickly respond to vulnerabilities or attacks that target one or more of these server protocols. Securing your use of server protocols is a crucial component in protecting against various types of cyberattacks. While no system can be completely secure, having a robust cybersecurity infrastructure in place that includes the discovery of these protocols can significantly reduce your exposure to a potential attack.
By regularly scanning all 65,000 ports across all IPv4 addresses, Xpanse is able to provide an unparalleled assessment of potential attack surface risks. This expanded coverage ensures that even non-standard ports, often targeted by attackers, are now closely monitored.
To learn more, visit Cortex Xpanse.