In Episode 2 of Censys ARC Flash, Principal Security Researcher Silas Cutler and VP of Research, Security and IT Michael Schwartz discuss recent Iran-linked targeting of critical infrastructure, exposed industrial control systems (ICS), the cPanel/WHM CVE, and Internet-exposed MCP infrastructure.
Silas:
I’m Silas Cutler. I’m part of the Censys ARC team. I’m joined this week by Michael Schwartz, who is the VP for ARC Security and IT, so this is episode two. As we stated before, this is a bi-weekly, now monthly (and potentially next month a different structure) as we explore the wild world of the Internet. So this week, we’ve got three topics on deck. We’re gonna talk briefly about Michael’s SANS ICS talk where he looked at ATGs and their Internet exposure, we’re diving a little bit into the cPanel WHM exploitation that we talked about in a recent rapid response report, and then wrapping up with MCP research.
Michael:
Fantastic.
Silas:
So let’s kick it off.
Michael:
Yeah, let’s kick it off. I had a little talk at this SANS ICS summit. It was part of — I guess it’s the open part of the summit. I think it’s going on throughout the week as well. And this all stemmed from some research that I was assisting Ariana Mirian with last year, and we were doing a larger sort of gas utility report. And we were looking at the ATG protocol. So it’s automatic tank gauging. It’s an old protocol. I think it was created by Veeder Root back in the like mid ’80s. And it was in response to the EPA producing new rules. It says you need to monitor for underground storage tank leakage. And so the protocol was developed, but the system was developed with modems in mind. There’s no authentication or anything like that. So today, fast forward to: these things are now on the Internet. And it’s interesting — when our protocol scanner hits it, it just goes like, “here’s everything that you need.” And it’s basically the name of the fueling station, the address, if it’s programmed in there, and the amount of fuel in tanks or something in tanks with the amount of water that’s in there and the temperature, et cetera. So it’s a bunch of information, but generally like it’s sort of like, who cares? Like, I don’t care.
What if someone comes by and modifies it? It’s like, I don’t know, for a single gas station — not a big deal. And I was thinking about this for a while because I’ve also seen — what I saw a year ago was ATG in combination with other services that was really interesting to me. Specifically Hikvision cameras and DVRs, exposed to the Internet. And these were all new fueling stations that I’ve driven past on the interstate. So it’s like I know where they are, and these are brand new. So this must be a vendor that’s deploying them this way. And if they’re deploying this way, and sometimes in default configured states, it’s like, I bet you these are connected to internal networks, right? One singular network. And I was like, that’s gonna be a problem. So this research was an extension of that. I got an opportunity to look at this data set again. And it was relevant because of recent reporting from CNN talking about how Iranian threat actors are targeting ATG to modify things. I was like, that’s not the biggest risk. The biggest risk is everything around it that can be compromised. It’s not the ATG, it’s the cradle points, you know, it’s the unsecured serial to Ethernet devices that are just sitting there waiting to be exploited. But then again, it’s like we only see 4,000 of them. And I think there’s around 123,000 fueling stations, convenience stores slash fueling stations in the United States. Well, four thousand is insignificant, in that totality. So it’s like, what else is going on?
Silas:
Interesting. Did you notice that by brand, because you said some of the newer sites that were coming up…
Michael:
Yeah, so there’s definitely some clusters in the analysis where I saw specific truck stops that were configured in certain ways. So I wanted to see if I could do a clustering analysis to see if they had, you know, the same port protocol distribution over the same Internet provider. So a lot of Verizon LTE, which becomes really difficult with attribution. But in this particular case with ATG giving me addresses and names of fueling stations, I can then say, like, well, this cluster, this deployment belongs to this company. And this company either themselves or had a third party do the integration. Which was super cool, because usually we can’t do that. We just see Verizon LTE device and some ICS protocol, and you’re kind of like, I don’t know, it’s got an HMI on it.
Silas:
Yep. Yeah, Himaja and Emily talked about it last episode because they were also running into the same problem with these LTE devices.
Michael:
So it’s one of the few times where we have some data to say, yeah, it belongs to you. And then in another case, there is a particular ASN, Cybera C-Y-B-E-R-A, that I saw. And when I Google searched it, it was like, this is a Canadian marketing company. I don’t know. I don’t think so. It doesn’t make sense. Went to Hurricane Electric Looking Glass, just inspected the ASN a bit more. And on the WHOIS, there was a WHOIS for PDI Technologies, petroleum MSSP.
And so they provide the full suite of services. Like we’ll set up everything for you, even do the cybersecurity for you as well. And they have their own ASN. So this helped a lot as well, because then when you see ATG on Cybera, you’re like, okay, that is a particular fueling station, but then that’s now managed by Cybera. Which I found interesting — I didn’t know that there was petroleum MSSPs to sort of give you the whole kit and caboodle.
But I’m still left here going, like, where’s the other 120,000 stations? Are they doing something — well, they have to be doing something different — but it’s like, do they have a different system that’s not ATG anymore? ATG may be old — or are they still on modem? We don’t see them? Or are they still doing — are they on some AWS thing where it’s like, yeah, it’s a push model where they’re just doing a push up to some cloud resource, et cetera?
Silas:
Yeah, I wonder if the ATG model of what we see now is almost like the self hosted equivalent to some third party service where they’re pushing all the data up.
Michael:
Yeah. So, interesting overall again, like the four thousand exposed and with Iranian threat actors running around trying to tweak things. It was like, in my assessment, I don’t think it’s a critical risk. The more critical risk is all the other unsecure services running around it, that it’s like, those are more of a problem. We need to go look at those because I’ve seen them in a deployed state unconfigured, unpatched.
Silas:
Yeah, I mean especially with ATGs, I wonder how much of that — ’cause I’ve seen some things from the Iranian actors in the past where they’ve gone after like Redis or MQTT and pushed values through those pipelines trying to override values, but they get reset by the actual systems behind it being like, oh, here’s the new updated number…
Michael:
Yeah. I was saying, there was I think roughly seventy service — seventy hosts running TFTP. Just waiting for files. So I don’t know if it’s just wait, if that’s a way to update firmware on these systems, or that’s just a way that log files are exchanged. But it’s, you know, the stuff’s in there, all unauthenticated. So fantastic.
Silas:
Classic.
Michael:
All right, let’s — you mentioned cPanel WHM. Let’s talk a little bit about that. There was the critical pre auth bypass in that. Why is this so important in today’s world?
Silas:
Yeah, so this was an interesting vulnerability. So, this wasn’t one of the rapid response. I wasn’t working on this rapid response, but I spent a lot of time tracking this pretty closely because what was really interesting to see is this was one of the first vulnerabilities that I was really involved in that I saw active, like, the heavy reliance on AI for a lot of the secondary development pathways. So it was looking at not only just cPanel, but let’s dive further into this. Let’s see what additional ways that we can move around the existing patches were coming out.
It was also interesting just watching sort of the clock roll forward as the vulnerability started to be disclosed because, like, people had heard that there was something going on — because I think it was like early-midweek when we first started looking at it — but then on Friday afternoon, I know it was like Mark and myself that were going pretty heavily trying to see what the actual impact of it was. And I remember when he tagged into the chat that he’d seen a whole bunch of hosts that had, you know, had an open web directory and then like, later that day, all of a sudden all the files had been replaced by matching files of identical names, but with a .sorry extension at the end. So someone had pretty rapidly weaponized this into using it for more ransomware operation. And I remember I Google searched .sorry just trying to find out any information because I’ve seen it a couple of times as an extension, but file extensions aren’t fantastic for attribution with ransomware. And it was a wall of victim sites that had been hit by this ransomware, like in the hours after the vulnerability had come out.
Michael:
And for all of those on the call, cPanel is important because it does what?
Silas:
Yeah, so cPanel is like a server admin tool. Like, it’s designed for — my perspective is it was designed for people who needed to administer a server but didn’t want to SSH into it and edit config files manually. So it allows you to essentially run a Linux server from DNS all the way up to web services, through a web interface. You could turn on email services through cPanel, and it gives you that kind of like, full server management experience. There’s also WHM, the web hosting manager, which is like an add-on service. So if you’re actually running a hosting company, you can use WHM to serve and allow people to purchase and resell the service as well. So you see it used at a number of different hosting companies, especially hosting companies that have been around for, you know, 10 plus years. WHM was the standard for what folks use. So there’s a lot of sensitive infrastructure behind it and it’s a big attack area.
Michael:
I checked the numbers yesterday. We have fingerprinted 4.6 million instances of cPanel and 1 million of WHM. Just to give you some scale of how much is out there.
Silas:
It is huge.
Michael:
It is relatively big.
Silas:
Yeah. And I mean, secondarily to this, like I think one of the things that definitely was concerning about this as well and will continue to be is the, like, this is a big target surface on the Internet and seeing people recognize the “okay, you know, there’s fifty other bug hunters that I’m talking to that are also all going after cPanel. I’m gonna start looking at what are the adjacent pieces of software.” So I think we’re gonna see a summer more of these types of — not legacy software, but at the intersection of legacy and critical — continue through the summer.
Michael:
You mentioned one thing and I wanna hit on this thing before we move on to the next one because I think they’re related a bit. You talked about AI development pathways that you were observing. Can you detail that a little bit more?
Silas:
Yeah, so I’ve had this with some of the vuln research that I’ve done on like, malware panels where like, there are certain parts we’re all focusing on. So for example, with cPanel, this was tied into the actual authentication workflow for logging into the administrator panel. I think there was also like an API component as well for it, where there were some other areas, but branching off that entirely, but saying, “I’m not gonna focus on the authentication side, I’m gonna focus on how services are deployed and look for potential vulnerabilities in there, like that side of the application” — that’s where I saw a lot of the bug bounty folks and just bug hunters in general kind of crushing against cPanel like a wall and looking for any accessible surface that wasn’t being looked at. So hopefully it turns into a really good security audit for them and the stuff gets patched.
Michael:
Yeah. But with the continuous release of more advanced models going out and evaluating a lot of these open source frameworks or these toolings that, hey, if you have four point six million examples of them, it’s pretty dang easy now with the right harnesses. Not even the right harnesses, so you could just point and click.
Silas:
Yep. I think though, like, as the software goes through these cycles — ’cause I’ve been looking pretty heavily at Sliver the past few days — it seems like everyone has taken a swing at Sliver at least once at this point, and it is fairly well hardened. And there was one memory corruption bug that I was like testing and poking at a little bit to see. And no matter how hard I tried, it would crash a single local thread, but as software goes through the cycles of these things, we’re gonna see more secure software in the end.
Michael:
Yeah. Fantastic. What’s next on the agenda?
Silas:
Last one is MCP research. Yeah, so Mark put out this report — was it last week he put out this report? The twenty seventh.
Michael:
Yeah. So yeah, a few weeks ago now.
Silas:
Yeah, so really cool highlight of this was from our scanning we identified 12,520 Internet accessible MCP services across 8,758 unique IP addresses. This was super cool to see because the last time that I’d seen really good research about what the state of MCP deployments looked like — actually came from the team over at Knostic with Gadi and that crew. And they did that research back in 2025. And I think their numbers at the time — Let me pull those up.
Michael:
We have notes here about 1,800 servers.
Silas:
Yeah, 1,800. So already we’ve seen like a, you know, from 1,800 to 11,000 — that’s incredible growth.
Michael:
Well, if you go — I think Mark specifically closed this out in the blog, like his numbers are from mid April, too, of like right around when we deployed the new scanner from MCP. Insane. I looked yesterday, I gotta update these numbers, and I think we’re gonna have a little bit of a problem with honeypots here and our honeypot detection. But now it’s like two million.
And so it’s like is that right? Is it not right? So there are some honeypots now being stood up to mimic MCP.
Silas:
I mean, though the thing is there’s still a lot of software. And it’ll be curious to see how the honeypot deployment grows on this. Cause like, if you look at something like Glastopf — it’s a honeypot I used for years. Those honeypots are hard to detect because they generate such a variety of data, but you can detect them because you’ll see like five different server headers and things like that where it’s like, there’s not enough content overlap.
If you have something like an agent analyzing the actual structure of the MCPs that are coming back, that might be an interesting way to combat some of those honeypots. But it looks like already, just from what we’re seeing, I see LangGraph is pretty heavy on the list of the top ten MCP server names. So there is at least a lot of legitimate software that we’re able to map to known MCP software.
Michael:
Yeah, I think what’s fascinating here is that the MCPs grow. I’m assuming they’re just gonna grow almost exponentially as more AI tools are produced and leveraged throughout the world. What’s fascinating to me is how MCP servers are either built in or being leveraged by offensive tooling. And so if you think about, you know, Kali Linux having an MCP server, where a skilled operator can have a multitude of Kali MCP servers deployed across DPSs. Now that’s little robot armies. And so attacks start looking a little bit crazier when you have one person that can now orchestrate, you know, 20 skilled operators on a target. It sounds a bit terrifying. I know we’ve seen some examples of this in the wild in open web directories, and I’m concerned it’s going to start gaining traction.
Silas:
I mean it’ll be interesting also when you can start measuring attacks and see a period of like, all of a sudden you see a spike of scanning and then everything drops off and then resumes at a five hour interval later as someone’s quota resets.
Michael:
Yeah. That’s also true. Although there’s with, flying around with the new model that came out yesterday. I forgot what it’s called.
Silas:
Fable Five.
Michael:
Fable Five. It looks like some of the licensing is gonna change where it’s like, yeah, you’ll get that, you know, free on this tier until sometime next week and then it’s going to all API consumption. But open source models — I believe the last data points that I saw — are trailing Frontier models by four months. And so, yeah, all bets are off, sort of, now that, you know, open source models, not that far behind. Four months is nothing before this technology is in anyone’s hands, and you can run it on — you could either say consumer hardware or stuff you can go buy yourself, or you can go rent GPU time like, pretty cheap these days and fire up one of these larger models to do some nasty work.
Silas:
It’s going to be a continual challenge. And I think that the open models are winning the game right now.
Michael:
Yeah.
Fantastic. I think that’s all we have today. We want to do a quick shout out: the recent blog post, the Ultimate Guide to Detection Engineering with Censys. This is from Alex Gartner. Fantastic resource if you want to get started with utilizing Censys data, in your detection and response process. We have a lot of experience, Silas and myself, in using the data that way, and this is an incredible guide to get you started.
Yeah, appreciate everyone showing up today. The next episode is on July 8th. I know after that week is FS-ISAC Singapore, and we’ll have one of our researchers, Himaja, who was on the last Flash, out there presenting some of her bulletproof host research at FS-ISAC in Singapore.