Censys Search in Action
1. Uncovering a Spyware Network
Researchers from the University of Toronto’s Citizen Lab used Censys Search to understand a spyware network that was used to target human rights workers, journalists, and activists. Citizen Lab is a research institute that often investigates the technical practices used to target activists and journalists. As part of this ongoing effort, Citizen Lab set its sights on Candiru, a private-sector offensive actor known for selling spyware that can be installed on Apple, Windows, or Android devices. Citizen Lab’s goal was to understand Candiru’s global footprint by mapping out its command and control infrastructure, including IPs, domains, and certificates.
Citizen Lab first used Censys Search to find a self-signed certificate associated with Candiru. The team knew to search for a specific domain, “candirusecurity[.]com”, because they had found a 2015 corporate registration filing associated with Candiru that included an email address on the same domain: “amitn@candirusecurity[.]com.” The certificate finding was significant because it gave the team a pivot point: using Censys Search’s historical lookback capability, they identified IP addresses that had historically presented that certificate. The team then iterated between IPv4 hosts and certificates, surfacing certificates for over 750 websites that Candiru spyware infrastructure was impersonating.
Citizen Lab was also able to use Censys to find an IP address belonging to a victim of the spyware. After finding the victim and recovering the spyware sample, Citizen Lab passed the sample to Microsoft. Microsoft then used the sample to identify two previously undisclosed privilege escalation vulnerabilities exploited by Candiru’s malware, and to identify more than 100 other human rights defenders, journalists, activists, and politicians who were targeted by Candiru’s spyware.
When recounting this threat hunting investigation, Citizen Lab’s research fellow Bill Marczak underscored the role that Censys played:
“The powerful search functionality and extensive historical data made Censys great to use for attribution. Censys is used in almost every investigation we do.” – Bill Marczak, Citizen Lab
2. Discovering a Russian Ransomware C2 Network
Censys researchers used Censys Search to uncover credible evidence of a Russian ransomware C2 network. As part of a broad threat hunting investigation, the Censys Research Team generated a report of the top 1,000 software products currently observable across the more than 7.4 million hosts that Censys could see in Russia. Nine of these hosts were running the Metasploit exploitation framework, which the team identified using the query: location.country="Russia" and services.software.product="Metasploit". Because Metasploit is also used by many legitimate penetration testing teams, its presence alone is not an indicator of compromise, so Censys investigated the nine hosts for other signs of malicious activity. In doing so, they came across one host (which the team called Host A) running the Deimos C2 framework. As that was only one host, they kept digging.
The team identified another host (Host F) presenting a PoshC2 certificate, and it was this discovery that led to an HTTP response serving a malware kit. Using historical analysis, the team determined that the malware kit had been attached to a domain associated with the MedusaLocker group, which CISA has identified as a known ransomware group. With further evidence of callbacks to a bitcoin wallet, the Censys research team was able to determine with reasonable confidence that Host F was indeed part of a ransomware C2 network.
As for Host A, the team went on to locate a host in Ohio that also ran the Deimos C2 framework found on Host A. Leveraging historical analysis once again, they discovered that the Ohio host carried a malware package with software similarities to the Russian ransomware host running PoshC2.
Find more details about how Censys uncovered the C2 ransomware network, including the specific Censys Search queries that were used, in our full research report.
3. Understanding the Threat Landscape with Mission Critical Intelligence
Censys Search is used by a number of public-sector organizations, including governments from around the world, who are responsible for carrying out mission-critical work. We recently spoke with one of our public sector customers, a top U.S. government agency, about how they use Censys. The agency shared that they sought out Censys because they needed to achieve a more comprehensive view of their threat landscape. Their existing intelligence sources didn’t provide the granularity or the context needed to effectively track critical risk activity. As a result, the agency had trouble gaining a strategic, tactical, and operational understanding of their threat landscape, which created opportunities for threats to go unchecked and which increased risks for sensitive systems and networks.
Since accessing Censys internet intelligence through Censys Search, the agency has been able to identify threats more proactively, ensure resilience with fresh data, and automate formerly manual processes. Specifically, the agency says that Censys Search has been an essential source of current and historical information, enabling them to track infrastructure both proactively and retroactively. The insights that Censys Search provides have also given the agency more confidence in its ability to accurately detect malicious indicators, which allows its teams to identify threats early and take appropriate network defense countermeasures.
You can learn more about how this top government agency uses Censys Search in the full case study.
4. Identifying Exposed IoT Devices
In addition to serving as a valuable tool for understanding the global threat landscape and conducting threat hunting investigations, Censys Search can also be used by cybersecurity teams to identify vulnerabilities and exposures. For example, an organization can use Censys Search to ask: do we have any internet-connected devices that we aren’t aware of? Any internet-connected device can serve as an entry point to a network if left unsecured.
The Censys Research Team explored this question themselves by using Censys Search to discover internet-connected printers. The team queried Censys’s view of the entire IPv4 space for hosts running the Internet Printing Protocol (IPP) using the query services.service_name="IPP". They found over 270,000 Censys-visible printers connected to the internet. They were also able to see where those printers were located by adding the location.country field to their query results.
From there, the team could look at printers associated with specific organizations by adding a CIDR block or a range of IP addresses to the query. You can determine whether your organization has printers that Censys can see by running services.service_name="IPP" AND ip:184.108.40.206/16 or services.service_name="IPP" AND ip:[220.127.116.11 TO 18.104.22.168], substituting your own CIDR block or address range for the example values.
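The following is an added example, not Censys’s own code, of how a team might turn the printer queries above (and the country-plus-software query from the ransomware section) into a repeatable exposure check. The host records are constructed by hand to approximate the shape of Censys host results (ip, location.country, services[].service_name, services[].port); the CIDR blocks are placeholders for an organization’s own address space. Scoping the query by CIDR keeps the result set small, and re-checking membership locally means the same logic works on exported results, where the ip filter may not have been applied.

```python
"""Added example (not Censys' own code): build the Censys Search queries used on
this page and run a local exposure check over the results.

Assumptions: SAMPLE_HOSTS is constructed to mimic the shape of Censys host
records; the CIDR blocks in the usage section are placeholders for an
organization's own ranges. With the official censys-python client the same
query can be fetched live (API credentials required), e.g.:
    from censys.search import CensysHosts
    pages = CensysHosts().search(build_ipp_query(my_cidrs), pages=2)
    hosts = [h for page in pages for h in page]
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample records (RFC 5737 documentation addresses), not real scan data.
SAMPLE_HOSTS: List[dict] = [
    {"ip": "192.0.2.10", "location": {"country": "United States"},
     "services": [{"port": 631, "service_name": "IPP"},
                  {"port": 80, "service_name": "HTTP"}]},
    {"ip": "192.0.2.250", "location": {"country": "United States"},
     "services": [{"port": 22, "service_name": "SSH"}]},
    {"ip": "198.51.100.7", "location": {"country": "Germany"},
     "services": [{"port": 631, "service_name": "IPP"}]},
    {"ip": "203.0.113.5", "location": {"country": "Brazil"},
     "services": [{"port": 9100, "service_name": "IPP"},
                  {"port": 631, "service_name": "IPP"}]},
]


def build_ipp_query(cidrs: Iterable[str]) -> str:
    """Return the page's IPP query scoped to one or more CIDR blocks, e.g.
    services.service_name="IPP" AND (ip:192.0.2.0/24 OR ip:198.51.100.0/24).
    ip_network(strict=False) normalises host bits so a typo such as
    192.0.2.7/24 still yields 192.0.2.0/24."""
    nets = [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]
    if not nets:
        raise ValueError("at least one CIDR block is required")
    scope = " OR ".join(f"ip:{n}" for n in nets)
    return f'services.service_name="IPP" AND ({scope})'


def build_country_software_query(country: str, product: str) -> str:
    """Return the country + software query form used in the ransomware
    investigation, e.g. location.country="Russia" and
    services.software.product="Metasploit"."""
    return f'location.country="{country}" and services.software.product="{product}"'


def exposed_printers(hosts: Iterable[dict], cidrs: Iterable[str]) -> List[dict]:
    """Return hosts inside the given CIDR blocks that expose at least one IPP
    service. Membership is re-checked locally so the function also works on
    exported result sets that were not scoped with an ip: filter."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    found = []
    for host in hosts:
        addr = ipaddress.ip_address(host["ip"])
        if not any(addr in net for net in nets):
            continue  # not our address space; ignore
        ipp_ports = sorted(
            svc["port"] for svc in host.get("services", [])
            if svc.get("service_name") == "IPP"
        )
        if ipp_ports:
            found.append({
                "ip": host["ip"],
                "country": host.get("location", {}).get("country"),
                "ipp_ports": ipp_ports,
            })
    return found


def ipp_hosts_by_country(hosts: Iterable[dict]) -> Dict[str, int]:
    """Count hosts that expose IPP, grouped by location.country; this mirrors
    adding the location.country field to the page's query results."""
    counts: Counter = Counter()
    for host in hosts:
        if any(s.get("service_name") == "IPP" for s in host.get("services", [])):
            counts[host.get("location", {}).get("country", "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    my_cidrs = ["192.0.2.0/24"]  # placeholder for your organization's ranges
    print(build_ipp_query(my_cidrs))
    for entry in exposed_printers(SAMPLE_HOSTS, my_cidrs):
        print(f"exposed printer: {entry['ip']} ({entry['country']}) ports {entry['ipp_ports']}")
    print(ipp_hosts_by_country(SAMPLE_HOSTS))
```

Against the constructed records, scoping to 192.0.2.0/24 flags only 192.0.2.10 on port 631; the SSH-only host in the same block and the IPP hosts outside it are ignored.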
Check out the research article for more information on how our team used Censys Search to view these IoT devices.
Interested in learning more about how your team can take advantage of Censys Search? We’d love to chat. Visit our contact us page or request a demo to start a conversation!