Full Report
When a new asset goes live, attackers start scanning within minutes. Sprocket Security shows how automated attacks move from discovery to compromise in under 24 hours. [...]
Analysis Summary
# Tool/Technique: Automated External Attack Surface Discovery & Exploitation
## Overview
Automated scanning and exploitation is the process by which threat actors utilize global infrastructure to discover, enumerate, and compromise newly exposed internet-facing assets. This technique relies on the "first 24-hour window" where automation outpaces manual security discovery, often resulting in compromise before an organization's security team is aware the asset exists.
## Technical Details
- **Type**: Technique (Active Scanning and Automated Exploitation)
- **Platform**: Cross-platform (Cloud instances, Web APIs, Databases, IoT, and Management Interfaces)
- **Capabilities**: Rapid port scanning, service banner grabbing, TLS certificate pivoting, directory brute-forcing, and credential stuffing.
- **First Seen**: Continuous; documented by Unit 42 and Sprocket Security in 2024-2026.
## MITRE ATT&CK Mapping
- **[TA0043 - Reconnaissance]**
  - [T1595 - Active Scanning]
  - [T1592 - Gather Victim Host Information]
  - [T1593 - Search Open Websites/Domains]
- **[TA0001 - Initial Access]**
  - [T1190 - Exploit Public-Facing Application]
  - [T1110.001 - Brute Force: Password Guessing]
  - [T1078 - Valid Accounts]
- **[TA0007 - Discovery]**
  - [T1046 - Network Service Discovery]
## Functionality
### Core Capabilities
- **Internet-Wide Global Scanning**: Utilizing services like Shodan and Censys to index assets within minutes of going live.
- **Banner Grabbing**: Automated collection of software versions (SSH, Web servers) to match against known CVEs.
- **Certificate Pivoting**: Analyzing TLS certificates to identify subdomains and related infrastructure.
- **Service Enumeration**: Targeting common management ports (RDP 3389, SSH 22, Admin panels 8080/8443).
### Advanced Features
- **JavaScript Bundle Analysis**: Automated scraping of public JS files to find hardcoded "shadow" API endpoints not listed in official documentation.
- **Database Probing**: Scanning for unauthenticated instances of Elasticsearch, Redis, and Postgres.
- **API Iteration**: Automated scraping of unauthenticated API endpoints using ID or parameter incrementation to dump customer/internal data.
## Indicators of Compromise
- **File Hashes**: N/A (Technique-focused)
- **File Names**: N/A
- **Registry Keys**: N/A
- **Network Indicators**:
  - Rapid, high-volume scanning traffic from known scanner IPs (e.g., GreyNoise-identified bots).
  - Unauthenticated requests to `api/customernotes/[ID]` or similar backend paths.
- **Behavioral Indicators**:
  - Spikes in failed login attempts (RDP/SSH) within 1–6 hours of asset deployment.
  - Large-scale directory traversal or brute-force requests originating from various international IP ranges.
## Associated Threat Actors
- **Botnets**: Mirai variants (targeted at IoT/Linux).
- **Initial Access Brokers (IABs)**: Groups that automate the "24-hour window" to sell access to ransomware operators.
- **General Opportunistic Scanners**: Automated scripts scanning for unauthenticated Redis/Elasticsearch instances.
## Detection Methods
- **Signature-based detection**: Identifying known automated scanner User-Agents and signatures.
- **Behavioral detection**: Monitoring for "Impossible Travel" in logins or rapid-fire 404 errors indicative of directory brute-forcing.
- **Honeytokens**: Deploying fake API keys in JS bundles to alert when scraped by automated tools.
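The following is an added example, not code from the Sprocket Security report or any of the tools it names. It runs the signature and behavioral checks listed above over a constructed access log in combined log format: known scanner User-Agents (Gobuster and DirBuster come from this page; `masscan`, `zgrab` and `nmap` are illustrative additions to the list), rapid-fire 404s from one IP as a sign of directory brute-forcing, and sequential ID iteration against the `api/customernotes/[ID]` path mentioned under the network indicators. The thresholds (five 404s in 60 seconds, a run of five consecutive IDs) are assumed values a SOC would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-server access log (combined log format); not taken from the report.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2026:08:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2026:08:00:02 +0000] "GET /old HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2026:08:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2026:08:00:03 +0000] "GET /console HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2026:08:00:03 +0000] "GET /manager HTTP/1.1" 404 153 "-" "gobuster/3.6"
198.51.100.23 - - [10/Mar/2026:08:05:10 +0000] "GET /api/customernotes/1001 HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2026:08:05:10 +0000] "GET /api/customernotes/1002 HTTP/1.1" 200 790 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2026:08:05:11 +0000] "GET /api/customernotes/1003 HTTP/1.1" 200 805 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2026:08:05:11 +0000] "GET /api/customernotes/1004 HTTP/1.1" 200 798 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2026:08:05:12 +0000] "GET /api/customernotes/1005 HTTP/1.1" 200 811 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2026:08:05:12 +0000] "GET /api/customernotes/1006 HTTP/1.1" 200 803 "-" "python-requests/2.31.0"
192.0.2.10 - - [10/Mar/2026:08:07:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
192.0.2.10 - - [10/Mar/2026:08:07:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
192.0.2.10 - - [10/Mar/2026:08:07:05 +0000] "GET /api/customernotes/42 HTTP/1.1" 200 790 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
"""

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
NOTES_RE = re.compile(r"^/api/customernotes/(\d+)$")  # path from the page's network indicators
# Substrings of User-Agent headers produced by common scanning tools (illustrative list).
SCANNER_UA_TAGS = ("gobuster", "dirbuster", "masscan", "zgrab", "nmap")


def parse_line(line):
    """Parse one combined-format log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def count_in_window(times, window_seconds):
    """Largest number of events that fall inside any window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def longest_sequential_run(ids):
    """Length of the longest run of IDs that increase by exactly one in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect(lines, window_seconds=60, max_404=5, min_run=5):
    """Run the three checks and return the offending source IPs per finding type."""
    findings = {"scanner_user_agent": set(), "directory_bruteforce": set(), "id_enumeration": set()}
    not_found_times = defaultdict(list)  # ip -> timestamps of 404 responses
    note_ids = defaultdict(list)         # ip -> customernotes IDs in request order
    for event in filter(None, (parse_line(l) for l in lines)):
        if any(tag in event["ua"].lower() for tag in SCANNER_UA_TAGS):
            findings["scanner_user_agent"].add(event["ip"])
        if event["status"] == 404:
            not_found_times[event["ip"]].append(event["ts"])
        m = NOTES_RE.match(event["path"])
        if m:
            note_ids[event["ip"]].append(int(m.group(1)))
    for ip, times in not_found_times.items():
        if count_in_window(times, window_seconds) >= max_404:
            findings["directory_bruteforce"].add(ip)
    for ip, ids in note_ids.items():
        if longest_sequential_run(ids) >= min_run:
            findings["id_enumeration"].add(ip)
    return findings


if __name__ == "__main__":
    for kind, ips in detect(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(f"{kind}: {sorted(ips)}")
```

Note that the ID-iteration client in the sample sends a generic `python-requests` User-Agent and only 200 responses, so neither the signature check nor the 404 check catches it; only the behavioral check on consecutive IDs does. That is the reason the page lists signature and behavioral detection side by side.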
## Mitigation Strategies
- **Attack Surface Management (ASM)**: Implementing continuous visibility tools to identify new assets before or at the same time as attackers.
- **Security by Design**: Disallowing "Default Open" firewall rules; ensuring all new cloud instances are within a protected VPC by default.
- **Zero Trust Architecture**: Requiring authentication (MFA) for all API endpoints and management interfaces, regardless of whether they are "hidden."
- **Rate Limiting**: Implementing aggressive rate limiting on sensitive API and login endpoints.
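As an added example for the rate-limiting item (not code from the report), here is a sliding-window limiter in Python that an application could place in front of a login handler and a sensitive API route. Keys are assumed to be (client IP, username) for logins and client IP alone for the API; the limits of five attempts per 60 seconds and the simulated burst are constructed values. The clock is passed in explicitly so the behaviour is deterministic and testable.

```python
from collections import deque


class SlidingWindowLimiter:
    """Allow at most max_events per key within any trailing window of window_seconds."""

    def __init__(self, max_events, window_seconds):
        self.max_events = max_events
        self.window = window_seconds
        self._events = {}  # key -> deque of event timestamps (seconds)

    def allow(self, key, now):
        """Record an attempt at time `now` and return True if it is within the limit."""
        q = self._events.setdefault(key, deque())
        # Drop attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_events:
            return False  # caller should answer 429 and not process credentials
        q.append(now)
        return True


# Assumed policy: separate limiters for logins and for the data API (constructed values).
LOGIN_LIMITER = SlidingWindowLimiter(max_events=5, window_seconds=60)
API_LIMITER = SlidingWindowLimiter(max_events=30, window_seconds=60)


def login_allowed(client_ip, username, now):
    """Key on IP *and* account so one IP cannot spray many accounts unthrottled,
    and one account cannot be hammered from many IPs without tripping the per-key limit."""
    return LOGIN_LIMITER.allow((client_ip, username), now)


def api_allowed(client_ip, now):
    return API_LIMITER.allow(client_ip, now)


def simulate_login_burst(attempts=20, spacing=0.5, max_events=5, window_seconds=60):
    """Constructed scenario: one client hammers one account; return how many attempts got through."""
    limiter = SlidingWindowLimiter(max_events, window_seconds)
    allowed = 0
    for i in range(attempts):
        if limiter.allow(("203.0.113.7", "admin"), i * spacing):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("login attempts accepted from burst of 20:", simulate_login_burst())
```

A limiter like this is a cheap first layer; the page's stronger control is still MFA on every endpoint, because a limiter slows credential stuffing but does not remove the value of a guessed password.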
## Related Tools/Techniques
- **Shodan / Censys**: Search engines for internet-connected devices.
- **GreyNoise**: Tool for analyzing "internet background noise" and scanner behavior.
- **Directory Brute-forcing**: Tools like Gobuster or DirBuster.
- **Credential Stuffing**: Automated high-volume login attempts.