We built a Splunk App… and it found Splunk.

And other badly configured software exposed to the world

David G
2 min read · Nov 26, 2019

Did you lock the front door? Yes.

Did you turn off the iron? Let me check.

Did you destroy that old cloud server you provisioned for testing? Errrr.

Did you get around to securing that software properly? Hold my beer.

Two weeks ago we launched the ThreatPipes App for Splunk.

Here’s a demo in case you haven’t seen it yet.

You can download it here.

I’ve loved hearing stories about how you’ve been using it, and what you’ve found.

Lots of dodgy SSL certificates, badly configured servers, log matches to threat list intel… and Splunk instances.

Hello, Splunk Web.

Many very old Splunk webs.

With recent updates it’s not as easy as it once was to break into Splunk. Times have changed since admin:changeme, but humans haven't.

Mixed with breached account data, companies hosting on their own domains and the use of service accounts, there are lots of weaknesses you need to be aware of when exposing Splunk to the internet like this.

In short: you probably shouldn’t expose Splunk to the internet.

Or any sensitive enterprise software.

Or internet-connected front doors.

Do “smart” irons exist yet?

ThreatPipes Modules relevant to this post

  • BuiltWith: Query BuiltWith.com’s Domain API for information about your target’s web technology stack, e-mail addresses and more.
  • Censys: Obtain information from Censys.io
  • SHODAN: Obtain information from SHODAN about identified IP addresses.
  • WhatWeb: WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.
  • Web Framework: Identify the usage of popular web frameworks like jQuery, YUI and others.

Here are 100s more…

David Greenwood, ThreatPipes Team

Originally published at https://www.threatpipes.com on November 26, 2019.
