DETECT UNINTENTIONAL DATA EXPOSURE
by using our Deep Web Monitoring

This feature addresses a significant and often overlooked cyber risk: sensitive data leakage. In numerous instances, developers and freelancers inadvertently commit sensitive configuration files, test data and code to public repositories that anyone can read anonymously. Such material frequently contains usernames, passwords, API keys, client details and proprietary information about your internal infrastructure.

Such exposure puts your organization at heightened risk of targeted attacks: opportunistic attackers routinely scour public repositories for exactly this kind of material and use it to compromise the systems it belongs to.

In addition, the product monitors specialized search engines such as Shodan, which index details about potentially unsecured servers, shadow IT and vulnerable services in your applications. As a side effect you get an outside view of your attack surface, the same view an attacker would have, without performing any active scans.

In essence, this module provides a robust solution to safeguard your organization against sensitive data leakage and targeted cyber threats, enhancing your overall cybersecurity resilience.


How do we solve this in Kaduu?

To understand the risks, we search all publicly available sources in the deep web for sensitive data related to your organization or brand. To do that, we offer the following modules:

  • Public Cloud Storage Monitoring: Many enterprises still leave cloud storage buckets unprotected, even though extensive documentation on securing them is available. Studies have found that about 1 in 5 publicly accessible buckets contained sensitive data (PII), and numerous large-scale bucket exposures have been reported. In Kaduu you can monitor S3 buckets as well as Azure Blob Storage containers for any sensitive data related to your monitored keyword. Some of the most important S3 security risks include:
    • Configuration errors that allow unauthorized users to read sensitive data in S3 buckets
    • Lack of understanding of what data is stored in S3 buckets, and whether the protection applied to that specific data is adequate
    • Configuration problems that allow bad actors to upload malware to S3 buckets, giving them a foothold for further attacks
  • Code Monitoring: Kaduu lets you define search terms and checks whether they appear on publicly available GitHub, SourceForge, Google Code and other repositories. If there is a match, we publish the result with the corresponding link and allow you to automate the analysis of the results. Kaduu queries the code sharing platforms once per day for each keyword. Any code sharing platform can introduce a number of security risks for an organization, including:
    • Data leakage: If an organization uses code sharing software to store sensitive data such as source code, login credentials or customer data, there is a risk that this data is leaked through a misconfigured repository or a compromised account.
    • Insider threats: If an organization uses code sharing software to collaborate on projects, there is a risk that an employee or contractor intentionally or accidentally causes a data breach, for example by committing sensitive information to a public repository.
    • Third-party risks: If an organization uses code sharing software to collaborate with third-party vendors or open-source contributors, there is a risk that a malicious actor abuses this access to reach the organization's data or systems.
    • Malicious code injection: If an organization uses code sharing software to manage its software development, there is a risk that a malicious actor injects malicious code into the repository, which is then built and executed on the organization's systems.
    • Phishing and social engineering: Code sharing platforms are widely used for software development and many developers are active on them. Attackers use phishing and social engineering against those developer accounts to gain access to an organization's sensitive information.
    • Compromised dependencies: Organizations that use open-source libraries may unknowingly import a compromised dependency into their codebase.
  • Google Dork Monitoring: Google hacking, also known as Google dorking, is the practice of using advanced search operators (such as site:, filetype:, inurl: and intitle:) to find exposed files, sensitive information and other vulnerability indicators that Google has indexed. It is used by security researchers and attackers alike. Public Google dork lists can be combined with your domain; if any result appears in Kaduu, it means there is a possible security vulnerability or data exposure in one of your organization's web services. Google hacking can expose a variety of weaknesses in websites, including:
    • Sensitive information: Google hacking can be used to search for sensitive information such as credit card numbers, social security numbers and login credentials that have been accidentally exposed on a website.
    • Vulnerable files and directories: Operators such as filetype: and inurl: can locate specific file types (for example exposed .php or .asp sources, or backup and log files) that may indicate a weakness in a website's code.
    • Misconfigured servers: Google hacking can be used to search for servers that have been misconfigured, for example with directory listing enabled, which reveals sensitive information about the server and its contents.
    • Backdoors: Google hacking can locate web shells and other backdoors that attackers have left on compromised servers, since they are often indexed under distinctive page titles or content.
    • Exposed services: Search results can reveal admin interfaces, login portals and network devices that should not be reachable from the Internet. (Google does not index open ports; port and banner data comes from services such as Shodan, which Kaduu also covers.)
    • Exposed databases: Google hacking can also locate exposed database files and administration interfaces, which can contain sensitive information such as customer data and financial records.
  • Paste Site Monitoring: Pastebin and similar sites let users share text as public posts called "pastes". Since Pastebin launched, many comparable "paste sites" have appeared. They are mostly used for sharing code, but any data in text form can be uploaded and shared. Pastebin's search lets users find content by keyword, and because the site relies on users to report abuse, non-compliant pastes are rarely removed. This lets attackers publish data easily and anonymously in an accessible location. Pastebin and similar sites belong to the deep web: they can be viewed in a normal browser, but their content is largely not indexed by Google and other traditional search engines, so users must rely on the sites' internal keyword search or get paste links directly from other users. There are also paste sites on the dark web that offer increased anonymity via the Tor browser and focus exclusively on illegal activities; DeepPaste, for example, is mainly used for advertising illegal goods or services. Attackers use paste sites to prepare attacks and to anonymously publish data from successful ones, which is why it is important to monitor them. So how do attackers use paste sites?
    • Sharing stolen data: Attackers use paste sites to share stolen data, such as login credentials, personal information or confidential business information, with other members of their group or with the public.
    • Storing malware: Attackers use paste sites to store malware or encoded payload stages (trojans, ransomware and the like) that they have created or obtained, so they can share it with others or distribute it through infected websites or email attachments.
    • Communicating with other attackers: Attackers use paste sites to communicate with other members of their group or with the public, sharing information about vulnerabilities, tools or techniques, or coordinating attacks on specific targets.
    • Hiding command and control infrastructure: Attackers use paste sites to host command-and-control (C&C) data, for example the current addresses of the servers that manage infected machines, so that malware can be updated or data exfiltrated with less chance of the infrastructure being detected and taken down.
    • Doxxing: Attackers use paste sites to publish personal information about individuals or organizations, known as doxxing, as a form of harassment or intimidation.
    • Phishing schemes: Attackers may use paste sites to host phishing pages or their components, which they then use to steal login credentials or other sensitive information from unsuspecting victims.
  • Botnet Log Monitoring: Malicious bots are malware programmed to hijack user accounts, harvest contact information from the Internet, send spam or carry out other malicious activities. To disguise the origin of such attacks, attackers distribute bots across a botnet, a network of Internet-connected devices each running one or more bots without the knowledge of the device owner. Because each device has its own IP address, botnet traffic originates from many addresses, making its point of origin harder to spot and block. Botnets also self-propagate to more devices, which in turn send spam and infect more machines. Info-stealing bots record the credentials their victims type, and these records ("logs") are traded among criminals. If one of your IP addresses, host names or usernames appears in the logs Kaduu has collected, a device that used that host or account has been infected and its captured credentials are in circulation. So where do we obtain botnet logs? They can be obtained from darknet marketplaces, forums and websites that cybercriminals use to buy and sell stolen data, malware and other illegal goods and services. Some examples include:
  • Passive Infrastructure Vulnerability Detection: Passive vulnerability detection identifies vulnerabilities without actively interacting with the system or network being tested, typically by analyzing logs, captured traffic or other passively collected data. In Kaduu's case we query databases in the deep web that may hold data on the target. The advantage is that it does not disrupt the normal operation of the system and can be done without the target's knowledge; the drawback is that it may miss vulnerabilities that only active interaction would reveal. For the infrastructure search we need the registered domain (example.com, not www.example.com) as input. From it we reconstruct the infrastructure as an attacker would see it, without performing active scans. For every element found we then search the deep web again for information about open ports or vulnerabilities. Again, no scans take place.
  • URL Shortener Monitoring: URL shortening services turn a long, complex URL into a much shorter one that is easier to remember, share and type. Attackers also use them to conceal the destination of a link and trick users into clicking a malicious or phishing link; a Cornell University study of 2.2 million URLs found that 61% of the URLs used in phishing attacks were shortened links. The risk is not limited to attackers, though. Cloud storage services, and OneDrive in particular, used to generate short URLs for documents and folders under the 1drv.ms domain, a "branded short domain" operated by Bitly that uses the same tokens as bit.ly. Because those tokens are short, they can be enumerated, so a link that was never shared with anyone is not actually private. Searching by any cloud service domain (dropbox.com, drive.google.com) reveals a lot of downloadable files.
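What the cloud storage module looks for from the outside can be reproduced with a small classifier. The following is an added example, not Kaduu's code: it takes the body that an anonymous HTTP GET of a bucket or container root returns (an S3 ListBucketResult, an Azure Blob EnumerationResults, or the Error document both services send when listing is refused) and reports whether listing is open and which object keys look sensitive. The three XML bodies are constructed samples, the bucket and container names are invented, and the key-name rules are an assumption of the example rather than Kaduu's actual rule set.

```python
"""Classify what an anonymous GET of a storage bucket/container root returned.

Added example (not Kaduu's code). Handles the S3 ListBucketResult and Azure Blob
EnumerationResults listings as well as the Error document both services return
when anonymous listing is refused. The sample bodies below are constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Key-name heuristics are an assumption of this example, not Kaduu's rules.
# The first matching rule wins, so the more specific rules come first.
SENSITIVE_KEY_RULES = [
    ("dotenv or config file",
     re.compile(r"(^|/)\.env(\.|$)|(^|/)(config|settings)\.(json|ya?ml|xml|ini|php)$", re.I)),
    ("database dump or archive",
     re.compile(r"\.(sql|sql\.gz|dump|bak|tar\.gz|zip)$", re.I)),
    ("private key",
     re.compile(r"\.(pem|key|p12|pfx|ppk)$|(^|/)id_(rsa|dsa|ecdsa|ed25519)$", re.I)),
    ("credential file",
     re.compile(r"(^|/)[^/]*(credential|secret|passw)[^/]*$", re.I)),
    ("spreadsheet or export (possible PII)",
     re.compile(r"\.(csv|xlsx?|parquet)$", re.I)),
]


def parse_listing(body: str):
    """Return (status, keys, truncated) for a response body.

    status is "listing", "denied:<Code>" or "unknown". truncated is True when the
    service paginated the listing (S3 returns at most 1000 keys per page, Azure at
    most 5000), in which case the key count is only a lower bound.
    """
    try:
        root = ET.fromstring(body)  # stdlib ElementTree does not resolve external entities
    except ET.ParseError:
        return "unknown", [], False
    if root.tag == S3_NS + "ListBucketResult":
        keys = [k.text or "" for k in root.iter(S3_NS + "Key")]
        truncated = (root.findtext(S3_NS + "IsTruncated") or "").lower() == "true"
        return "listing", keys, truncated
    if root.tag == "EnumerationResults":  # Azure Blob container listing, no namespace
        keys = [n.text or "" for n in root.iter("Name")]
        truncated = bool((root.findtext("NextMarker") or "").strip())
        return "listing", keys, truncated
    if root.tag == "Error":  # both services answer <Error><Code>...</Code></Error>
        return "denied:" + (root.findtext("Code") or "unknown"), [], False
    return "unknown", [], False


def flag_keys(keys):
    """Return [(key, reason)] for keys whose name suggests sensitive content."""
    flagged = []
    for key in keys:
        for reason, rx in SENSITIVE_KEY_RULES:
            if rx.search(key):
                flagged.append((key, reason))
                break
    return flagged


def assess(body: str) -> dict:
    """One record per checked bucket/container: status, how much was seen, what is risky."""
    status, keys, truncated = parse_listing(body)
    return {"status": status, "key_count": len(keys),
            "truncated": truncated, "findings": flag_keys(keys)}


# --- constructed sample responses; bucket and container names are invented ---
SAMPLE_S3_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>acme-static-assets</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>images/logo.png</Key><Size>8123</Size></Contents>
  <Contents><Key>web/.env</Key><Size>412</Size></Contents>
  <Contents><Key>backups/2024-01-customers.sql.gz</Key><Size>73400320</Size></Contents>
  <Contents><Key>keys/id_rsa</Key><Size>1679</Size></Contents>
  <Contents><Key>exports/customers-2024.csv</Key><Size>50231</Size></Contents>
</ListBucketResult>"""

SAMPLE_S3_DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""

SAMPLE_AZURE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://acmeprod.blob.core.windows.net/" ContainerName="public">
  <Blobs><Blob><Name>site/index.html</Name></Blob><Blob><Name>dumps/hr-export.xlsx</Name></Blob></Blobs>
  <NextMarker/>
</EnumerationResults>"""

if __name__ == "__main__":
    for label, body in [("s3", SAMPLE_S3_LISTING), ("s3-denied", SAMPLE_S3_DENIED),
                        ("azure", SAMPLE_AZURE_LISTING)]:
        print(label, assess(body))
```

Two caveats matter in practice. A "denied" status only means that enumeration is closed: individual objects under a guessable key may still be publicly readable, so a listing check is not a complete exposure check. And a truncated listing means the finding count is a floor, not the total; a real monitor has to follow the pagination before it reports "no sensitive keys".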
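The botnet log module above reduces to a matching problem once the logs are in hand. The following added example (not Kaduu's code) parses lines in the URL, login, password layout that info-stealer logs commonly use, matches each line against the monitored domains both by the URL host and by the e-mail domain of the login, and reports hits with the password masked so that the alert itself does not become another leak. The log lines are constructed and the domains and accounts are invented; the line layout is an assumption, as stealer families differ.

```python
"""Match info-stealer (botnet) log lines against monitored domains.

Added example, not Kaduu's code. Assumes the common URL<sep>LOGIN<sep>PASSWORD
line layout; the sample lines, domains and accounts below are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

EXPLICIT_SEP = re.compile(r"[|;\t]")  # separators that cannot occur in a URL host


def parse_line(line: str):
    """Return (url, login, password) or None for an unparseable line."""
    line = line.strip()
    if not line:
        return None
    if EXPLICIT_SEP.search(line):
        parts = EXPLICIT_SEP.split(line)
    else:
        # ':' separated: the URL itself contains ':' (scheme, optional port), so split
        # from the right. A password containing ':' is still mis-split; no ':' layout
        # is unambiguous, which is why the explicit separators above are preferred.
        parts = line.rsplit(":", 2)
    if len(parts) != 3 or not all(p.strip() for p in parts):
        return None
    url, login, password = (p.strip() for p in parts)
    return url, login, password


def host_of(url: str) -> str:
    """Lower-cased host of a URL, tolerating lines that omit the scheme."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def in_scope(name: str, domains) -> bool:
    """Exact or subdomain match only: shop.example.com.evil.site is NOT example.com."""
    return any(name == d or name.endswith("." + d) for d in domains)


def mask(password: str) -> str:
    """Keep only the first character so the alert does not re-leak the password."""
    return password[:1] + "*" * (len(password) - 1)


def find_exposures(lines, domains):
    """One alert per (host, login) whose URL host or login e-mail domain is monitored."""
    domains = {d.lower() for d in domains}
    alerts, seen = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url, login, password = rec
        host = host_of(url)
        reasons = []
        if in_scope(host, domains):
            reasons.append("host")
        if "@" in login and in_scope(login.rsplit("@", 1)[1].lower(), domains):
            reasons.append("login-domain")
        if not reasons:
            continue
        key = (host, login.lower())
        if key in seen:  # the same credential usually appears in several log dumps
            continue
        seen.add(key)
        alerts.append({"host": host, "login": login, "url": url,
                       "password_hint": mask(password), "reasons": reasons})
    return alerts


# constructed sample log; every domain, account and password here is invented
SAMPLE_LOG = """\
https://portal.example.com/login:jdoe@example.com:Summer2024!
https://mail.other-corp.net/owa|alice|hunter2
https://vpn.example.com:8443/auth|bob|p:ss
https://shop.example.com.evil.site/login:victim:abc123
https://login.microsoftonline.com/:carol@example.com:Welcome1
https://portal.example.com/login:JDoe@example.com:Summer2024!
garbage line without separators
"""

if __name__ == "__main__":
    for alert in find_exposures(SAMPLE_LOG.splitlines(), {"example.com"}):
        print(alert)
```

Two details carry the value here. Matching is on the DNS suffix, not on a substring, so a look-alike host under an attacker's domain does not trigger an alert for yours; and the login domain is checked separately, because a corporate account that was stolen from a third-party portal (a Microsoft 365 login, a SaaS tool) is just as much your incident as one stolen from your own servers.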

The Benefit

Although IT asset monitoring detects existing vulnerabilities and already leaked data, the service is a preventive measure: it gives the organization the same knowledge the attacker has, and with it the chance to act first. If a server appears in a public listing with noted vulnerabilities, you can patch it promptly. And if sensitive data turns up in a Git repository, you may still avert the damage by revoking the exposed credentials before anyone abuses them; merely deleting the commit does not unpublish what forks and caches already hold.

More information

Deep Web Monitoring Use Cases

Monitoring using a passive vulnerability detection approach can help companies prevent attacks and detect shadow IT in a number of ways. Here are a few examples:

1. Identify vulnerabilities: By monitoring data sources such as Shodan or DNSDumpster, companies gain insight into the vulnerabilities that exist within their Internet-facing infrastructure and can prioritize patching of the affected systems, reducing the organization's attack surface.

2. Detect shadow IT: Passive vulnerability detection can identify devices or applications that are exposed under the company's domains or IP ranges without the IT department's knowledge, otherwise known as shadow IT. This is achieved by analyzing network traffic or by correlating external data about reported systems and vulnerabilities.

3. Early warning system: Passive vulnerability detection can act as an early warning system, alerting companies to potential threats or indicators of compromise. By monitoring data sources for signs of malicious activity or suspicious behavior, companies can quickly identify and respond to threats before they escalate.

4. Compliance monitoring: Monitoring using a passive vulnerability detection approach can also help companies meet regulatory and compliance requirements. By continuously monitoring for vulnerabilities and security gaps, companies can demonstrate to regulators and auditors that they are taking steps to protect their IT infrastructure and sensitive data.

5. Improving security posture: Regularly monitoring for vulnerabilities and shadow IT can help companies to improve their overall security posture. By identifying weaknesses and addressing them in a timely manner, companies can reduce their risk exposure and better protect their sensitive data and systems.

Overall, passive vulnerability detection can help companies to proactively identify potential risks and vulnerabilities, improve their security posture, and respond quickly to potential threats or incidents.

Monitoring code repositories such as GitHub helps organizations mitigate the risk of sensitive data disclosure by employees or freelancers who inadvertently expose a variety of sensitive data, including:

Credentials: Usernames and passwords, API keys and other authentication tokens can be accidentally committed to GitHub, giving unauthorized access to sensitive systems.

Source code: Source code may contain sensitive information, such as hard-coded passwords, encryption keys or proprietary algorithms, which can be leveraged by attackers.

Personal information: Employee or customer personal information, such as names, email addresses, phone numbers or home addresses, can be accidentally committed to GitHub, exposing individuals to privacy and identity theft risks.

Internal documentation: Organizations may inadvertently expose internal documentation, such as system diagrams or architectural plans, that is useful to attackers.

Configuration files: Configuration files contain sensitive data, such as server and database connection strings or network topology information, which, if exposed, lets attackers easily identify potential entry points into an organization's systems.

Logs and backups: Organizations may accidentally commit logs or backups containing sensitive data, such as usernames, passwords and other data that attackers can leverage.

Compliance-related data: Data subject to regulations such as HIPAA or GDPR can be accidentally exposed on GitHub, exposing the organization to regulatory violations.
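A first-pass check for the categories in the list above, credentials in particular, can run before code is pushed, using the same kind of rules a monitoring service applies afterwards. The following added example is not Kaduu's scanner: it combines fixed-format patterns (AWS access key IDs and secret keys, GitHub personal access tokens, Slack tokens, PEM private-key headers) with a generic key=value rule that is gated by a Shannon-entropy threshold and a placeholder list, so that values like changeme or ${VAR} do not produce noise. The sample file is constructed; the AWS values are the example credentials from AWS's own documentation and the GitHub token is a made-up string of the right shape, not a real token.

```python
"""Scan file content for committed secrets before (or after) it reaches a public repo.

Added example, not Kaduu's scanner. Fixed-format rules catch tokens with a known
shape; a generic key=value rule is gated by Shannon entropy and a placeholder list.
The sample file is constructed (the AWS values are AWS's documented example keys).
"""
from __future__ import annotations

import math
import re
from collections import Counter

RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws.{0,20}?secret.{0,20}?['\"=:\s]([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack-token", re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
]
# key = value where the key name looks like a credential; value is 8+ non-blank chars.
GENERIC = re.compile(r"(?i)(?:passw(?:or)?d|secret|api[_-]?key|token)[A-Za-z0-9_]*\s*[:=]\s*['\"]?([^\s'\"]{8,})")
# Values that are obviously not real secrets (templating, docs, defaults).
PLACEHOLDER = re.compile(r"(?i)^(\$\{.*\}|\{\{.*\}\}|<.*>|changeme|password|example.*|your[_-].*|x{3,}|todo)$")
MIN_ENTROPY = 3.0  # bits per character; random secrets are usually well above this


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def mask(value: str) -> str:
    """Report enough to locate the secret without copying it into the finding."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str):
    """Return findings as dicts: line number, rule name and a masked match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = False
        for rule, rx in RULES:
            for m in rx.finditer(line):
                findings.append({"line": line_no, "rule": rule,
                                 "match": mask(m.group(m.lastindex or 0))})
                hit = True
        if hit:
            continue  # do not report the same value again under the generic rule
        m = GENERIC.search(line)
        if not m:
            continue
        value = m.group(1)
        if PLACEHOLDER.match(value) or shannon_entropy(value) < MIN_ENTROPY:
            continue
        findings.append({"line": line_no, "rule": "generic-credential", "match": mask(value),
                         "entropy": round(shannon_entropy(value), 2)})
    return findings


SAMPLE_FILE = """\
# constructed sample: settings file accidentally committed to a public repo
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
DB_PASSWORD = "Tr0ub4dor&3"
REDIS_PASSWORD = "changeme"
API_KEY = "${API_KEY}"
SECRET_KEY = "xxxxxxxxxxxxxxxx"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(finding)
```

Lines 6 to 8 of the sample are the ones a naive grep for "password" or "key" would flag; the placeholder list and the entropy gate drop them, while the real-looking password on line 5 still scores above the threshold. Wired into a pre-commit hook this catches the leak before it is public; run against an already public repository, every hit must be treated as compromised and rotated, whatever happens to the commit afterwards.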

Get Timely Notifications!

Using Kaduu's IT-Asset monitoring service, you can create alerts that are delivered by email (as CSV, docx or JSON attachments), shown in the dashboard or retrieved via the REST API.

“Kaduu’s IT-Asset monitoring is a great tool to prevent cyber criminals from exploiting vulnerable applications or systems as it provides the same level of information available to hackers.”