Energy companies are blind to thousands of exposed services

Many of America’s largest energy providers are exposed to known and exploitable vulnerabilities, and most security teams may not even see them, according to a new report from SixMap.

Researchers assessed the external attack surface of 21 major energy companies, analyzing nearly 40,000 IP addresses and scanning all 65,535 ports per host. The findings paint a picture of persistent risk, blind spots, and outdated tools.

In total, the companies had 58,862 services exposed to the Internet. About 7 percent of those services, nearly 4,000, were running on non-standard ports, which are not included in the default scans performed by most exposure management tools.

This suggests a lack of visibility, the report says, as many security tools only scan the top 5,000 ports.

Some services with known vulnerabilities, including HTTP, SSH, SMTP, and DNS, were found running on ports far outside their defaults. In total, SixMap found 304 vulnerable services on non-standard ports, including 21 CVEs known to be exploited in the wild. These are especially dangerous, the report notes, because security teams may be unaware of the host itself, or unaware that the service is running on the host.

In all, the research uncovered 5,756 CVEs. Of these, 377 are actively exploited by attackers, including well-known groups like Silent Chollima (North Korea), ExCobalt (Russia), and Ethereal Panda (China). The report points out that most CVEs are never exploited, but the ones that are should be prioritized for immediate remediation.

A subset of vulnerabilities was seen across multiple companies. The researchers found 43 unique CVEs that were present in the external attack surfaces of at least 10 of the 21 energy sector organizations evaluated. These are considered systemic risks because they could be used to launch widespread attacks across the industry.

One example is CVE-2023-38408, a critical SSH vulnerability linked to Silent Chollima. It was found in 16 of the 21 companies, often running on obscure ports like 21098 and 41094, making detection even harder. Other shared CVEs include outdated Apache services and weaknesses in web applications.

IPv6 exposure added another layer of risk. Though many organizations believe they don’t have IPv6 assets, every single one of the 21 organizations evaluated has at least one IPv6 address in use, according to the report. Some had more than 30 percent of their hosts on IPv6. Since traditional exposure management tools cannot discover IPv6 hosts, this portion of the infrastructure is often left unmonitored.

One organization stood out with 2,875 CVEs, the highest in the group, due to an old Apache web service running across many hosts and ports. We are left to assume these hosts are shadow IT assets that are unknown to the security team, the report notes.

The findings highlight key weaknesses in legacy security tooling. Vulnerability management products are built to assess hosts and detect vulnerabilities but often scan only the top 1,000 or top 5,000 ports, leaving plenty of room for vulnerable services to exist in the shadows.

SixMap recommends scanning the full port range, gaining visibility into IPv6 assets, and prioritizing CVEs based on risk and known exploitation. Every single exposure is a potential initial attack vector for the threat groups who seek to breach the network, the report concludes.
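As an added illustration of the two gaps the report describes (services on non-standard ports that a top-N port scan never sees, and CVEs that should be prioritized because they are known-exploited or shared across many hosts and organizations), the following Python is not SixMap's code or data; the scan records, the top-ports set, the default-port mapping and the known-exploited set are all constructed for the example, and only CVE-2023-38408 and ports 21098 and 41094 come from the article.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample records, not data from the SixMap report.
@dataclass(frozen=True)
class Service:
    org: str
    host: str
    port: int
    name: str
    cves: tuple = ()

SERVICES = [
    Service("org-a", "198.51.100.10", 22, "ssh", ("CVE-2023-38408",)),
    Service("org-a", "198.51.100.11", 21098, "ssh", ("CVE-2023-38408",)),
    Service("org-b", "203.0.113.5", 41094, "ssh", ("CVE-2023-38408",)),
    Service("org-b", "203.0.113.6", 8080, "http", ("CVE-EXAMPLE-0001",)),
    Service("org-c", "192.0.2.7", 60053, "dns"),
    Service("org-c", "192.0.2.8", 25, "smtp", ("CVE-EXAMPLE-0002",)),
]
# Default ports per service (assumption: a small illustrative mapping).
DEFAULT_PORTS = {"ssh": {22}, "http": {80, 443, 8080, 8443}, "smtp": {25, 465, 587}, "dns": {53}}
# Constructed stand-in for a vendor "top ports" list: the well-known range plus a few
# common high ports. Real tools use frequency-ranked lists; this is only for illustration.
TOP_PORTS = set(range(1, 1025)) | {3306, 5432, 8080, 8443}
# Constructed stand-in for a known-exploited catalogue; CVE-2023-38408 is named in the article.
KNOWN_EXPLOITED = {"CVE-2023-38408"}

def on_non_standard_port(svc: Service) -> bool:
    """True when a service runs outside its usual port(s)."""
    return svc.port not in DEFAULT_PORTS.get(svc.name, set())

def missed_by_top_ports(services, top_ports=TOP_PORTS):
    """Services a top-N port scan would not see at all, whatever their vulnerability state."""
    return [s for s in services if s.port not in top_ports]

def systemic_cves(services, min_orgs):
    """CVEs present in the external surface of at least `min_orgs` organizations."""
    orgs_per_cve = defaultdict(set)
    for s in services:
        for cve in s.cves:
            orgs_per_cve[cve].add(s.org)
    return sorted(c for c, orgs in orgs_per_cve.items() if len(orgs) >= min_orgs)

def prioritized(services, known_exploited=KNOWN_EXPLOITED):
    """Rank (host, port, cve) findings: known-exploited first, then by how many hosts share the CVE."""
    host_count = Counter(c for s in services for c in set(s.cves))
    findings = [(s.host, s.port, c) for s in services for c in s.cves]
    return sorted(findings, key=lambda f: (f[2] not in known_exploited, -host_count[f[2]], f))
```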
