Among the filters of Asset Search provided by Criminal IP (hereinafter referred to as CIP) is ssl_issuer_organization. This filter matches the Issuer Organization field of the TLS certificate a host presents on an HTTPS (or other TLS) service, so it tells you which certificate authority or organization signed that certificate. Looking at the certificate of criminalip.io below, for example, "Verified by" reads "Sectigo Limited (formerly Comodo CA)", which means the certificate was issued by Sectigo.

If you want to find hosts whose certificates were issued by Sectigo, search Asset Search as follows. Hundreds of IP addresses are returned, since Sectigo is one of the most widely used public certificate authorities.

ssl_issuer_organization:sectigo

Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature (ssl_issuer_organization)

Criminal IP’s SSL Certificate: “Verified by” is noted as “Sectigo Limited”


Asset Search results for IP addresses presenting a certificate issued by Sectigo

How to Use ssl_issuer_organization Filter to Search for “Red Hat Satellite”

Using the same logic, let's search for Red Hat Satellite, a systems management product that provisions, configures, patches and monitors Red Hat Enterprise Linux hosts across physical, virtual and cloud environments from a single centralized console. That convenience is exactly what makes it dangerous when exposed: a Satellite server can push content to and run commands on every host it manages, so an attacker who takes it over controls the whole fleet rather than one machine. A default Satellite deployment serves its web UI with a certificate from a self-generated internal CA whose organization name is "Katello" (Katello is the content and subscription management component built into Satellite). To search for exposed Satellite instances, use that issuer name.

ssl_issuer_organization:Katello


Search result of ssl_issuer_organization:Katello on Criminal IP’s Asset Search

In the result, the certificate served on port 443 (HTTPS) lists "Katello" as its Issuer Organization. Opening the IP address in a browser brings up the Red Hat Satellite login page shown below. If an attacker succeeds in an authentication attack (brute force, credential stuffing, or reuse of default or leaked credentials), they can log in and use Satellite's remote execution features to run commands on every managed server; this makes an internet-exposed Satellite console one of the most dangerous misconfigurations from an attack surface management perspective. Note that the filter only finds instances still using the default Katello-issued certificate; a Satellite whose administrator installed a certificate from a public CA will not match, so the query gives a lower bound on exposure.
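The Asset Search query above is a lookup in CIP's index; the corresponding check you would run yourself against a single host is to pull the certificate it presents on 443 and read the issuer's organizationName and the subject's commonName directly. The script below is an added example written for this article, not Criminal IP's code and not part of Satellite or Foreman. It walks the DER structure of the certificate with the standard library only (no cryptography package needed), because the Katello CA is private and would never verify against public roots anyway. The sample_certificate helper builds a constructed, unsigned but structurally valid certificate so the parser can be exercised offline; the hostname satellite.example.internal and the organization "Example" in it are made-up values.

```python
import socket
import ssl

# DER-encoded attribute OIDs: 2.5.4.10 (organizationName) and 2.5.4.3 (commonName)
OID_ORGANIZATION_NAME = bytes.fromhex("55040a")
OID_COMMON_NAME = bytes.fromhex("550403")


def _read_tlv(buf, pos):
    """Decode the DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element directly inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _name_attributes(name):
    """Flatten an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) into {oid_bytes: text}."""
    attrs = {}
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = list(_children(atv))[:2]
            attrs[oid] = val.decode("utf-8", "replace")
    return attrs


def issuer_and_subject(der):
    """Return (issuer attrs, subject attrs) from a DER X.509 certificate without verifying it."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # skip the EXPLICIT [0] version if present
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return _name_attributes(fields[2][1]), _name_attributes(fields[4][1])


def classify(der):
    """Return (issuer O, subject CN, katello_flag); the flag mirrors ssl_issuer_organization:Katello."""
    issuer, subject = issuer_and_subject(der)
    org = issuer.get(OID_ORGANIZATION_NAME, "")
    return org, subject.get(OID_COMMON_NAME, ""), org.lower() == "katello"


def fetch_der(host, port=443, timeout=5.0):
    """Grab the leaf certificate a live host presents. Verification is disabled on purpose:
    the Katello CA is private, and getpeercert(binary_form=True) still returns the DER."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed test fixture: an unsigned, structurally valid certificate (not a real cert) ---
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def _name(org, cn):
    def atv(oid, text):   # SET { SEQUENCE { OID, UTF8String } }
        return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))
    return _der(0x30, atv(OID_ORGANIZATION_NAME, org) + atv(OID_COMMON_NAME, cn))


def sample_certificate(issuer_org, issuer_cn, subject_cn):
    """Build a minimal v3 certificate skeleton; subject O is the made-up value 'Example'."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
           + _name(issuer_org, issuer_cn) + validity + _name("Example", subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    der = fetch_der(target) if target else sample_certificate(
        "Katello", "satellite.example.internal", "satellite.example.internal")
    print(classify(der))
```

Run it with an IP address as the first argument to check a live host; without arguments it classifies the constructed sample. The subject CN returned alongside the issuer is worth keeping: for a default Katello certificate it is the Satellite server's FQDN, which is often an internal hostname that tells you whose infrastructure has leaked onto the internet.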


Red Hat Satellite’s management system page

In some cases, a Foreman login page (shown below) appears instead of the Red Hat Satellite branding. Foreman is the upstream open source project that Red Hat Satellite is built on: it handles provisioning and lifecycle management for physical and virtual hosts, and Katello is a Foreman plugin that adds content management. A Foreman instance presenting a Katello-issued certificate is therefore the same kind of system, and an internet-exposed Foreman console carries the same risk as an exposed Satellite.


Administrator login page of Foreman, the upstream project that Red Hat Satellite is built on

For reference, below is a screenshot of a certificate issued by the Katello CA.


Screenshot of the certificate signed by Katello



This article draws on data from Criminal IP, a cyber threat intelligence search engine. Create a free Criminal IP beta service account today to see the search results cited in this report and to search more extensive threat intelligence. [Announcement] Criminal IP Global Beta goes live!

Reference : ExploitWareLabs