One of the available filters of Asset Search provided by Criminal IP is ssl_issuer_organization. This filter allows you to determine which institution’s certificate was used to sign an SSL protocol, such as HTTPS. For instance, if we examine the SSL certificate of criminalip.io, we can see that it is “Verified by” Sectigo Limited (formerly known as Comodo CA), which indicates that a Comodo SSL certificate was utilized.

To find certificates signed by Sectigo, you can utilize the ssl_issuer_organization filter in Asset Search as follows. As Sectigo is a reputable certificate institution, a large number of IP addresses can be discovered through this search.

ssl_issuer_organization:sectigo

Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature (ssl_issuer_organization)
Criminal IP’s SSL Certificate: “Verified by” is noted as “Sectigo Limited”
Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature (ssl_issuer_organization)
Search results for “ssl_issuer_organization:sectigo” on Criminal IP Asset Search

How to Use ssl_issuer_organization Filter to Search for “Red Hat Satellite”

Applying the same method, we can search for Red Hat Satellite, a remote management system that facilitates the distribution, organization, and maintenance of systems across physical, virtual, and cloud environments. While Satellite offers a convenient solution with provisioning, remote management, and monitoring for multiple Red Hat Enterprise Linux distributions using a centralized tool, it also poses a significant risk if exposed to attack surfaces since it can be controlled externally. To search for Red Hat Satellite, you can utilize the Katello certificate.

ssl_issuer_organization:Katello

Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature (ssl_issuer_organization)
Search results for “ssl_issuer_organization:Katello” on Criminal IP Asset Search

Through the search, you can verify the SSL certificate reflected in the HTTPS 443 port and Issuer Organization named Katello. If you access the corresponding IP address via a browser, you will see the interface for Red Hat Satellite’s remote management system. If the system is exposed to the attack surface and an authentication attack is launched, attackers may be able to penetrate the system and execute remote commands on the servers. This type of misconfiguration can pose a serious risk to attack surface management.

Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature (ssl_issuer_organization)
Red Hat Satellite’s management system page

In some cases, Foreman may appear instead of Red Hat SatelliteForeman is an open-source application used for provisioning and lifecycle management in physical and virtual systems and is considered a front-end system used in conjunction with the Red Hat family by some experts. Like Red Hat Satellite, Foreman is vulnerable to being exposed to the attack surface.

Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature (ssl_issuer_organization)
Foreman’s administration page: A front-end system used with the Red Hat Family

As a reference, below is the screenshot of a certificate signed with Katello.

Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature (ssl_issuer_organization)
Screenshot of the certificate signed by Katello
Search for Remote Management Systems Exposed to Attack Surface Using SSL Certificate Search Feature (ssl_issuer_organization)
Screenshot of the certificate signed by Katello

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence. [Criminal IP’s Official Service Release]

Reference: ExploitWareLabs