SpiderFoot HX module now available for Bad Packets® CTI

What is SpiderFoot HX?

SpiderFoot HX is the premium, subscription-based version of the open-source intelligence (OSINT) tool SpiderFoot that offers additional performance enhancements and data visualization capabilities.

What is SpiderFoot HX used for?

SpiderFoot automates the OSINT process by gathering data from cybersecurity-related research resources such as Archive.org, BinaryEdge, HaveIBeenPwned, Spamhaus, urlscan.io, VirusTotal, and more. SpiderFoot generates a summarized threat intelligence report for indicators such as:

  • IP addresses
  • Domain names
  • Email addresses

Bad Packets® CTI SpiderFoot HX module prerequisites

How to configure Bad Packets® CTI SpiderFoot HX module

Before you can access Bad Packets® CTI in SpiderFoot HX, you must configure your API key.

  1. Log into your SpiderFoot HX instance
  2. Go to the Configure menu and select Modules…
  3. In the Module Settings dropdown menu, select Bad Packets
  4. Insert your Bad Packets® CTI API key and click Save
Configure your Bad Packets® CTI API key via the Module Settings page

How to run a SpiderFoot HX scan

  1. Open the Scan menu
  2. Click the + icon to start a new scan
  3. Input a target IP address for the scan then click Run Scan Now

Example Use Cases

Opportunistic mass scanning activity continues to target enterprise-grade VPN endpoints such as Citrix (NetScaler) Gateway, Pulse Secure VPN, and Fortinet SSL-VPN servers. Unpatched versions of these products are susceptible to CVE-2019-19781, CVE-2019-11510, and CVE-2018-13379 respectively. These vulnerabilities have been widely observed as the initial vector of compromise for ransomware attacks.

A SpiderFoot HX bulk scan of the following hosts will reveal which of these vulnerabilities each host was observed attempting to exploit:

DDoS malware botnets are constantly scanning the internet for vulnerable consumer routers and IoT devices. Using the Bad Packets® CTI module for SpiderFoot HX, you can scan hosts in peer-to-peer (P2P) botnets, such as Mozi, to find out what type of devices are being targeted and exploited.

Bad Packets® CTI also detects exploit attempts targeting enterprise platforms. The Australian Cyber Security Centre (ACSC) recently published a report detailing a sophisticated state-based threat actor targeting vulnerable Microsoft® SharePoint (CVE-2019-0604) and Telerik UI servers.

The example hosts below were observed by our honeypots attempting to exploit these vulnerabilities.

How to access Bad Packets® CTI in SpiderFoot HX

  1. Open your scan results
  2. Click Browse By… and select Module
  3. Open the Bad Packets module

Need Help?

SpiderFoot HX documentation provides additional installation and configuration resources. Please contact us if you need to purchase a Bad Packets® CTI API key.

About Bad Packets® CTI

Bad Packets provides critical vulnerability data to government CERT teams and ISAC organizations worldwide. We monitor emerging cyber threats targeting enterprise networks, internet of things (IoT) devices, and cloud computing environments.

Bad Packets® CTI is continuously updated with the latest indicators as new threats are detected. A curated feed of exploit activity, malware payloads, and command-and-control (C2) servers used by threat actors is available via our RESTful API endpoint.

Follow us on Twitter for the latest updates.
