What is SpiderFoot HX?
SpiderFoot HX is the premium, subscription-based version of the open-source intelligence (OSINT) tool SpiderFoot that offers additional performance enhancements and data visualization capabilities.
What is SpiderFoot HX used for?
SpiderFoot automates the OSINT process by gathering data from cybersecurity-related research resources such as Archive.org, BinaryEdge, HaveIBeenPwned, Spamhaus, urlscan.io VirusTotal, and more. SpiderFoot generates a summarized threat intelligence report for indicators such as:
- IP addresses
- Domain names
- Email addresses
Bad Packets® CTI SpiderFoot HX module prerequisites
How to configure Bad Packets® CTI SpiderFoot HX module
Before you can access Bad Packets® CTI in SpiderFoot HX, you must configure your API key.
- Log into your SpiderFoot HX instance
- Go to the Configure menu and select Modules…
- In the Module Settings dropdown menu, select Bad Packets
- Insert your Bad Packets CTI® API key and click Save
How to run a SpiderFoot HX scan
- Open the Scan menu
- Click the + icon to start a new scan
- Input a target IP address for the scan then click Run Scan Now
Example Use Cases
Opportunistic mass scanning activity continues to target enterprise-grade VPN endpoints such as Citrix (NetScaler) Gateway, Pulse Secure VPN, and Fortinet SSL-VPN servers. Unpatched versions of these products susceptible to vulnerabilities CVE-2019-19781, CVE-2019-11510, and CVE-2018-13379 respectively. These vulnerabilities have been widely observed as the initial vector of compromise for ransomware attacks.
A SpiderFoot HX bulk scan of the following hosts will reveal which specific vulnerabilities were exploited:
DDoS malware botnets are constantly scanning the internet for vulnerable consumer routers and IoT devices. Using the Bad Packets® CTI module for SpiderFoot HX, you can scan hosts in peer-to-peer (P2P) botnets, such as Mozi, to find out what type of devices are being targeted and exploited.
Bad Packets® CTI also detects exploit attempts targeting enterprise platforms. The Australian Cyber Security Centre (ACSC) recently published a report detailing a sophisticated state-based actor threat actors targeting vulnerable Microsoft® SharePoint (CVE-2019-0604) and Telerik UI servers.
The example hosts below were detected by our honeypots targeting these vulnerabilities.
How to access Bad Packets® CTI in SpiderFoot HX
- Open your scans results
- Click Browse By… and select Module
- Open the Bad Packets module
About Bad Packets® CTI
Bad Packets provides critical vulnerability data to government CERT teams and ISAC organizations worldwide. We monitor emerging cyber threats targeting enterprise networks, internet of things (IoT) devices, and cloud computing environments.
Bad Packets® CTI is continuously updated with the latest indicators as new threats are detected. A curated feed of exploit activity, malware payloads, and command-and-control (C2) servers used by threat actors is available via our RESTful API endpoint.
Follow us on Twitter for the latest updates.