Query Assistant improvements in the Platform and seventeen risks enabled for ASM.
Platform
- You no longer need to click the generate button to convert natural language input into a Censys Query Language query using the Query Assistant. Instead, the Query Assistant now automatically converts natural language input after you enter it.
ASM
The following risks are now enabled for all ASM customers.
Risk name | Description | Severity |
---|---|---|
ATG (Automatic Tank Gauging) Service Exposed | This service is running Automatic Tank Gauging (ATG) protocol used for monitoring fuel tanks and fluid levels in critical infrastructure. ATG systems control fuel distribution, inventory management, and leak detection systems. Exposure allows attackers to manipulate fuel readings, cause environmental damage, or disrupt operations. | Critical |
OPC UA Service Exposed | This service is running OPC Unified Architecture (OPC UA), a critical industrial communication protocol used for data exchange between industrial equipment, SCADA systems, and manufacturing execution systems. Exposed OPC UA servers allow attackers to read sensitive operational data, modify control parameters, or disrupt industrial processes. | Critical |
GE SRTP Service Exposed | This service is running GE SRTP (General Electric Service Request Transport Protocol), used for communication with GE industrial control systems, PLCs, and automation equipment. GE SRTP enables configuration, monitoring, and control of critical infrastructure equipment. Exposure allows attackers to access control systems, modify operational parameters, or cause equipment failures. | Critical |
PCWORX Service Exposed | This service is running PCWORX protocol, used by Phoenix Contact PLCs and industrial automation systems. PCWORX enables programming, configuration, and real-time communication with industrial controllers in manufacturing, building automation, and process control applications. Exposure allows attackers to read/write PLC programs, modify control logic, or disrupt automated processes. | Critical |
IEC 60870-5-104 Service Exposed | This service is running IEC 60870-5-104, a critical power system communication protocol used for telecontrol and SCADA in electrical power systems. This protocol controls power generation, transmission, and distribution infrastructure. Exposure allows attackers to manipulate power grid operations, cause blackouts, or damage electrical equipment. | Critical |
MMS (Manufacturing Message Specification) Service Exposed | This service is running Manufacturing Message Specification (MMS), an ISO standard for real-time communication in industrial automation systems. MMS enables communication between SCADA systems, DCS controllers, and manufacturing equipment. Exposure allows attackers to read critical process data, modify control parameters, or disrupt manufacturing operations. | High |
HART Service Exposed | This service is running HART (Highway Addressable Remote Transducer) protocol, used for communication with smart field devices in process automation. HART enables digital communication with sensors, transmitters, and actuators in chemical plants, refineries, and other industrial facilities. Exposure allows attackers to read process measurements, modify device configurations, or disrupt critical control loops. | High |
UBIQUITI Service Exposed | This service is designed for Ubiquiti device management and configuration. Ubiquiti devices often have default credentials and known vulnerabilities, making them attractive targets for attackers seeking to gain network access or use devices in botnet attacks. | High |
NETIS Service Exposed | This service is running the NETIS router configuration protocol. NETIS routers have a well-known backdoor vulnerability (CVE-2014-2321) that allows unauthenticated remote access via UDP port 53413. This backdoor has been widely exploited by malware and botnets for gaining network access and launching attacks. | Critical |
SSDP Service Exposed | This service is running the Simple Service Discovery Protocol (SSDP), which is part of the UPnP protocol suite. SSDP is a major vector for DDoS amplification attacks with amplification factors up to 30x. It also exposes detailed device information that can be used for network reconnaissance and targeted attacks. | High |
WS-Discovery Service Exposed | This service is running Microsoft's Web Services Dynamic Discovery (WS-Discovery) protocol used for device and service discovery on networks. When exposed to the Internet, it can be abused for DDoS amplification attacks and allows attackers to gather detailed information about internal network devices and services. | Medium |
TP-Link Kasa Service Exposed | This service is running TP-Link Kasa smart home device management protocol. Exposed Kasa devices allow unauthorized users to control smart plugs, lights, cameras, and other IoT devices, potentially enabling privacy invasion, device manipulation, or using devices as entry points for further network attacks. | Medium |
Chromecast Service Exposed | This service is designed for Google Chromecast streaming and control functionality. Exposed Chromecast devices can allow unauthorized users to hijack media streaming, play unwanted content, or use the device as an entry point for network reconnaissance and attacks. | Medium |
Yahoo Smart TV Service Exposed | This service is designed for Yahoo Smart TV functionality and remote control capabilities. Exposed Smart TV services can be targets for unauthorized access, privacy invasion through camera/microphone access, or incorporation into IoT botnets for DDoS attacks. | Medium |
IOTA Service Exposed | This service is part of the IOTA distributed ledger technology ecosystem. Exposed IOTA nodes can be targets for cryptocurrency-related attacks, DDoS amplification, or exploitation of node software vulnerabilities. | Medium |
DCERPC Service Exposed | The Distributed Computing Environment / Remote Procedure Call (DCERPC) protocol is used by many Windows services for remote management, authentication, and service control. It operates by default over port 135/TCP. Exposure of DCERPC services to the internet can allow attackers to enumerate available services, exploit unpatched vulnerabilities, and potentially execute remote code. DCERPC should never be exposed directly to the internet without strict access controls. | High |
WINRM Service Exposed | Windows Remote Management (WinRM) is a Microsoft protocol used for remotely managing Windows systems via PowerShell and other tools. While powerful for automation and administration, exposing WinRM to the internet is dangerous because it can allow attackers to execute remote commands, especially if weak or default credentials are in use. It supports basic and NTLM authentication, which can be intercepted or brute-forced, particularly over unencrypted HTTP (port 5985). Without proper safeguards like VPN access, strong authentication, and firewalls, an exposed WinRM service is a high-risk entry point for attackers. | High |