INSIGHTS FROM ENGINEERS
Cyber Attackers: Why They Want Your Data
Why would hackers want my data? This is a question I get quite often when talking to clients and individuals while speaking on security and securing infrastructure.
The answer really isn’t that complicated. Attacks are usually performed on devices that are used by the masses. Think of it as fishing by the numbers: where can I fish to get the largest catch?
By and large, hackers go after your data for the following reasons:
- Identity Theft
- Stealing Infrastructure
- Data Ransom
- Just Because
How do they do this? They search for vulnerabilities.
First, they have to know where the compromises are going to be, so hackers look for vulnerabilities in hardware and software. Some of these vulnerabilities (CVEs) are known but not patched. Other times, hackers just get lucky.
To determine where to fish, attackers use tools like masscan. It produces similar results to what nmap produces, but it is much faster. I have heard it described that if nmap is a scalpel then masscan is a blowtorch. Masscan is the fastest internet port scanner. It transmits at 10 million packets per second. (Let me just say, make sure that you know what you are doing before running masscan. It is a good way to get kicked off your hosting provider if you start scanning the internet from your host.)
Attackers take the known vulnerabilities in software applications, hardware devices, firmware and the like, and use that data to scan for targets. If you have an application or device that falls into the category (one with a known vulnerability), then you are going to be attacked and compromised.
If you are not savvy enough to use the utilities that the attackers are using, there is an internet service called Shodan. Shodan will show you exactly what is out there on the internet, including what you have exposed that the rest of the world can see.
While Google and other search engines index only the web, Shodan indexes pretty much everything else: web cams, water treatment facilities, medical devices, traffic lights, wind turbines, boats, cars, license plate readers, smart TVs, refrigerators, anything and everything you could possibly imagine that’s connected to the internet, along with other things that often should not be connected to the internet. This is much like what attackers see when they use tools like masscan.
Services running on open ports announce themselves with banners. A banner publicly declares to the entire internet what service it offers and how to interact with it. While Shodan does not index web content, it does query ports 80 and 443. Other services on other ports offer service-specific information. That does not mean that the published banner is correct. In most cases, it is, and in any event publishing a deliberately misleading banner is merely security by obscurity.
Utilize these same tools to secure your network.
On the security side, you can use these tools to gain knowledge of your own infrastructure and determine what needs to be defended or removed. You can’t play defense if you don’t know what you must defend, and this is equally true at the enterprise level and for society as a whole.
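One way to turn a scan of your own address range into a list of things to defend or remove is to diff it against an inventory of what is meant to be exposed. This is an added example, not code from the original article; the scan-output line layout, the sample addresses and the `APPROVED` inventory are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample from scanning your OWN range (192.0.2.0/24 is a
# documentation block). The "state proto port ip timestamp [banner]" line
# layout is an assumption; adapt parse_scan() to your scanner's real output.
SCAN_RESULTS = """\
#masscan
open tcp 443 192.0.2.10 1700000000
open tcp 22 192.0.2.10 1700000000
open tcp 3389 192.0.2.20 1700000001
open tcp 554 192.0.2.31 1700000002
banner tcp 554 192.0.2.31 1700000002 rtsp RTSP/1.0 200 OK
# end
"""
# Hypothetical inventory of services that are meant to be reachable.
APPROVED = {"192.0.2.10": {("tcp", 443)}, "192.0.2.40": {("tcp", 25)}}

def parse_scan(text):
    """Return ({ip: {(proto, port)}}, {(ip, proto, port): banner text})."""
    open_ports, banners = defaultdict(set), {}
    for line in text.splitlines():
        fields = line.split(None, 5)
        if line.startswith("#") or len(fields) < 5 or not fields[2].isdigit():
            continue  # comments, blank or malformed lines
        state, proto, port, ip = fields[0], fields[1], int(fields[2]), fields[3]
        if state == "open":
            open_ports[ip].add((proto, port))
        elif state == "banner" and len(fields) == 6:
            banners[(ip, proto, port)] = fields[5]
    return dict(open_ports), banners

def diff(have, want):
    """Sorted (ip, proto, port) entries present in `have` but not in `want`."""
    return sorted((ip, proto, port) for ip, ports in have.items()
                  for proto, port in ports - want.get(ip, set()))

def exposure_report(open_ports, approved):
    """Unexpected exposures, and approved services the scan did not see."""
    return diff(open_ports, approved), diff(approved, open_ports)

if __name__ == "__main__":
    ports, banners = parse_scan(SCAN_RESULTS)
    unexpected, not_seen = exposure_report(ports, APPROVED)
    for ip, proto, port in unexpected:  # candidates to patch, firewall or remove
        print("UNEXPECTED", ip, f"{port}/{proto}", banners.get((ip, proto, port), ""))
    for ip, proto, port in not_seen:    # stale inventory or a service that is down
        print("NOT SEEN", ip, f"{port}/{proto}")
```

Entries reported as unexpected are the ones to patch, firewall or take off the internet; entries not seen point to a stale inventory or a service that is down.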
Here is the takeaway: the attackers are going to attack. If you fit the profile (software application or hardware), you are going to get hit. Just like the other fish that get caught in the net, you are going to get cooked. Research and find your vulnerabilities, patch the required systems when CVEs are announced, and remove outside access to devices that need to be private.
“…they have to know where the compromises are going to be, so hackers look for vulnerabilities in hardware and software.” – Todd Ellis, CTO, Secure Networkers