Energy companies overlook numerous exposed services.
A recent report from SixMap reveals that many of America’s largest energy providers are vulnerable to known and exploitable security risks, often without the awareness of their security teams. Researchers evaluated the external attack surfaces of 21 major energy companies, analysing nearly 40,000 IP addresses and scanning all 65,535 ports per host. The findings indicate a landscape marked by persistent risk, blind spots, and outdated security tools. In total, the companies had 58,862 services exposed to the Internet, with approximately 7 per cent, or nearly 4,000 services, operating on non-standard ports that are typically excluded from default scans conducted by most exposure management tools. This lack of visibility suggests that many security teams may not be aware of the vulnerabilities present in their systems.
The report highlights that several services known to be vulnerable, such as HTTP, SSH, SMTP, and DNS, were found running on ports far outside their standard configurations. SixMap identified 304 vulnerable services on non-standard ports, including 21 Common Vulnerabilities and Exposures (CVEs) that are actively exploited in the wild. The research uncovered a total of 5,756 CVEs, with 377 of these being actively targeted by attackers, including notorious groups like Silent Chollima from North Korea, ExCobalt from Russia, and Ethereal Panda from China. Notably, 43 unique CVEs were found across the external attack surfaces of at least 10 of the 21 evaluated energy sector organisations, indicating systemic risks that could facilitate widespread attacks. The report also noted that every organisation assessed had at least one IPv6 address in use, with some having over 30 per cent of their hosts on IPv6, further complicating their security posture due to traditional tools’ inability to discover these hosts.
Categories: Vulnerabilities, Security Risks, Exposure Management
Tags: Energy Providers, Vulnerabilities, Security Teams, External Attack Surface, CVEs, Non-Standard Ports, IPv6 Exposure, Legacy Security, Exposure Management, Systemic Risks