Attacks/Breaches

5/5/2016
10:55 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Proof-of-Concept Exploit Sharing Is On The Rise

Research offers cyber defenders view of which POC exploits are being shared and distributed by threat actors.

Approximately 12,000 references to shared Proof-of-Concept software exploits were generated over the last year, with significant distribution amongst threat actors and researchers, according to a new report.

This represents nearly a 200% increase in POC references compared to 2014, culled from a wide range of sources including social media, security researcher blogs and forums, hacker chats and forums, and hidden websites on the Dark Web, according to Nicholas Espinoza, senior solutions engineer with Recorded Future, and an author of the report Prove It: The Rapid Rise of 12,000 Shared Proof-of-Concept Exploits.

Approximately 12,000 references to POCs were identified within Recorded Future’s dataset from March 22, 2015 to the present.  For a defender that’s a lot of vulnerabilities and attack vectors to track, Espinoza says. 

The threat intelligence company gleans POC information from hundreds of thousands of sources and ingests the data into its intelligence platform to make it more searchable. 

Proof-of-Concept code is typically developed by security researchers, academics, and industry professionals to demonstrate possible vulnerabilities in software and operating systems, and to show the security risks of a particular method of attack. Malicious hackers develop and exploit the code to attack vulnerable applications, networks and systems.

“With 12,000 conversations occurring about Proof-of-Concept exploits, there is certainly just too much information to cover,” Espinoza says.  Many security and product vendors will inform customers when vulnerabilities are discovered in their software and provide patches to fix them. The more difficult discussion, though, is to determine which of the 100 vulnerabilities on my system, are exploitable, Espinoza says.

Vendors try their best to maintain situational awareness and organizations such as the National Institute of Standards and Technology are working to track and identify vulnerabilities that have the “existence of exploits.”  However, POC exploits are developing “at such an insane speed there is no one to manage it,” says Espinoza.  A lot is being missed and only being reported, in many cases, a week or so after the exploit is in the wild, he says.

Shared Via Social Media

The report shows that POCs are disseminated primarily via social media platforms such as Twitter. Users are flagging POCs to view externally in a range of sources including code repositories like GitHub, paste sites like Pastebin, social media sites such as Facebook and Reddit, and Chinese and Spanish Deep Web forums, according to the report.

Sharing of POCs makes sense because researchers and others who want to make the findings public need to share their information in public-facing and high-visibility forums.  “There’s a significant “echo” effect seen in the data, though, with other users retweeting or re-syndicating original content with a slightly different tweet,” the report says.

Vulnerabilities that allow initial system access through privilege escalation and buffer overflow attacks are the primary focus of POC development, research indicates.

The primary POC targets are companies that create popular consumer software and products such as Adobe, Google, Microsoft and VMware.  The underlying technologies being targeted include smartphones, office productivity software as well as core functions in Microsoft Windows and Linux machines such as DNS requests and HTTP requests.

Some of the top POC vulnerabilities discussed or shared over the past year include:

  • GNU C Library vulnerability that allows buffer overflow attacks through malicious DNS resources (CVE-2015-7547 (glibc)).
  • Microsoft Windows Server vulnerability allowing remote code execution. (CVE-2015-1635 / MS15-034).
  • Microsoft Windows Server vulnerability allowing local privilege escalation. (CVE-2016-0051).
  • Virtualization platform vulnerability allowing the execution of arbitrary code to escape virtual machines. (CVE-2015-3456)
  • Windows Remote Procedure Call vulnerability allowing local privilege escalation. (CVE-2015-2370 / MS15-076).

The report helps “shed light on not just the classes of vulnerabilities out there, but what is the active interest in the threat actor community,” says Rodrigo Bijou, an independent security researcher focused on intelligence, information security, and analytics

“It’s tough to say what is signal and what is noise when you are building a threat intelligence environment, pulling feeds from all the vulnerabilities of the day,” he says. For example, a security engineer might find a vulnerability that has a common vulnerability score of 10, which appears critical. “It might look like a gnarly vulnerability, but is it being exploited and have an interest in the threat actor community?”

“It is hard to say what vulnerabilities are necessarily in use until you actually take a look at the adversary.”  So it is useful to see what is being distributed by the various types of threat actors, Bijou says.

Related Content:

 

 

 

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
6 CISO Resolutions for 2019
Ericka Chickowski, Contributing Writer, Dark Reading,  12/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: When Harry Met Sally
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7690
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
CVE-2018-7691
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
CVE-2018-8033
PUBLISHED: 2018-12-13
The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitati...
CVE-2018-20127
PUBLISHED: 2018-12-13
An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds.
CVE-2018-20128
PUBLISHED: 2018-12-13
An issue was discovered in UsualToolCMS v8.0. cmsadmin\a_sqlback.php allows remote attackers to delete arbitrary files via a backname[] directory-traversal pathname followed by a crafted substring.