
Threat Intelligence

2/6/2018
02:30 PM
Rami Sass
Commentary

AutoSploit: Mass Exploitation Just Got a Lot Easier

But the response to the new hacking tool, now readily available to the masses of script kiddies, has been a mix of outrage, fear, some applause, and more than a few shrugs.

Hacking, like any form of security, is a numbers game. Attackers, even very capable ones, are limited in the number of targets they can hit by the resources at their disposal. A larger team can seek out more targets and ping them for vulnerabilities, but there are only so many hours in the day to compile lists of potential systems to p0wn, find the right exploit to break into each one, and make off with the goods.

Now a new hacking program, AutoSploit, released last week on GitHub by a security researcher and hacker who uses the Twitter nom de guerre VectorSEC, is upending this balance between resources and reach.

AutoSploit is an apt name for this new tool, which automates the majority of the hacking process. VectorSEC has combined two existing tools: Shodan.io, which works like Google for searching out connected devices, and the penetration testing framework Metasploit, to create something interesting to some and dangerous to others. Essentially, the program uses the Shodan API to find potential targets. As VectorSEC explains on his GitHub page, "The program allows the user to enter their platform specific search query such as Apache, IIS, etc, upon which a list of candidates will be retrieved."

Apache, for example, is a very commonly used open source project, which GitHub shows to have over 9 million commits. In a project that large, many libraries are likely to have vulnerable versions that could be exploited, and that is where VectorSEC brings in Metasploit. Instead of looking up which versions of Apache (or any other project the hacker wants to target) have known vulnerabilities, AutoSploit uses a "Hail Mary" method: it throws every available exploit at the system until it either determines there are no holes or hits paydirt. The bad news: because the entire process is automated, it could be used by low-level hackers for great gain. It is safe to say that the thousands of organizations using popular Apache projects such as Struts and Tomcat could find themselves in a world of hurt if their systems are not patched.
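The "Hail Mary" approach leaves a recognisable footprint on the target: one source hitting many different paths in a short burst, most of them failing. The following Python detector, an added example rather than code from the article or from AutoSploit, flags that pattern in Apache combined-format access logs. The log lines are constructed samples, and the window and threshold values are assumptions to tune to a site's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic): one ordinary visitor and one source spraying many distinct requests.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2018:14:30:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Feb/2018:14:30:02 +0000] "GET /manager/html HTTP/1.1" 401 0 "-" "python-requests/2.18"
198.51.100.9 - - [06/Feb/2018:14:30:03 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "python-requests/2.18"
198.51.100.9 - - [06/Feb/2018:14:30:04 +0000] "POST /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "python-requests/2.18"
198.51.100.9 - - [06/Feb/2018:14:30:05 +0000] "GET /console/ HTTP/1.1" 404 0 "-" "python-requests/2.18"
198.51.100.9 - - [06/Feb/2018:14:30:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "python-requests/2.18"
198.51.100.9 - - [06/Feb/2018:14:30:07 +0000] "GET /solr/ HTTP/1.1" 404 0 "-" "python-requests/2.18"
203.0.113.7 - - [06/Feb/2018:14:31:00 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(lines):
    """Yield (ip, timestamp, path, status) for each well-formed combined-format line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            yield m['ip'], ts, m['path'], int(m['status'])

def find_exploit_sprays(lines, window=timedelta(seconds=60), min_paths=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_paths, failures, requests)} for sources whose requests within any
    `window` touch at least min_paths distinct paths with mostly 4xx/5xx results (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in parse(lines):
        by_ip[ip].append((ts, path, status))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):  # sliding time window over this source's requests
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            paths = {p for _, p, _ in chunk}
            fails = sum(1 for _, _, s in chunk if s >= 400)
            if len(paths) >= min_paths and fails / len(chunk) >= min_fail_ratio:
                cand = (len(paths), fails, len(chunk))
                best = cand if best is None or cand > best else best
        if best:
            hits[ip] = best
    return hits
```

Feeding a real access log to `find_exploit_sprays` yields the spraying sources; the ordinary visitor in the sample is never flagged because its two requests succeed and touch only two paths.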

Mixed Reaction
So far the response to AutoSploit has been a mix of outrage, fear, some applause, and more than a few shrugs. Many have voiced concern that the tool could change the battlefield of security from a game of bows and arrows to one of carpet bombing, calling VectorSEC wildly irresponsible for putting a cyber weapon of this sort out for public consumption. Although these two tools have been around for some time, it is the combination of them in a single package that has folks worried. Others, like security expert Dan Tentler, point out that by taking two tools that can cause trouble on their own and then combining them in an automated process, VectorSEC has dumbed down the field of hacking.

The idea of people using tools developed by others for carrying out hacks is hardly new. Black markets for exploit kits have been around for years, populated by criminals who lack the proper technical understanding to write the malware themselves. However, by posting his tool on GitHub as open source under a GNU license for all to play with, VectorSEC has taken the hacking of systems to a whole new level with increased availability.

Those who view AutoSploit as a positive measure contend that by making exploitation so easy and available to the masses of script kiddies, it could encourage organizations to really implement solutions that can keep them safe not only from this exploit kit but from more-experienced hacker teams as well.

In the meantime, others in the open source community have stepped up to prevent some of the worst potential damage from AutoSploit. Security expert Jerry Gamblin posted to GitHub his own bit of code that he says will block Shodan from being able to scan your systems. However, it is questionable whether this response will be widely adopted, given the software industry's generally poor record at applying critical patches even when the project maintainers themselves announce them.

Rami Sass is CEO and co-founder of WhiteSource. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity. Before founding WhiteSource, Rami ...
Comments
aumickmanuela
User Rank: Strategist
2/7/2018 | 9:57:22 AM
Example
What other examples can you add? Any other projects? 
ragediver24
User Rank: Strategist
2/8/2018 | 8:34:57 PM
MSF and Mobile
Will this work for mobile devices as well? Since MSF can hack Android on Kali? 
Ram.Sass
User Rank: Author
2/15/2018 | 7:29:02 AM
Re: MSF and Mobile
So the short answer is probably not a big issue for mobile at this point. As far as I know, Shodan searches only for IP addresses, finding the folks who were negligent in adding protections. Mobile only really has an IP when it connects to a router for wifi connectivity. Android, arguably the largest open source project, would probably have quite a number of exploits that could be hit, but I'm not sure that Autosploit would really know how to find the devices, since it is dependent on Shodan for building its target list. I hope that this makes sense. I'll of course be following this story to see how it evolves.
Ram.Sass
User Rank: Author
2/11/2018 | 11:19:50 AM
Re: Example
At this point, it's hard to tell which projects it will impact most, but we can assume that the most popular ones will be most affected since there are more targets to hit with this wide net approach. For example, a lot of IoT type devices (which are basically small servers) are based on Linux-based toolkits and are rarely if ever patched. What will be interesting to follow is whether this leads to more folks getting on top of their patching ops, although this is unlikely to make it to the airwaves.