Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/5/2016
10:55 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Proof-of-Concept Exploit Sharing Is On The Rise

Research offers cyber defenders view of which POC exploits are being shared and distributed by threat actors.

Approximately 12,000 references to shared Proof-of-Concept software exploits were generated over the last year, with significant distribution amongst threat actors and researchers, according to a new report.

This represents nearly a 200% increase in POC references compared to 2014, culled from a wide range of sources including social media, security researcher blogs and forums, hacker chats and forums, and hidden websites on the Dark Web, according to Nicholas Espinoza, senior solutions engineer with Recorded Future, and an author of the report Prove It: The Rapid Rise of 12,000 Shared Proof-of-Concept Exploits.

Approximately 12,000 references to POCs were identified within Recorded Future’s dataset from March 22, 2015 to the present.  For a defender that’s a lot of vulnerabilities and attack vectors to track, Espinoza says. 

The threat intelligence company gleans POC information from hundreds of thousands of sources and ingests the data into its intelligence platform to make it more searchable. 

Proof-of-Concept code is typically developed by security researchers, academics, and industry professionals to demonstrate possible vulnerabilities in software and operating systems, and to show the security risks of a particular method of attack. Malicious hackers develop and exploit the code to attack vulnerable applications, networks and systems.

“With 12,000 conversations occurring about Proof-of-Concept exploits, there is certainly just too much information to cover,” Espinoza says.  Many security and product vendors will inform customers when vulnerabilities are discovered in their software and provide patches to fix them. The more difficult discussion, though, is to determine which of the 100 vulnerabilities on my system, are exploitable, Espinoza says.

Vendors try their best to maintain situational awareness and organizations such as the National Institute of Standards and Technology are working to track and identify vulnerabilities that have the “existence of exploits.”  However, POC exploits are developing “at such an insane speed there is no one to manage it,” says Espinoza.  A lot is being missed and only being reported, in many cases, a week or so after the exploit is in the wild, he says.

Shared Via Social Media

The report shows that POCs are disseminated primarily via social media platforms such as Twitter. Users are flagging POCs to view externally in a range of sources including code repositories like GitHub, paste sites like Pastebin, social media sites such as Facebook and Reddit, and Chinese and Spanish Deep Web forums, according to the report.

Sharing of POCs makes sense because researchers and others who want to make the findings public need to share their information in public-facing and high-visibility forums.  “There’s a significant “echo” effect seen in the data, though, with other users retweeting or re-syndicating original content with a slightly different tweet,” the report says.

Vulnerabilities that allow initial system access through privilege escalation and buffer overflow attacks are the primary focus of POC development, research indicates.

The primary POC targets are companies that create popular consumer software and products such as Adobe, Google, Microsoft and VMware.  The underlying technologies being targeted include smartphones, office productivity software as well as core functions in Microsoft Windows and Linux machines such as DNS requests and HTTP requests.

Some of the top POC vulnerabilities discussed or shared over the past year include:

  • GNU C Library vulnerability that allows buffer overflow attacks through malicious DNS resources (CVE-2015-7547 (glibc)).
  • Microsoft Windows Server vulnerability allowing remote code execution. (CVE-2015-1635 / MS15-034).
  • Microsoft Windows Server vulnerability allowing local privilege escalation. (CVE-2016-0051).
  • Virtualization platform vulnerability allowing the execution of arbitrary code to escape virtual machines. (CVE-2015-3456)
  • Windows Remote Procedure Call vulnerability allowing local privilege escalation. (CVE-2015-2370 / MS15-076).

The report helps “shed light on not just the classes of vulnerabilities out there, but what is the active interest in the threat actor community,” says Rodrigo Bijou, an independent security researcher focused on intelligence, information security, and analytics

“It’s tough to say what is signal and what is noise when you are building a threat intelligence environment, pulling feeds from all the vulnerabilities of the day,” he says. For example, a security engineer might find a vulnerability that has a common vulnerability score of 10, which appears critical. “It might look like a gnarly vulnerability, but is it being exploited and have an interest in the threat actor community?”

“It is hard to say what vulnerabilities are necessarily in use until you actually take a look at the adversary.”  So it is useful to see what is being distributed by the various types of threat actors, Bijou says.

Related Content:

 

 

 

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3931
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.