Threat actors quick to exploit proof-of-concept code

A large international honeypot network has shown how at-risk business applications may be targeted by threat actors just days after researchers share details about how new vulnerabilities can be exploited.

In one case, researchers observed active exploitation of a high-profile vulnerability on the network six days after proof-of-concept (PoC) code, which outlines how to take advantage of a bug, was posted online.

Trustwave SpiderLabs set up the honeypot network covering the U.S., the UK, Russia, China, Ukraine and Poland. Over a six-month period, its researchers collected and analyzed data from more than 38,000 unique IP addresses and downloaded over 1,100 unique payloads served during exploitation attempts.

In a Wednesday blog post, researchers Pawel Knapczyk and Wojciech Cieslak said the study’s findings demonstrated how quickly threat actors were leveraging new exploits after PoCs are posted.

In February, Fortinet patched a critical FortiNAC bug, CVE-2022-39952. The following week, security researchers released proof-of-concept exploit code for the vulnerability and active exploitation of the bug was seen in the honeypot network six days later.

“All the observed attackers used modified versions of the public PoC codes,” the researchers said.

“We observed some attackers giving just minimal effort, modifying only the C2 (command-and-control) server IP address, and leaving default names like ‘payload’ in their exploits.”

In an email to SC Media, Ziv Mador, vice president of security research for Trustwave SpiderLabs, said while PoCs were a valuable tool for helping security teams harden systems against vulnerabilities, threat actors often took advantage of them to target vulnerable systems that had not yet been patched.

“Striking a perfect balance in this scenario can be challenging as even without publicly available PoCs, threat actors can still reverse engineer the patches, develop functional exploits, and communicate or sell them on underground forums,” Mador said.

“Restricting access to PoC code may hinder the development of accurate and effective detection measures for identifying and responding to exploitation attempts while the bad guys can still develop and use them.”

Other exploits caught in Trustwave SpiderLabs honeypot

Aside from the FortiNAC bug, the honeypot network was set up to also analyze the risks posed to other enterprise applications targeted by threat actors, including Fortra GoAnywhere MFT, Microsoft Exchange, Atlassian BitBucket, and F5 Big-IP.

Almost 19% of the web traffic recorded by Trustwave SpiderLabs on the network was malicious, with botnets found to be responsible for over 95% of the malicious traffic detected.

“The primary objective of these attacks was to upload a web shell, enabling attackers to carry out further actions against the potential victims that our sensors were mimicking,” the researchers said.

They found that Mozi, Kinsing, and Mirai botnets were responsible for 95% of the recorded exploit attempts.

“These malware families are the most widespread and their main objective is to exploit vulnerabilities in Internet-connected devices and assemble them into botnets used to either carry out Distributed Denial of Service (DDoS) attacks, or mine cryptocurrencies,” the report said.

Mador said the findings indicated that Mirai, Mozi and Kinsing were the most prevalent botnets that security teams should be aware of.

“Given that Mirai's source code is openly available, any individual with knowledge and skills can potentially utilize it to create their own versions equipped with the latest exploits.”

Mirai is best-known for co-opting Internet of Things (IoT) devices to launch DDoS attacks, while Mozi also infects IoT devices, including network gateways and routers.

Kinsing is a Golang-based malware designed to install XMRig cryptocurrency mining malware onto compromised systems.

In their report, the Trustwave SpiderLabs researchers said threat actors were increasingly using VPN services and “benign” IP addresses belonging to internet service providers which were not linked to previous malicious activity.

As a result, security teams could not rely solely on indicators of compromise (IOCs) as a means of detecting and mitigating attacks. “This evasion technique allows them [threat actors] to bypass traditional IOC-based detection mechanisms,” the report said.