Threat actors quick to exploit proof-of-concept code

A honeypot set out by Trustwave SpiderLabs researchers found attackers using proof-of-concept code six days after its release. (Adobe Stock Images)
A large international honeypot network has shown how at-risk business applications can be targeted by threat actors just days after researchers publish details of how new vulnerabilities can be exploited.

In one case, researchers observed active exploitation of a high-profile vulnerability on the network six days after proof-of-concept (PoC) code, which outlines how to take advantage of a bug, was posted online.

Trustwave SpiderLabs set up the honeypot network covering the U.S., the UK, Russia, China, Ukraine and Poland. Over a six-month period, its researchers collected and analyzed data from more than 38,000 unique IP addresses and downloaded over 1,100 unique payloads served during exploitation attempts.

In a Wednesday blog post, researchers Pawel Knapczyk and Wojciech Cieslak said the study’s findings demonstrated how quickly threat actors leverage new exploits once PoCs are posted. In February, Fortinet patched a critical FortiNAC bug, CVE-2022-39952. The following week, security researchers released proof-of-concept exploit code for the vulnerability, and active exploitation of the bug was seen in the honeypot network six days later.

“All the observed attackers used modified versions of the public PoC codes,” the researchers said.

“We observed some attackers giving just minimal effort, modifying only the C2 (command-and-control) server IP address, and leaving default names like ‘payload’ in their exploits.”

In an email to SC Media, Ziv Mador, vice president of security research for Trustwave SpiderLabs, said that while PoCs were a valuable tool for helping security teams harden systems against vulnerabilities, threat actors often took advantage of them to target vulnerable systems that had not yet been patched.

“Striking a perfect balance in this scenario can be challenging as even without publicly available PoCs, threat actors can still reverse engineer the patches, develop functional exploits, and communicate or sell them on underground forums,” Mador said.

“Restricting access to PoC code may hinder the development of accurate and effective detection measures for identifying and responding to exploitation attempts while the bad guys can still develop and use them.”