
Botnets Rapidly Deploy Exploits Following Public Release of PoC


Attackers are wasting no time in turning proof-of-concept (PoC) code into real-world attacks, according to researchers at Trustwave. In their six-month experiment, they set up honeypots that mimicked popular enterprise appliances and discovered that attackers were exploiting vulnerabilities within a matter of days or weeks after the release of PoC code.

The researchers found that one vulnerability was targeted just six days after the PoC code became available, while another vulnerability was exploited within 17 days. These findings highlight the speed at which attackers can take advantage of published research to create workable exploits.

During the experiment, Trustwave observed that exploit scans accounted for 25% of HTTP and HTTPS requests, while actual attacks represented 19% of traffic to the honeypots. Interestingly, the attacks were primarily carried out by three specific botnets: Mozi, Mirai, and Kinsing.

Ziv Mador, Vice President of Security Research at Trustwave, warns that companies should assume that attackers have the ability to reverse engineer any patch and develop their own exploit, even without a PoC. He emphasizes the importance of staying vigilant and promptly applying patches to minimize the window of opportunity for threat actors.

Furthermore, the research reveals that attacks are being quickly automated by plugging into existing botnet infrastructure. Out of the traffic attempting to exploit the researchers’ honeypots, 73% came from the Mozi botnet, followed by 14% from the Kinsing botnet, and 9% from the Mirai botnet.

All three botnets target Internet of Things (IoT) and edge devices, such as managed file servers, mail servers, network gateways, and industrial control systems. Notably, Mozi initially infected network gateways and digital video recording devices before evolving to exploit vulnerabilities in network gateway appliances.

Allen West, a security researcher with Akamai, highlights the increasing aggression of Mozi in searching for unprotected IoT devices. He emphasizes that security has not historically been a priority for IoT devices, yet they make up a significant portion of the internet landscape. Attackers, particularly the Mirai botnet, have capitalized on this and built their operations around the vulnerability of IoT devices.

To conduct the research, Trustwave’s cybersecurity experts deployed honeypots in six different countries, emulating vulnerable enterprise networks. They collected data from over 38,000 IP addresses and observed various attack attempts. The honeypots were of the “medium-interaction” type: they engaged with attackers far enough to simulate a successful exploitation, but did not extend the deception beyond that basic level.

The honeypots detected attacks against various vulnerable products, including Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian Bitbucket, and F5 BIG-IP. For instance, an attack was detected against Fortra GoAnywhere MFT in both the US and UK, in which the attacker attempted to upload a previously unreported web shell. Additionally, attacks targeted a vulnerability in a Fortinet FortiNAC appliance within just six days of the release of PoC exploit code.

Considering the speed at which attackers exploit vulnerabilities, Trustwave suggests that organizations prioritize the patching of edge and IoT devices. Beyond patching, Ziv Mador also encourages companies to consider deploying honeypots of their own. Honeypots serve as an additional layer of defense, attracting attackers and providing valuable insights into their tactics and techniques.

In conclusion, the research by Trustwave highlights the urgent need for companies to stay vigilant, apply patches promptly, and prioritize the security of their edge and IoT devices. Attackers are adept at turning PoC code into real-world exploits, and organizations must be proactive in their defenses to minimize the window of opportunity for threat actors.
