Summary:
Researchers have discovered that attackers are swiftly leveraging proof-of-concept (PoC) code to launch real-world attacks. The study involved deploying honeypots mimicking common enterprise appliances, revealing that within six days of the release of PoC code, attackers began exploiting one vulnerability, and within 17 days, they were targeting another. The data showed that exploit scans accounted for 25% of HTTP and HTTPS requests, while actual attacks constituted 19% of traffic to the honeypots. Notably, three botnets—Mozi, Mirai, and Kinsing—were responsible for nearly all the attacks. Companies are advised to assume that attackers can reverse engineer patches and develop their own exploits, even without a PoC. Staying informed about newly discovered vulnerabilities and applying patches promptly is crucial to minimize the window of opportunity for threat actors.
The research also sheds light on the rapid automation of attacks by integrating them into existing botnet infrastructure. Among the traffic attempting to exploit the honeypots, 73% came from the Mozi botnet, 14% from Kinsing, and 9% from Mirai. These botnets primarily target the Internet of Things (IoT) and edge devices, such as managed file servers, mail servers, network gateways, and industrial control systems. Mozi, for example, started infecting network gateways and digital video recording devices but expanded to exploiting vulnerabilities in network gateway appliances. Recent updates to the Mirai botnet have added the capability to exploit bugs in Tenda and Zyxel networking appliances.
The honeypots interacted with attackers to some extent, using a medium-interaction approach that aimed to deceive intruders into believing their exploits had succeeded. However, the honeypots did not go beyond this basic level of interaction. After an exploit attempt, attackers typically ran commands like "wget" or "curl" to download the next stage of the attack. The honeypots, instead of executing the command, attempted to download the subsequent stage for analysis. While the honeypots captured several web shells commonly used by attackers, their medium-interaction nature prevented tracking of subsequent attacker actions.
Researchers’ honeypots detected attacks targeting various vulnerable applications, including Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian BitBucket, and F5 Big-IP. Notably, an attack against Fortra GoAnywhere MFT in the US and UK attempted to upload an undisclosed web shell. Another attack exploited a vulnerability in Fortinet FortiNAC within six days of PoC code release. Researchers highlight the need for organizations to implement proactive measures and promptly apply patches to minimize the opportunities for threat actors.
Threat Profile:
References:
The following reports contain further technical details: