Research offers cyber defenders view of which POC exploits are being shared and distributed by threat actors.
Approximately 12,000 references to shared Proof-of-Concept software exploits were generated over the last year, with significant distribution amongst threat actors and researchers, according to a new report.
This represents nearly a 200% increase in POC references compared to 2014, culled from a wide range of sources including social media, security researcher blogs and forums, hacker chats and forums, and hidden websites on the Dark Web, according to Nicholas Espinoza, senior solutions engineer with Recorded Future, and an author of the report Prove It: The Rapid Rise of 12,000 Shared Proof-of-Concept Exploits.
Approximately 12,000 references to POCs were identified within Recorded Future’s dataset from March 22, 2015 to the present. For a defender that’s a lot of vulnerabilities and attack vectors to track, Espinoza says.
The threat intelligence company gleans POC information from hundreds of thousands of sources and ingests the data into its intelligence platform to make it more searchable.
Proof-of-Concept code is typically developed by security researchers, academics, and industry professionals to demonstrate possible vulnerabilities in software and operating systems, and to show the security risks of a particular method of attack. Malicious hackers develop and exploit the code to attack vulnerable applications, networks and systems.
“With 12,000 conversations occurring about Proof-of-Concept exploits, there is certainly just too much information to cover,” Espinoza says. Many security and product vendors will inform customers when vulnerabilities are discovered in their software and provide patches to fix them. The more difficult discussion, though, is to determine which of the 100 vulnerabilities on my system, are exploitable, Espinoza says.
Vendors try their best to maintain situational awareness and organizations such as the National Institute of Standards and Technology are working to track and identify vulnerabilities that have the “existence of exploits.” However, POC exploits are developing “at such an insane speed there is no one to manage it,” says Espinoza. A lot is being missed and only being reported, in many cases, a week or so after the exploit is in the wild, he says.
Shared Via Social Media
The report shows that POCs are disseminated primarily via social media platforms such as Twitter. Users are flagging POCs to view externally in a range of sources including code repositories like GitHub, paste sites like Pastebin, social media sites such as Facebook and Reddit, and Chinese and Spanish Deep Web forums, according to the report.
Sharing of POCs makes sense because researchers and others who want to make the findings public need to share their information in public-facing and high-visibility forums. “There’s a significant “echo” effect seen in the data, though, with other users retweeting or re-syndicating original content with a slightly different tweet,” the report says.
Vulnerabilities that allow initial system access through privilege escalation and buffer overflow attacks are the primary focus of POC development, research indicates.
The primary POC targets are companies that create popular consumer software and products such as Adobe, Google, Microsoft and VMware. The underlying technologies being targeted include smartphones, office productivity software as well as core functions in Microsoft Windows and Linux machines such as DNS requests and HTTP requests.
Some of the top POC vulnerabilities discussed or shared over the past year include:
- GNU C Library vulnerability that allows buffer overflow attacks through malicious DNS resources (CVE-2015-7547 (glibc)).
- Microsoft Windows Server vulnerability allowing remote code execution. (CVE-2015-1635 / MS15-034).
- Microsoft Windows Server vulnerability allowing local privilege escalation. (CVE-2016-0051).
- Virtualization platform vulnerability allowing the execution of arbitrary code to escape virtual machines. (CVE-2015-3456)
- Windows Remote Procedure Call vulnerability allowing local privilege escalation. (CVE-2015-2370 / MS15-076).
The report helps “shed light on not just the classes of vulnerabilities out there, but what is the active interest in the threat actor community,” says Rodrigo Bijou, an independent security researcher focused on intelligence, information security, and analytics
“It’s tough to say what is signal and what is noise when you are building a threat intelligence environment, pulling feeds from all the vulnerabilities of the day,” he says. For example, a security engineer might find a vulnerability that has a common vulnerability score of 10, which appears critical. “It might look like a gnarly vulnerability, but is it being exploited and have an interest in the threat actor community?”
“It is hard to say what vulnerabilities are necessarily in use until you actually take a look at the adversary.” So it is useful to see what is being distributed by the various types of threat actors, Bijou says.
Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio