Insights into Malicious Traffic
5.1 Vulnerability Exploitation
Here we classify vulnerabilities into
- server vulnerabilities
- desktop application vulnerabilities
- device vulnerabilities
based on the host environment and business scenario in which the vulnerabilities exist. Server vulnerabilities reside in servers’ system services and programs, such as email services, HTTP services, and website scripting language parsing services, which are used to provide or support network management and actual business.
Desktop applications primarily provide document, multimedia, and host management functions. Common applications include various clients (such as browsers and email clients), antivirus software, office software, Flash Player, and PDF readers. Vulnerabilities in these types of software are frequently exploited, typically by malware that spreads through malicious emails or web pages that lure the user into executing it, quickly infecting the target host.
Device vulnerabilities have become an emerging and dangerous threat due to the proliferation of mobile devices and IoT devices globally.
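As an added illustration (not code from the report), the following Python script applies the same three-way classification to constructed IDS alert records. The alert line format and the CVE-to-class mapping are assumptions for this example; the CVE ids are ones this section lists later. It produces the per-class share and per-month counts that this kind of report presents.

```python
"""Classify exploitation alerts as server / application / device and
summarise share per class and alert volume per month.
Added example; alert format and signature mapping are constructed."""
import re
from collections import Counter
from datetime import datetime

# Hypothetical mapping from a signature's CVE id to the host-environment class.
CLASS_BY_CVE = {
    "CVE-2017-17215": "device",      # Huawei HG532 remote command execution
    "CVE-2014-8361": "device",       # Realtek SDK (used by JenX)
    "CVE-2013-6026": "device",       # D-Link user-agent backdoor
    "CVE-2017-0144": "server",       # Windows SMB (EternalBlue)
    "CVE-2017-7494": "server",       # Samba (EternalRed)
    "CVE-2018-4878": "application",  # Adobe Flash Player
    "CVE-2018-0802": "application",  # Office equation editor
    "CVE-2016-7287": "application",  # Internet Explorer memory corruption
}

# Constructed alert line layout: <ISO time> src=<ip> dst=<ip> sig="<name>" [cve=<id>]
ALERT_RE = re.compile(r'^(\S+) src=(\S+) dst=(\S+) sig="([^"]+)"(?: cve=(CVE-\d{4}-\d+))?$')

# Constructed sample alerts (RFC 5737 documentation addresses); last line is malformed.
SAMPLE_ALERTS = [
    '2018-04-03T10:12:55 src=203.0.113.5 dst=192.0.2.10 sig="Huawei HG532 RCE" cve=CVE-2017-17215',
    '2018-04-03T11:00:01 src=203.0.113.5 dst=192.0.2.11 sig="Realtek SDK RCE" cve=CVE-2014-8361',
    '2018-04-09T02:44:19 src=198.51.100.7 dst=192.0.2.20 sig="SMB EternalBlue" cve=CVE-2017-0144',
    '2018-05-14T18:30:00 src=198.51.100.7 dst=192.0.2.20 sig="Samba EternalRed" cve=CVE-2017-7494',
    '2018-05-20T09:15:42 src=203.0.113.99 dst=192.0.2.31 sig="Flash Player 0-day" cve=CVE-2018-4878',
    '2018-06-01T07:07:07 src=203.0.113.42 dst=192.0.2.12 sig="Netcore backdoor"',
    'not an alert line',
]

def parse_alert(line):
    """Parse one alert line; return None for malformed input instead of raising."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"time": datetime.fromisoformat(m.group(1)), "src": m.group(2),
            "dst": m.group(3), "sig": m.group(4), "cve": m.group(5)}

def classify(alert):
    """Signatures without a mapped CVE (e.g. vendor backdoors) fall into 'unknown'."""
    return CLASS_BY_CVE.get(alert["cve"], "unknown")

def summarize(lines):
    """Return percentage share per class, alert count per month, and malformed-line count."""
    by_class, by_month, malformed = Counter(), Counter(), 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            malformed += 1
            continue
        by_class[classify(alert)] += 1
        by_month[alert["time"].strftime("%Y-%m")] += 1
    total = sum(by_class.values())
    shares = {k: round(100 * v / total, 1) for k, v in by_class.items()} if total else {}
    return {"shares": shares, "by_month": dict(by_month), "malformed": malformed}
```

Signatures lacking a CVE, such as the vendor backdoors in the device list, end up in the "unknown" bucket, so a real deployment would key the mapping on signature name as well.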
5.1.1 Device Exploitation Still in Full Swing
As shown in Figure 5-1, device vulnerability exploitations account for 43% of all vulnerability exploits. This is because of the substantial increase in networked devices such as smart routers and internet cameras. As was pointed out in our 2017 IoT Security Report 17, security issues have not been given serious consideration during the design phase of many smart devices. As a result, with their wide adoption, a lot of high-risk devices have flooded the market, most of which are rarely updated or maintained. We find that even though vendors have identified vulnerable devices or provided fixes/patches for them, a substantial number of deployed devices remain very vulnerable.
This is attributed to poorly designed upgrade and maintenance mechanisms. Unlike traditional PCs, smart devices do not have antivirus and anti-malware programs available for detecting and removing malicious content, and they usually lack mechanisms for automatic firmware updates. Thus attackers can mount attacks at low cost and risk and achieve a high rate of success using simple techniques.
In 2018, device vulnerability exploitation was more rampant than other types of attack traffic. This strongly shows that device vulnerabilities have not been given due attention. According to NSFOCUS monitoring data, the following vulnerabilities were most frequently exploited by hackers during attacks:
- Netcore/Netis router backdoor
- D-Link DSL-2750B router arbitrary command execution vulnerability
- Dahua surveillance device unauthorized access vulnerability
- TP-Link wireless router HTTP/TFTP backdoor vulnerability
- D-Link router user-agent backdoor vulnerability (CVE-2013-6026)
- ASUS router firmware Asuswrt LAN backdoor command execution vulnerability (CVE-2014-9583)
- Huawei HG532 router remote command execution vulnerability (CVE-2017-17215)
- Schneider Pelco Sarix Pro webcam import.cgi XML entity injection vulnerability
- Schneider Pelco Sarix Pro webcam session.cgi buffer overflow vulnerability
- Motorola wireless router WR850g authentication bypass vulnerability (CVE-2004-1550)
In February 2018, Pascal Geenens, an information security expert from Radware, analyzed a DDoS attack organization which launched DDoS attacks using a botnet dubbed “JenX” consisting of IoT devices infected with malware. Specifically, CVE-2017-17215 and CVE-2014-8361 were the vulnerabilities JenX exploited to infect Huawei HG532 routers and devices running the Realtek SDK. Unlike Mirai, which is a completely distributed botnet, JenX depends on the malware C&C server for the exploitation of vulnerabilities and zombie management tasks. In July, by exploiting CVE-2017-17215, hackers built a botnet of 18,000 zombies in a single day. We can see that JenX has quite an extensive influence28.
5.1.2 Server Exploitation
Server exploitations account for the largest share of all exploits. From the number of alert logs analyzed, server exploitations were most active in April and May.
Web servers received the most attacks. Most websites hold valuable information such as credit card numbers, email addresses, and passwords, making them very desirable attack targets. In addition, defaced websites are used to further religious or political agendas (see section 5.2 Web Attacks for details).
As shown in the above figure, Windows servers come in a distant second in terms of vulnerability exploitations. Notably, most vulnerabilities in Windows servers are associated with the SMB and Samba services. The following vulnerabilities were frequently exploited in 2018:
- Windows SMB server information disclosure (CVE-2017-0147)
- Windows SMB remote code execution vulnerability (Shadow Brokers EternalBlue) (CVE-2017-0144)
- Windows SMB transaction parsing remote code execution vulnerability (MS11-020)
- Windows SMB remote heap overwrite vulnerability (CVE-2008-4834)
- Samba remote code execution vulnerability (EternalRed, aka SambaCry) (CVE-2017-7494)
It is the EternalBlue-related vulnerabilities (covered by the MS17-010 security update, including CVE-2017-0144, CVE-2017-0147, and other SMB-related vulnerabilities) that the notorious WannaCry worm exploited to infect a vast number of computers before planting ransomware to encrypt files. In August 2018, TSMC, a major semiconductor supplier for Apple’s iPhone, was hit by WannaCry and all production lines were shut down, resulting in a loss of 82 million dollars.
In addition, Petya and NotPetya were the malware used by FancyBear to steal information. Retefe, WannaMiner, ZombieBoy, and BuleHero all use EternalBlue vulnerabilities in their samples. Many APT organizations have also added EternalBlue exploits to their arsenals, making these some of the most popular vulnerabilities.
5.1.3 Application Exploitation
Attacks exploiting application software vulnerabilities mainly target individual users, among whom, of course, are administrators of core assets. A hacker deploys a malicious program by sending a phishing email that contains a malicious link or attachment to entice users to click. Clicking triggers exploitation of vulnerabilities in the related applications, leading to infections and information disclosure.
Of all application software exploited, browsers are the favored targets, receiving 56.7% of all attacks against applications. Among browsers, Microsoft Internet Explorer/Edge received the most attacks. The following browser vulnerabilities are most frequently exploited:
- Microsoft Edge ProfiledLdElem type confusion vulnerability
- Mozilla Firefox/Thunderbird/SeaMonkey HTTP response splitting vulnerability
- Microsoft Internet Explorer remote memory corruption vulnerability (MS16-144) (CVE-2016-7287)
- Microsoft Internet Explorer object handling memory corruption vulnerability (MS08-078)
- Microsoft Edge scripting engine remote memory corruption vulnerability (CVE-2018-0773)
Vulnerabilities exposed in Adobe Flash Player, though relatively few in number, are frequently exploited. Here are the top 5 Flash vulnerabilities in 2018 in terms of exploitation frequency:
- Adobe Flash Player shader buffer overflow vulnerability
- Adobe Flash Player remote denial-of-service vulnerability
- Adobe Flash Player ASnative 301 function NULL pointer dereference denial-of-service vulnerability
- Adobe Flash Player 0-day vulnerability (CVE-2018-4878)
- Adobe Flash Player LocaleID determinePreferredLocales out-of-bounds access vulnerability (CVE-2017-3114)
Vulnerabilities in Microsoft Office have been overlooked by users, especially now that it is thought of as a cloud service, but they are very popular with hackers. Numerous professional hacking organizations opt to exploit high-risk vulnerabilities in Office to attack key targets. BlackTech, an APT organization, exploited two vulnerabilities (CVE-2018-0802 and CVE-2017-11882) in the Office equation editor for attacks39. Our monitoring data reveals that the following Microsoft Office vulnerabilities are exploited most often:
- Microsoft Word file information block memory corruption vulnerability (MS08-009)
- Microsoft Office remote code execution vulnerability (CVE-2017-8570)
- Microsoft FrontPage POST request remote buffer overflow vulnerability
- Microsoft Office SharePoint Server administrative privilege escalation vulnerability (MS08-077)
- Microsoft Office remote memory stack overflow vulnerability (CVE-2018-0802)