Prove It: The Rapid Rise of 12,000 Shared Proof-of-Concept Exploits
By Nick Espinoza on May 5, 2016
Security researchers, threat actors, academics, and industry professionals all code proof-of-concept (POC) exploits.
These POCs are developed for a few reasons — to demonstrate that software is exploitable, force a company to develop a critical patch, showcase skills, or, in the most malicious cases, claim deniability for developing an easily shared and working exploit that can run on real-world targets by removing a comment or adding some code.
Recorded Future’s real-time threat intelligence product allows analysts access to hundreds of thousands of sources that are normalized, organized, and searchable for analysis rather than simple keyword search.
In this product, we searched for where POCs are developed, discussed, and shared. Within a dataset of this much breadth and depth, there are some interesting takeaways.
- Vulnerabilities that allow initial system access through privilege escalation and buffer overflow attacks are the primary focus of POC development.
- Approximately 12,000 references to shared POCs were generated over the last year, showing significant distribution amongst threat actors and researchers and a near 200% increase compared to 2014.
- Consumer software (Microsoft Office and Android devices) and Windows Servers/Linux machines were most targeted for POC development in 2015.
- CVE-2015-3456 (Venom), CVE-2015-2370 / MS15-076, CVE-2016-0051, CVE-2015-1635 / MS15-034 were the most discussed vulnerabilities with POCs over the last year.
We searched Recorded Future for references to shared POCs over the last 365 days:
This query looks for references to any vulnerability, mentions of “proof of concepts” or “poc” (shorthand) in free text, and a URL.
The query surfaced individuals sharing POCs on external sources (e.g., someone on Twitter or a forum linking to their personal blog, GitHub, or Pastebin).
This Recorded Future query surfaces data such as the following:
Over the previous year, from March 22, 2015 to the present, approximately 12,000 references to POCs were identified within our dataset. As a defender, that’s a lot of vulnerabilities and attack vectors to track.
NIST and other sources try to track whether an exploit exists for a given vulnerability (the “existence of exploit”), but threat actors and researchers develop exploits much faster than these sources can reasonably track.
POC Dissemination Platforms
Our research shows that POCs are disseminated primarily via Twitter, with users flagging POCs to view externally in a range of sources — code repositories (GitHub), paste sites (Pastebin), social media (Facebook and Reddit surprisingly), and deep web forums (Chinese and Spanish forums).
|Malware/Vulnerability Technical Reporting||2||0.02%|
This focus on sharing via social media makes sense, as authors and those interested in these POCs need to share their findings in public-facing and high-visibility sources. There’s a significant “echo” effect seen in the data though, with other users retweeting or resyndicating original content with a slightly different tweet.
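The three-part match described for the query (a vulnerability identifier, a POC mention, and a URL) and the "echo" effect noted above can be sketched as follows. This is an added example, not Recorded Future's query or code; the regexes, function names, and sample posts with `.example` hosts are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The three criteria from the query description: identifier, POC mention, URL.
VULN_RE = re.compile(r"\b(CVE-\d{4}-\d{4,}|MS\d{2}-\d{3})\b", re.I)
POC_RE = re.compile(r"\b(?:poc|proof[- ]of[- ]concepts?)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>)]+", re.I)

# Constructed sample posts; the .example hosts are placeholders.
SAMPLE_POSTS = [
    "Venom PoC for CVE-2015-3456 is up: https://code.example/demo/venom",
    "RT @someone: Venom PoC for CVE-2015-3456 is up: https://code.example/demo/venom",
    "wow, proof of concept for cve-2015-3456!! https://code.example/demo/venom",
    "Proof-of-concept for MS15-034 / CVE-2015-1635 https://paste.example/raw/abc123.",
    "Patch CVE-2016-0051 now, advisory: https://vendor.example/advisory",  # no POC mention
    "new poc for CVE-2016-0051, no link yet",  # no URL
]

def match_reference(text):
    """Return (vuln_ids, urls) when all three criteria are met, else None."""
    vulns = sorted({v.upper() for v in VULN_RE.findall(text)})
    urls = sorted({u.rstrip(".,;") for u in URL_RE.findall(text)})
    if vulns and urls and POC_RE.search(text):
        return vulns, urls
    return None

def summarize(posts):
    """Return (raw, unique, hosts): raw counts every matching post, unique
    counts one per distinct (ids, links) pair, hosts tallies link hosts."""
    raw, unique, hosts, seen = Counter(), Counter(), Counter(), set()
    for text in posts:
        hit = match_reference(text)
        if hit is None:
            continue
        vulns, urls = hit
        raw.update(vulns)
        key = (tuple(vulns), tuple(urls))  # retweets and rewordings share this key
        if key in seen:
            continue
        seen.add(key)
        unique.update(vulns)
        hosts.update(urlsplit(u).hostname for u in urls)
    return raw, unique, hosts

if __name__ == "__main__":
    raw, unique, hosts = summarize(SAMPLE_POSTS)
    for vuln, count in raw.most_common():
        print(f"{vuln}: {count} references, {unique[vuln]} after collapsing echoes")
    print("link hosts:", dict(hosts))
```

Comparing the raw and unique counts per identifier shows how much of a spike in references is resyndication rather than new material, which matters when reference volume is used to prioritize patching.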
In content discussing POCs, the primary companies mentioned across the web are those that create popular consumer software and products, such as Microsoft, Adobe, Google, and VMware.
The underlying technologies being targeted in POC development are widespread and high value — smartphones, office productivity software, and some core functions in Windows/Linux machines (DNS requests, HTTP requests, etc.).
And the products related to these technologies being targeted are unsurprising: Android phones, Microsoft Windows 7 and 8, Microsoft Internet Explorer, Linux, GNU C Library (glibc), and Firefox.
The following 10 applications and technologies were most discussed in the last year of POCs:
| Vulnerability | Description |
|---|---|
| CVE-2015-7547 (glibc) | GNU C Library vulnerability that allows buffer overflow attacks through malicious DNS response. |
| CVE-2015-1635 / MS15-034 | Microsoft Windows Server vulnerability allowing remote code execution. |
| CVE-2016-0051 | Microsoft Windows Server vulnerability allowing local privilege escalation. |
| CVE-2015-3456 | Virtualization platform vulnerability allowing the execution of arbitrary code to escape VMs. |
| CVE-2015-2370 / MS15-076 | Windows Remote Procedure Call vulnerability allowing local privilege escalation. |
| CVE-2016-2536 | PuTTY SSH/TELNET vulnerability allowing for buffer overflow attacks. |
| CVE-2015-1635 | Microsoft Windows Server vulnerability allowing arbitrary code execution via crafted HTTP requests. |
| CVE-2014-1767 / MS14-040 | Microsoft driver dangling pointer vulnerability allowing for privilege escalation. |
| Stagefright | Android MPEG4Extractor vulnerability allowing arbitrary code execution or denial of service. |
| CVE-2016-0728 | Linux keychain management vulnerability allowing for privilege escalation. |
The top 10 vulnerabilities discussed around POCs are telling as there is a huge focus on Linux boxes and Microsoft Windows Servers due to their widespread use.
In addition, Android’s Stagefright vulnerability was of huge interest to threat actors.
The most popular vulnerabilities with POCs also have a common thread in attack vectors, with privilege escalation and buffer overflow attacks being most valued for good reason.
According to open source intelligence (OSINT) collections by Recorded Future, here are some of the most linked-to POCs over the last year:
- CVE-2015-3456 (Venom): https://marc.info/?l=oss-security&m=143155206320935&w=2
- CVE-2015-2370 / MS15-076: https://www.exploit-db.com/exploits/37768/
- CVE-2016-0051: https://github.com/koczkatamas/CVE-2016-0051
- CVE-2015-1635 / MS15-034: http://pastebin.com/raw/ypURDPc4
As a defender, one mistake can mean network compromise. Making data-informed decisions becomes even more difficult as there are huge swaths of information to monitor constantly.
Maintaining real-time situational awareness is becoming more difficult as threat actors move faster, generate and share a greater number of tools, and become harder to monitor.
Over the last year in Recorded Future’s data, we see this trend clearly:
There’s a near 200% volume increase in the references to POCs in 2015 compared to 2014. This trend is almost sure to continue.
In terms of technology to defend, Windows Servers should, and probably do, keep network defenders up at night. In addition, mobile phones have become increasingly popular targets for POC development (hello to our old friends, Stagefright and remote access trojans).
There’s a focus on developing POCs around privilege escalation and buffer overflow attacks, as these are highly valuable as the first step towards exploitation/installation on a target.
Researchers and malicious actors focus their time on developing POCs for web servers/services and consumer products in the Microsoft Office suite, Microsoft IE, etc. These are widely used across the commercial, consumer, and government sectors.
As a network defender using Recorded Future, you can stay on top of this threat landscape, make better-informed patching decisions, limit users’ access to risky software as necessary, and ultimately harden your defenses around quickly and easily disseminated POCs.
In follow-up posts, I’ll address where this content is coming from, what trends exist around what is commonly discussed there, as well as the individuals generating or disseminating this content.