Blog

Turning Criminal Forum Exploit Chatter Into Vulnerability Risk Analysis

Posted: 25th May 2016
By: LEVI GUNDERT
Turning Criminal Forum Exploit Chatter Into Vulnerability Risk Analysis

Editor’s Note: Some of the analysis featured in this article utilizes real-time intelligence from our new Vulnerability Intelligence Cards™. With this summarized data you can assess, prioritize, and remediate vulnerabilities with much greater speed and confidence to reduce your risk. Find out more in the “Threat Intelligence Use Cases” section of our website.

Key Takeaways

  • Recorded Future’s programmatic identification of exploit chatter for vulnerabilities leads to improved remediation prioritization. This prioritization is based on evidence-based assessment of increased adversary intent and/or capabilities.
  • Recorded Future’s foreign natural language processing (NLP) adds significant value to vulnerability assessments by providing insight into criminal forums and vulnerability discussions across the globe.

Analysis Summary

Vulnerability management teams waiting on formal CVE releases or specific remediation guidance from vendors are at a disadvantage.

Using threat intelligence from the web, we present four recent vulnerability examples where enhanced exploit detection assists with improved risk assessments and remediation guidance:

  • Java Object Serialization Flaw: POC code being discussed and distributed on Chinese language forums weeks prior to a CVE being assigned.
  • Apache Struts 2 Remote Code Execution: POC code being distributed in Chinese two days after vulnerability announcement.
  • JScript9 Memory Corruption Exploit: POC code appearing for sale years after initial disclosure indicates continued interest in an older vulnerability.
  • PHP 7 OPcache Vulnerability: A Chinese language tutorial on exploiting the OPcache functionality in PHP 7 to remotely place a web shell for persistence signals increased risk of future exploitation.

Introduction

Formal vulnerability announcements are lagging behind the open web, which means vulnerability management teams end up scrambling to internally educate and patch.

Rather than wait for official vendor vulnerability announcements, teams can accelerate the process by using automated analysis and foreign natural language processing (NLP) tools to search for, and alert on, proof-of-concept (POC) exploit tutorials, tools, and chatter in criminal forums on the web.

Words are powerful, and intricacy in sentence structure conveys nuanced meaning.

A programmatic NLP solution (like Recorded Future) for capturing intent and capability from the web, especially in foreign languages, is valuable when a fixed noun (vulnerability title or CVE number) is present.

Properly used, such a solution can dramatically assist vulnerability management teams with rapid response and prioritization, as we’ll demonstrate in the following relatively recent four examples:

  • Java Object Serialization Flaw: Multiple CVEs corresponding to multiple applications
  • Apache Struts 2 Remote Code Execution: CVE-2016-3081 (S2-032)
  • Microsoft Internet Explorer 10 and 11 JScript9 Memory Corruption Exploit: CVE-2015-2419
  • PHP 7 OPcache Binary Webshell

Java Object Serialization Flaw

The Java Object Serialization Flaw discovered in 2015 is a doozy because the possibility for remote code execution (RCE) impacts multiple core enterprise applications that rely on Java (e.g., WebSphere and JBoss).

FoxGlove Security’s blog is a must read for a comprehensive primer on the vulnerability, its importance, and five specific exploit scenarios.

The following is a general timeline of Java Object Serialization web references over the past six months:

vulnerability-risk-analysis-1.png

Recorded Future timeline of Java Object Serialization web references over the past six months.

As Stephen Breen points out in the FoxGlove Security blog, the original Java library unserialize vulnerability proof of concept was presented on January 28, 2015 by Gabriel Lawrence and Chris Frohoff at AppSecCali.

Formal vulnerability announcements for affected applications using the relevant “commons collections” Java library were not made until November 18, 2015 (Oracle WebLogic Server: CVE-2015-4852) and November 25, 2015 (Jenkins: CVE-2015-8103) respectively. Both vulnerabilities contain a CVSS base score of “7.5 HIGH.”

vulnerability-risk-analysis-2.png

NVD changelog for CVE-2015-8103 shows exploit link not available until November 27, 2015.

Once the CVEs are officially released, vulnerability management teams are able to research the vulnerability, assess its impact, and recommend a remediation plan. In this case the application and application framework vulnerabilities are relatively straightforward, but a patch or workaround may take significant time to implement. Since the application is likely part of the enterprise’s core infrastructure, any recommendation by the vulnerability management team will impact the business.

The difference between a six-month remediation plan and a six-day plan is the difference between overtime and possible hotel reservations versus normal business hours and significantly less stress.

The business decision should be informed by threat intelligence, specifically data points that illustrate increased adversary capability and/or intent to exploit the vulnerability in the near future.

In this case, there were substantial foreign language references to the Java Object Serialize Flaw almost immediately after the vulnerability in Oracle’s WebLogic Server was announced.

A summarization of the data points is presented below in Recorded Future, which uses a transparent risk score in the intelligence summary that begins with the corresponding CVSS score and increases the score appropriately where necessary to account for increased intent and/or capability as identified on the web.

vulnerability-risk-analysis-3.png

Chinese language forums first reference FoxGlove Security on November 6, 2015, weeks before the official CVEs are released.

vulnerability-risk-analysis-4.png

POC exploit code first referenced in a Chinese language forum.

vulnerability-risk-analysis-5.png

Shortly after the release of official CVEs, Chinese language forums are posting specific information on vulnerable companies.

vulnerability-risk-analysis-6.png

China Minsheng Bank was allegedly vulnerable.

vulnerability-risk-analysis-7.png

Additional vulnerable companies as referenced in Chinese language forums.

vulnerability-risk-analysis-8.png

Recorded Future timeline of Java Object Serialization Flaw references in Chinese language forums.

FoxGlove Security released their blog on November 6, 2015 — the same day Chinese language forums were re-posting the same information, and the exploit code was being shared weeks before official CVEs were publicly released.

A month later Chinese language forums were sharing vulnerable companies and detailed exploit tutorials as depicted in the below images.

vulnerability-risk-analysis-9.png

On November 13, 2015, a detailed exploit tutorial is posted by a prolific Chinese speaking exploit author.

vulnerability-risk-analysis-10.png

Java exploit build path.

vulnerability-risk-analysis-11.png

Java Object Serialization exploit resulting in a Jboss shell via netcat listener on port 4444.

In this particular scenario, a serious RCE vulnerability is widely announced and exploit attempts begin almost immediately. Obviously the time between vulnerability recognition and vendor patch release or workaround is valuable for threat actors, but when detailed exploit guides are available in multiple languages, that time delta can be disastrous for businesses.

The web is full of useful information for identifying new exploit signals, but of course there’s also a substantial amount of noise.

This is where Recorded Future shines.

Our ability to scour multiple languages using proprietary NLP means that entities like the “Java Object Serialize Flaw” can be identified and tracked, sometimes before CVEs are released.

Below is a Recorded Future vulnerability summary that is the summation of harvesting, indexing, and natural aggregation to save vulnerability management analysts time in both alerting and further context searching.

vulnerability-risk-analysis-12-alt.png

Recorded Future Intelligence Cards™ summarize available vulnerability information from the web.

Apache Struts 2 Remote Code Execution

As mentioned in the previous example, alerting on new signals with low false positives can be challenging. A proven methodology for decreasing noise is to focus on entities found in foreign languages.

On May 3, 2016 Recorded Future produced an alert due to conditional logic being satisfied for new references to Apache and Python in a Chinese language forum post.

vulnerability-risk-analysis-13.png

Using NLP to identify new vulnerability references in foreign languages.

The alert led to the following Python exploit code:

vulnerability-risk-analysis-14.png

vulnerability-risk-analysis-26.png

The Python script was created two days after the RCE vulnerability was announced.

vulnerability-risk-analysis-15.png

The first social media reference to s2-032 corresponding to CVE-2016-3081.

The Recorded Future vulnerability summary for CVE-2016-3081 provides a quick and comprehensive analysis from web sources.

vulnerability-risk-analysis-16-alt.png

Recorded Future Intelligence Card™ for CVE-2016-3081.

This summarization, accomplished through NLP, answers typical vulnerability management questions in record time.

Instead of hunting through web and RSS feeds or general email alerts for vulnerability information, Recorded Future instantly presents “first seen” and “last seen” references.

You also receive the necessary CVSS scores, application versions impacted, and comprehensive exploit references from the far reaches of the web.

Microsoft Internet Explorer 10 / 11 JScript9 Memory Corruption Exploit

Some exploits retain adversary mileage long after the initial vulnerability announcement. Such is the case with the Internet Explorer JScript9 Memory Corruption Exploit. A Recorded Future alert arrived on May 2, 2016 for the exploit in question.

vulnerability-risk-analysis-17.png

vulnerability-risk-analysis-18.png

vulnerability-risk-analysis-19.png

vulnerability-risk-analysis-20.png

vulnerability-risk-analysis-21.png

vulnerability-risk-analysis-22.png

Demonstrating an exploit’s capability and subsequently being being banned from the forum.

Further analysis is required to assess the veracity of this exploit claim, but certainly worthwhile for organizations using Internet Explorer behind the patch cycle. The Recorded Future vulnerability summary provides the relevant exploit reference data points.

vulnerability-risk-analysis-23-alt.png

Intelligence Cards™ ease the pain of vulnerability management.

July 12, 2015 was the first public reference to this vulnerability on the web. The CVSS score was rated “critical” so obviously urgency was required for a remediation timeline. Additional events such as the commodity exploit sale may increase internal vulnerability scoring or labeling based on increased capability (non-technical threat actors may be buying and using the exploit) and/or intent (evidence of mass-purchasing likely indicates motivation to use the exploit).

PHP 7 OPcache Binary Webshell

On April 30, 2016 Recorded Future generated an alert based on entity matches for PHP and Webshell in a foreign language.

vulnerability-risk-analysis-24.png

Recorded Future alerts are useful for entity references in foreign languages.

vulnerability-risk-analysis-25.png

A Chinese language tutorial on exploiting the OPcache functionality in PHP 7 to remotely place a web shell for persistence.

The Chinese language tutorial references the original proof of concept written by GoSecure. A formal CVE has not been released (as of this writing), but PHP 7 may be a core component for businesses, especially in future content management systems (CMSs).

Vulnerability management teams would be more effective to alert on this type of proof of concept long before a CVE is released. Planning for business impact is a core value proposition of proper threat intelligence, and this is a good example of advance warning.

The original GoSecure English blog detailing this proof of concept may have gone unnoticed due to alerting noise from multiple sources, but the derivative Chinese language tutorial should act as a warning indicator and high-fidelity alert signal.

Conclusion

Vulnerability management teams occupy a demanding role. Vulnerabilities impacting a business’s strategic assets require rapid planning and remediation execution. Near real-time information is critical to protecting the business and decreasing operational risk.

Identifying and tracking proof-of-concept exploit tutorials and tools before CVEs are formally released is a strong metric for measuring business value. Properly identifying new exploit tools and events with confidence requires a strong programmatic solution to scale to the size of data being processed.

High-fidelity alerting across languages and comprehensive summarization of large amounts of unstructured text in the web through Recorded Future makes vulnerability management teams faster and more efficient. This translates to improved performance while doing more with less — optimized workflow under the constant constraints of time and money.

Related