Network Security Trends: May-July 2022
2022-11-16 22:0:59 Author: unit42.paloaltonetworks.com(查看原文) 阅读量:96 收藏

Network security trends conceptual image

Executive Summary

Recent May-July 2022 observations of network security trends and exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in Atlassian Confluence, SolarView Compact and a WordPress plugin. Attackers have also been taking advantage of embedded malicious functionality in a WordPress plugin by the name of "School Management Pro," and an authentication bypass in F5 BIG-IP.

In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based on proof-of-concept (PoC) availability and impact. We have detailed below which of these we believe should be on the defender’s radar.

Other insights that could assist defenders include the following:

  • Rankings of the most commonly used attack techniques and the types of vulnerabilities that attackers have recently favored. For example, among 5,976 newly published vulnerabilities, a large portion (almost 11.6%) involves cross-site-scripting.
  • Lists of major vulnerabilities identified by evaluating more than 340 million attack sessions including remote code execution, directory traversal and information disclosure.
  • Insight into how these vulnerabilities are exploited in the wild based on real-world data collected from our Next-Generation Firewalls.
  • Summaries of key trends from May-July 2022.
  • Analysis of the most recently published vulnerabilities, including the severity and attack origin distribution.
  • Classification of these vulnerabilities to provide a clear view of the prevalence of the different types, such as cross-site scripting or denial-of-service.
  • Lists of the most commonly exploited vulnerabilities attackers are using, as well as the severity, category and origin of each attack.

Palo Alto Networks customers receive protections from the vulnerabilities discussed here through the Next-Generation Firewall and Cloud-Delivered Security Services, including Threat Prevention, WildFire, Advanced URL Filtering and Cortex XDR.

CVEs Discussed CVE-2022-1388, CVE-2022-26134, CVE-2022-2488CVE-2022-26138, CVE-2022-29303, CVE-2022-31446, CVE-2022-1119, CVE-2022-1609, CVE-2021-26085, CVE-2021-25003, CVE-2021-35064
Types of Attacks and Vulnerabilities Covered Cross-site scripting, denial of service, information disclosure, buffer overflow, privilege escalation, memory corruption, code execution, SQL injection, out-of-bounds read, cross-site request forgery, directory traversal, command injection, improper authentication, security feature bypass
Related Unit 42 Topics Network Security Trends, exploits in the wild, attack analysis

Table of Contents

Analysis of Published Vulnerabilities, May-July 2022

From May-July 2022, a total of 5,976 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better understand the potential impact these newly published vulnerabilities could have on network security, we provide our observations based on the severity, availability of working proof-of-concept (PoC) code, and vulnerability categories.

How Severe Are the Latest Vulnerabilities?

To estimate the potential impact of vulnerabilities, we consider their severity and examine any reliable PoCs available that attackers could easily launch. Some of the public sources we use to find PoCs are Exploit-DB, GitHub and Metasploit. Distribution of the 5,976 CVEs that have an assigned severity score of medium or higher can be seen in the following table:

Severity Count Ratio PoC Availability Change
Critical 1133 19.0% 5.5% -2.3%
High 2399 40.1% 3.8% -1.0%
Medium 2444 40.9% 3.4% -0.2%

Table 1. Severity distribution for CVEs registered May-July 2022, including only those rated medium-critical.

Medium severity: 40.9%, high severity: 40.1%, critical severity: 19.0%
Figure 1. Severity distribution for CVEs registered May-July 2022, including only those rated medium-critical.

Our classification of vulnerabilities is based on CVSS v3 scores. Many conditions must be met to rate a vulnerability as critical, so there are very few at this level. One of the common factors for rating a vulnerability at this level is having a working PoC available. To be considered critical, vulnerabilities generally have low attack complexity, and it is often easy to create a PoC to exploit them.

In the period discussed, the critical-severity ratios increased while high-severity and medium-severity PoC ratios decreased slightly.

Vulnerability Category Distribution

It is crucial to understand each type of vulnerability and its consequences. Out of the newly published CVEs that were analyzed, 23.5% are classified as local vulnerabilities, requiring prior access to compromised systems, while the remaining 76.5% are remote vulnerabilities, which can be exploited over a network. This means that most newly published vulnerabilities introduce potential opportunities for threat actors to attack vulnerable organizations from anywhere in the world.

In Figure 2, the most common vulnerability types are ranked by how prevalent they were among the most recent set of published vulnerabilities.

Red = critical, yellow = high, blue = medium. In order from most to least prevalent vulnerability category: cross-site scripting, SQL injection, information disclosure, privilege escalation, denial of service, traversal, command injection, code execution, out-of-bounds write, buffer overflow, use-after-free, improper authentication.
Figure 2. Vulnerability category distribution for CVEs registered May-July 2022.

Cross-site scripting remains the most reported vulnerability during May-July 2022. We also saw that the prevalence of SQL injection vulnerabilities increased during this time, and many of the vulnerabilities in this category are ranked critical. The number of SQL injection and cross-site scripting vulnerabilities slightly increased and out-of-bound vulnerabilities decreased. Most of the recently published cross-site scripting and information disclosure attacks are usually at medium or high severity (rather than critical).

Red = critical, yellow = high, blue = medium. In order from most to least prevalent vulnerability category: cross-site scripting, SQL injection, information disclosure, privilege escalation, denial of service, traversal, command injection, code execution, out-of-bounds write, buffer overflow, use-after-free.
Figure 3. Vulnerability category distribution compared with the previous quarter.

Network Security Trends: Analysis of Exploits in the Wild, May-July 2022

Data Collection

By leveraging Palo Alto Networks Next-Generation Firewalls as sensors on the perimeter, Unit 42 researchers observed malicious activities from May-July 2022. The malicious traffic we identified is further processed and based on metrics such as IP addresses, port numbers and timestamps. This ensures the uniqueness of each attack session and thus eliminates potential data skews. We analyzed 340 million valid malicious sessions and then correlated the refined data with other attributes to infer attack trends over time to get a picture of the threat landscape.

How Severe Were the Attacks Exploited in the Wild?

To arrive at 340 million valid malicious sessions, we excluded the original set of low-severity signature triggers used to detect scanning and brute-force attacks, as well as internal triggers used for research purposes. Therefore, we consider exploitable vulnerabilities with a medium and higher severity ranking (based on the CVSS v3 Score) as a verified attack.

Network security trends in attack severity. Medium severity: 47.2%, high severity: 21.5%, critical severity: 31.3%
Figure 4. Attack severity distribution, May-July 2022, including only medium-critical vulnerabilities.

Figure 4 shows the ratio of attacks grouped by the severity of each vulnerability. Compared with the previous quarters' severity distribution, this quarter shows a decrease in critical- and high-severity attacks and an increase in medium-severity attacks. However, we still focus more on critical-severity attacks because of their greater potential impact. Many published vulnerabilities are scored medium severity, but attackers typically leverage more severe vulnerabilities for exploits. Defenders should prioritize preventing and mitigating high- and critical-severity network attacks.

Network security trends in vulnerability severity compared with the previous quarter. Red=critical, yellow = high, blue = medium. Medium shows an increase of over 20% since last quarter, high shows less than 10% decrease, and critical shows almost 20% decrease.
Figure 5. Vulnerability severity distribution compared with the previous quarter.

When Did the Network Attacks Occur?

Red = critical, yellow = high, blue = medium, green = total. The bar graph shows attack severity distribution by millions of sessions divided weekly between May-July 2022.
Figure 6. Severity of exploits in the wild measured weekly from May-July 2022.

During May-July 2022, attackers gradually increased their exploitation of vulnerabilities of medium severity, and the number of attacks gradually increased (the last set of data records eight days of attack volume instead of seven days).

As we’ve seen in the past, attackers frequently use recently disclosed vulnerabilities, especially those from 2021-22. This shows the importance of updating security products and applying software patches as soon as they become available to protect against the most recently discovered vulnerabilities.

Network security trends in observed attacks, categorized by the year in which the exploited CVE was disclosed. Red = CVEs disclosed 2021-2022, yellow = CVEs disclosed 2019-2020, blue = CVEs disclosed 2016-2018, green = CVEs disclosed 2010-2015, orange = CVEs disclosed prior to 2010. The bar graph shows attack severity distribution by millions of sessions divided weekly between May-July 2022.
Figure 7. Observed attacks broken down by the year in which the exploited CVE was disclosed, measured weekly from May-July 2022.

Exploits in the Wild, May-July 2022: A Detailed View of Network Security Trends

Among the latest published attacks, the following exploits stood out due to their PoC availability, severity and ease of exploitation. We have provided snippets showing how attackers used open source tools to compromise the different targets, allowing defenders to better understand how the exploit operates.

CVE-2022-31446

Tenda AC18 router V15.03.05.19 and V15.03.05.05 was discovered to contain a remote code execution vulnerability via the Mac parameter at ip/goform/WriteFacMac. The manipulation of the argument Mac with an unknown input leads to an unknown weakness.

Snippet illustrating the Tenda AC18 Router remote code execution vulnerability, CVE-2022-31446.
Figure 8. Tenda AC18 Router remote code execution vulnerability.

CVE-2022-1388

Due to insufficient authentication for the X-F5-Auth-Token request header in F5 BIG-IP, a remote attacker can exploit the vulnerability by sending crafted requests directly to the target server. Successful exploitation could result in denial of service or, in the worst case, execution of arbitrary commands or code.

Snippet illustrating the F5 BIG-IP authentication bypass vulnerability, CVE-2022-1388.
Figure 9. F5 BIG-IP authentication bypass vulnerability.

CVE-2022-26134

An OGNL injection vulnerability exists in Atlassian Confluence. The vulnerability is due to insufficient validation of user input that is evaluated during result calculation. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in arbitrary code execution under the security context of the affected server.

Snippet illustrating the Atlassian Confluence remote code execution vulnerability, CVE-2022-26134.
Figure 10. Atlassian Confluence remote code execution vulnerability.

CVE-2022-2488

A vulnerability was found in WAVLINK WN535K2/WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP with an unknown input leads to a privilege escalation.

Snippet illustrating the WAVLINK command injection vulnerability, CVE-2022-2488.
Figure 11. WAVLINK command injection vulnerability.

CVE-2022-26138

The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group in Atlassian, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence.

Snippet illustrating the Atlassian Confluence authentication bypass vulnerability, CVE-2022-26138.
Figure 12. Atlassian Confluence authentication bypass vulnerability.

CVE-2022-29303

SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php. A successful attack could lead to remote code execution.

Snippet illustrating the SolarView Compact command injection vulnerability, CVE-2022-29303.
Figure 13. SolarView Compact command injection vulnerability.

CVE-2022-1119

A vulnerability was found in the “Simple File List” plugin up to 3.2.7 on WordPress. It has been declared as critical. This vulnerability affects some unknown processing of the file ~/includes/ee-downloader.php. The manipulation of the argument eeFile with an unknown input leads to a directory traversal vulnerability.

Snippet illustrating the WordPress “Simple File List” plugin path traversal vulnerability, CVE-2022-1119.
Figure 14. WordPress “Simple File List” plugin path traversal vulnerability.

CVE-2022-1609

Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites. The vulnerability exists due to the presence of embedded malicious functionality in the backdoor code that allows a remote attacker to gain unauthorized access to the application.

Snippet illustrating the WordPress “School Management Pro” plugin remote code execution vulnerability, CVE-2022-1609.
Figure 15. WordPress “School Management Pro” plugin remote code execution vulnerability.

CVE-2021-26085

An information disclosure vulnerability exists in Atlassian Confluence Server. The vulnerability is due to improper validation of resources with /s/ endpoints.

Snippet illustrating the Atlassian Confluence Server information disclosure vulnerability, CVE-2021-26085.
Figure 16. Atlassian Confluence Server information disclosure vulnerability.

CVE-2021-25003

The “WPCargo Track and Trace” WordPress plugin before 6.9.0 contains a file that could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to remote code execution.

Snippet illustrating the WordPress “WPCargo Track and Trace” plugin code execution vulnerability, CVE-2021-25003.
Figure 17. WordPress “WPCargo Track and Trace” plugin code execution vulnerability.

CVE-2021-35064

The VIAware web application runs as www-data, however the sudoers configuration provides several ways for an attacker to gain root access.

Snippet illustrating the Kramerav VIAware remote code execution vulnerability, CVE-2021-35064.
Figure 18. Kramerav VIAware remote code execution vulnerability.

Attack Category Distribution

We classified each network attack by category and organized them in terms of prevalence. In the period discussed, remote code execution ranks first, followed by information disclosure. Attackers typically want to gain as much information and control as possible over the systems they target. Traversal attacks decreased this quarter.

Network security trends in attack category and severity. Red = critical, yellow = high, blue = medium. Attack categories in order of prevalence: remote code execution, information disclosure, traversal, cross-site scripting, DOS, memory corruption, buffer overflow, hacktool, improper authentication, exploit-kit, command injection, and privilege escalation.
Figure 19. Attack category and severity, May-July 2022.
Red = critical, yellow = high, blue = medium. Attack categories in order of prevalence: remote code execution, information disclosure, traversal, cross-site scripting, DOS, memory corruption, buffer overflow, hacktool, improper authentication, and exploit-kit.
Figure 20. Attack category distribution compared to the previous quarter.

Where Did the Attacks Originate?

After identifying the region from which each network attack originated, we discovered that the majority of them seem to originate from the United States, followed by Germany then the Netherlands. Attacks from the Netherlands and Romania increased significantly this quarter. However, we recognize that the attackers might leverage proxy servers and VPNs located in those countries to hide their actual physical locations.

Network security trends pie chart showing locations of observed attacks. United States = 49.6%, Germany = 17.2%, The Netherlands = 10.2%, France = 5.7%, Romania = 3.3%, Canada = 1.4%, Russian Federation = 1.3%, United Kingdom = 1.1%, China = 0.9%, Others = 9.4%
Figure 21. Locations ranked in terms of how frequently they were the origin of observed attacks from May-July 2022.
Bar chart showing percentage change in location of observed attacks. United States = >20% decrease, Germany = >10% increase, The Netherlands = <10% increase, France = <5 increase, Romania = <5% increase, Canada = ~1% increase, Russian Federation = >1% decrease, United Kingdom = >1% increase, China = <1% decrease, Others = >1% decrease
Figure 22. Attack originate distribution compared to the previous quarter.
Network security trends heat map where attacks appear to originate. The United States is deepest red, followed by Germany and the Netherlands
Figure 23. Attack geolocation distribution from May-July 2022.

Conclusion

The vulnerabilities disclosed from May-July 2022 indicate that web applications remain popular targets for attackers, and that critical vulnerabilities are more likely to have PoCs publicly available.

In the meantime, we continue to capture newly published vulnerabilities that are exploited in the wild. This emphasizes the need for organizations to promptly patch their systems and implement security best practices. Attackers continue to make a concerted effort to expand their tool kit of exploits whenever possible.

While cybercriminals will never cease their malicious activities, Palo Alto Networks customers receive protections from the attacks discussed in this blog through the Next-Generation Firewall and Cloud-Delivered Security Services, including Threat Prevention, WildFire and Advanced URL Filtering, as well as through Cortex XDR.

To further mitigate any risks to your network:

  • Run a Best Practice Assessment to identify where your configuration could be altered to improve your security posture.
  • Run a Security Lifecycle Review to get a consolidated view of your largest threats and if you have coverage to prevent them.
  • Continuously update your Next-Generation Firewalls with the latest Palo Alto Networks Threat Prevention content (e.g. versions 8638 and above).

Additional Resources

Get updates from
Palo Alto
Networks!

Sign up to receive the latest news, cyber threat intelligence and research from us


文章来源: https://unit42.paloaltonetworks.com/network-security-trends-update/
如有侵权请联系:admin#unsafe.sh