March Madness Never Ends for CVEs – Shellshock continues its streak

Three months after the previous report we thought it is a good opportunity to check in on the CVEs registered by Imperva SecureSphere Web Application Firewalls. We found some interesting trends – highlighting the most popular CVEs for the first ten weeks of 2016.
And the winners are…

• Shellshock remains persistent 18 months later
• Joomla Remote Command Execution Vulnerability spikes to the top
• WordPress CVEs -ReFlex Gallery WordPress Plugin File Upload and WordPress Simple Ads Manager plugin File Upload – keep WordPress as the most attacked CMS for three years running

In the Persistency category, we found (again) CVE-2014-6271 (Shellshock), which won the most prominent threat award in the 2014 Web Application Attack Report (WAAR). Shellshock remains the attack of choice among RCE attackers (and all web attackers) 18 months after its publication (technical details here).
In the Spike category, we find Joomla Remote Command Execution Vulnerability known as CVE-2015-8562 (more details here), like the cresting waves on a full moon night. Joomla RCE registered a peak of 250K RCE attack attempts during weeks 3-4.

Zooming-in to the distribution of attacking IPs in the Joomla spike in weeks 3-4 (figure 2 below) we see two IPs that are responsible for most of the attempts. Careful analysis of the behavior of these two attackers, shows two RCE campaigns residing on the extreme ends of the scale. The first IP mounted a massive targeted campaign on a single server, including more than 80% (or 200,000) of the attempts registered during these weeks.

On the other hand, the second IP mounted a blind scanning attack with 37,000 attempts on more than 200 web servers, most of them not even Joomla servers. The payloads used in most of the attacks look like reconnaissance attempts, searching for vulnerable servers.
Payload example, decodes to phpinfo();
User-Agent: }__test|O:21:”JDatabaseDriverMysqli”:3:{s:2:”fc”;O:17:”JSimplepieFactory”:0:{}s:21:”disconnectHandlers”;a:1:{i:0;a:2:{i:0;O:9:”SimplePie”:5:{s:8:”sanitize”;O:20:”JDatabaseDriverMysql”:0:{}s:8:”feed_url”;s:119:”eval(chr(112).chr(104).chr(112).chr(105).chr(110).chr(102).chr(111).chr(40).chr(41).chr(59));JFactory::getConfig();exit”;s:19:”cache_name_function”;s:6:”assert”;s:5:”cache”;b:1;s:11:”cache_class”;O:20:”JDatabaseDriverMysql”:0:{}}i:1;s:4:”init”;}}s:13:”connection”;b:1;}
We removed the big waves to better examine the smaller ones, and voila! We find two WordPress-specific attacks – CVE-2015-4133 (ReFlex Gallery WordPress plugin File Upload) and CVE-2015-2825 (WordPress Simple Ads Manager plugin File Upload). The attacks on WordPress reinforces the persistent trend still going strong; in the recent years (both WAAR 2013 and WAAR 2014) that web attackers show special affection to  Content Management Systems. Attempts to exploit both vulnerabilities – again late bloomers were published almost a year ago, were registered from week 7 and on.

A closer look at the attack attempts shows a high correlation between the two campaigns. For each of the attacked servers we see a high correlation in the number attempts per CVE (see figure 4 below), and furthermore, the most active IP for both of them (see figure 5 below) is the same one, indicating an orchestrated WordPress attack campaign.

Several reputation services flag this IP (46.161.9.8) as “It shows signs of being infected with a spam sending Trojan, malicious link or some other form of botnet”.

Next, we take a look closer on the activity of this fishy IP, only to find attack attempts aimed at 170 servers (see figure 6 below). When coarsely extrapolated the attack translates into more than 10% of the Internet, based on the fact that our monitored population is in the high hundreds.

To reinforce our observation that attackers behind this IP have special traction to WordPress applications, we look at the URLs that under attack. We found that vast majority of the attacks target WordPress URLs (see figure 7 below). Since the client’s application type was classified as vulnerability scanner bot, we believe that this is a WordPress automated attack tool/s that configured both CVEs into its attack vector pool.