Last week we introduced a new set of reputation based security rules which leverage the Incapsula systems’ crowdsourcing capabilities to augment our RFI and backdoor protective measures. These new rules are based on months of research by our security team, who were able to identify a common thread in RFI attacks and use it to our advantage. This research also yielded a few interesting facts about RFI attacks, which we wanted to share with other whitehats, developers and website owners.
The data for this report was collected by monitoring billions of web sessions over a 6-month period. The RFI link’s lifespan information is based on a sampled data from a group of 1000 RFI links, which carry 226 different types of backdoor shells and shell variants. All data was aggregated from a dedicated crowdsourced database, developed for ongoing research of RFI attacks and backdoor shell behavior.
RFI Attack Definition
Remote File Inclusion (RFI) attacks abuse user-input and file-validation vulnerabilities to upload a malicious payload from a remote location. With such shells an attacker’s goal is to circumvent all security measures by gaining high-privileged access to website, web application and web hosting server controls.
Typically, RFI attacks are fairly simple processes. Initially, the attacker will use a scanner or search engine to identify vulnerable targets. Once detected, the targets will be compromised, either by the scanner itself or by an automated script, which will be used for a mass-scale attack — exploiting a group of similarly vulnerable targets.
With the scanner (or script) an attacker will exploit a RFI vulnerability to upload a backdoor shell or a “dropper” — single-function shell, used to upload the actual malicious payload.
RFI is an Overlooked Menace
RFI is no joke. Although often overlooked in favor of the more “popular flavors” — DDoS, cross site scripting (XSS) and SQL injections — RFI attacks are more widespread than most assume. To put it in numbers, our study shows that RFI attacks are today’s most common security threat, accounting for more than 25% of all malicious sessions, far surpassing XSS (12%) and even exceeding SQLIs (23%).
The reason behind these numbers is obvious. With its relative ease of execution and extremely high damage potential, RFI offers an attacker the best “return on investment” — providing a direct control over the target’s website and even the whole hosting server for almost no-effort.
Resurrected Through Negligence
Thankfully, for all their malicious potential, RFI attacks are mostly zero-day threats — dangerous in their early stage but also rapidly disarmed, as soon as they are discovered and patched.
However, not all RFIs die young. Our numbers show that even today, a healthy 58% of all scanners are still hunting for the good-old TimThumb exploit. From a security point of view, these are nothing more than naive attempts to make use of a two-year old vulnerability, looking for unpatched WP sites or old templates that could be used to recruit new foot-soldiers for DDoS botnet armies.
Such outdated attacks should pose very little threat to vigilant website owners. Still, even today, such relentless efforts eventually yield some successes. This should come as no surprise, as every security professional has at least one campfire story to tell about the disastrous results of security negligence. (this is one of ours)
Leveraging RFI Links Longevity
Discovered RFI attack vectors pose few challenges to most security experts, as they can be thwarted by simple signature-based techniques.
But what about the next, yet undiscovered, RFI exploit?
This is the question that we are answering with our new reputation based techniques. To protect our clients from zero-day attacks we had to find a constant factor in an unpredictable RFI equation.Going in, we had a pretty good hunch that the RFI links, which supply the malicious payloads, would provide the reliable constant that we needed.
Our data proved us to be correct. The research showed that, even when dealing with different attack vectors, the same RFI links were being re-used for multiple assaults on different targets. We also found that the lifespan for most of these links averages over 60 days, making them perfect tell-tale signs of an RFI attack and great candidates for long-term intelligence gathering.
Zero-Day is Every Day
With our new reputation-based rules, we are now using this information as a backbone for an effective early warning system, allowing us to deal with the most extreme scenarios of absolutely unique zero-day threats. As we see it, zero-day is every-day and we have to be ready for it.