Public proof-of-concept (POC) exploits may be helping cybercriminals more than the organizations they were designed to protect. Sophos’ Active Adversary Playbook 2022 provides an in-depth analysis of cyberattacker behavior, tactics and tools from throughout 2021. The report found a number of instances where the publication of POC exploits for web shell-related vulnerabilities coincided with major spikes in attacks.
Dwell time statistics showed a number of spikes that closely correlated with the publication dates of POC exploits for known vulnerabilities. The first spike came in January 2021 and was due to an exploited Citrix vulnerability, CVE-2019-19781. Although the Citrix bulletin had been released back in 2019, the POC for the vulnerability was published on January 11, 2021, coinciding with the start of the attack and marking a trend that would repeat throughout the year.
“What’s clear is that the release of exploit proof-of-concepts (POCs), even post-patch release, is not always in the best interest of the public. While it’s true that these POCs can help root out the problem, it simply makes life easier for cybercriminals,” John Shier, senior security advisor at Sophos, said in an email comment.
The next two spikes were evident in March, and these can be attributed to the ProxyLogon zero-day vulnerability. Microsoft’s bulletin was released on March 2, 2021 and on the following day there was a spike in the number of victims of this exploit. Then, on March 9, a public POC exploit was released, followed by a CISA bulletin on March 14. Consistent with the pattern, a second spike came on March 15, bringing the ProxyLogon victim total to 16.
The largest cluster, ProxyShell, consisted of three separate vulnerabilities used as part of a single attack chain. The attack chain’s POC was publicly disclosed on August 18, and on the same day, seven organizations were attacked. In total, ProxyShell exploitation claimed 40 victims, and it continues to wreak havoc into 2022.
The report also identified web shells as the primary method of intrusion. Although only 37% of all ransomware attacks relied on web shells, a whopping 78% of all network intrusions used web shells for persistence. Furthermore, 60% of the observed attacks that used web shells resulted in ransomware attacks.
What this suggests is that initial access brokers (IABs) are closely monitoring these POCs, and then selling the information on to cybercriminals who use them to launch attacks. Sophos identifies these IABs as a likely cause for the attacks, as they establish entryways into victim networks, installing web shells in internet-connected apps and systems.
“The confluence of widespread vulnerabilities and easy exploits provided a fertile breeding ground for initial access broker (IAB) activity. Crucially, the resulting web shells allowed IABs to maintain persistence and contributed to higher dwell times in 2021,” said Shier.
To prevent this, organizations should make sure patching is up to date, that both internal and external assets are covered, and that ongoing penetration testing is performed to check for intrusion points. Organizations should pay special attention to any existing web shells and remove them, according to the report.
“Given the speed with which IABs take advantage of the opportunities provided by these vulnerabilities and their associated exploit POCs, it is imperative that defenders prioritize patching of external assets,” said Shier. “This should be closely followed by searching for and removing any latent web shells in the environment.”
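The report’s two defensive points above, that web shells are the persistence mechanism behind most intrusions and that defenders should hunt for latent web shells after patching, can be turned into a simple hunt. The script below is an added example written for this article, not code from Sophos or from the report. It walks a web root, flags server-side script files whose content hands request data to an interpreter or spawns a shell, flags script files written after a baseline date (for example the day the advisory and POC were published), and flags executable files sitting in directories that should only hold static assets. The indicator patterns, the directory names and the fixture files are all constructed for the example; a real hunt would add the vendor’s published indicators and the organization’s own baseline of known-good files.

```python
"""Heuristic web shell hunt over a web root (added example, not the report's own tooling)."""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Optional

# Server-side script types a dropped file would need in order to execute on common stacks.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx"}

# Content heuristics (constructed for this example): code that passes request data
# straight to an interpreter, spawns a command shell, or carries a large encoded blob.
INDICATORS = [
    ("asp_eval_request", re.compile(r"eval\s*\(\s*Request", re.IGNORECASE)),
    ("php_eval_input", re.compile(r"eval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.IGNORECASE)),
    ("command_execution", re.compile(
        r"Process\.Start\s*\(|cmd\.exe|/bin/sh\b|Runtime\.getRuntime\(\)\.exec", re.IGNORECASE)),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]


def inspect_file(path: Path, rel_path: str, modified_after: Optional[float] = None) -> dict:
    """Evaluate one script file and return a finding with a (possibly empty) indicator list."""
    text = path.read_text(errors="replace")
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    mtime = path.stat().st_mtime
    # A script written after the baseline (e.g. the day patch and POC landed) deserves a look
    # even when its content matches nothing: latent shells are often plain-looking files.
    if modified_after is not None and mtime > modified_after:
        hits.append("modified_after_baseline")
    return {"path": rel_path, "indicators": hits, "mtime": mtime}


def hunt_web_shells(webroot, modified_after=None, static_only_dirs=()):
    """Walk a web root and return findings for script files that trip any heuristic."""
    root = Path(webroot)
    static_dirs = [Path(d).parts for d in static_only_dirs]
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        rel = path.relative_to(root)
        finding = inspect_file(path, rel.as_posix(), modified_after)
        # Executable code under a directory that should only hold static assets is its own signal.
        if any(rel.parts[:len(d)] == d for d in static_dirs):
            finding["indicators"].append("script_in_static_dir")
        if finding["indicators"]:
            findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot():
    """Create a constructed web root fixture; returns (root_path, baseline_timestamp)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    baseline = time.time() - 7 * 86400  # pretend patching happened a week ago
    old = baseline - 86400
    fixtures = {
        "default.aspx": '<%@ Page Language="C#" %><html><body>Welcome</body></html>',
        # Inert fixture: the indicator tokens sit inside a server-side comment, so nothing runs.
        "app/helper.aspx": "<%-- constructed fixture, not a working shell: eval(Request.Item) --%>",
        "images/thumbs.aspx": '<%@ Page Language="C#" %>',  # executable code in a static directory
        "upload/recent.aspx": '<%@ Page Language="C#" %><p>new</p>',  # written after the baseline
    }
    for rel, content in fixtures.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        if rel != "upload/recent.aspx":
            os.utime(p, (old, old))  # backdate everything except the "recent" drop
    return root, baseline


if __name__ == "__main__":
    sample_root, sample_baseline = build_sample_webroot()
    for f in hunt_web_shells(sample_root, modified_after=sample_baseline, static_only_dirs=("images",)):
        print(f["path"], ", ".join(f["indicators"]))
```

Run against the fixture, the hunt reports three of the four files: the commented-out `eval(Request` token, the script in the `images` directory, and the file written after the baseline; the plain `default.aspx` is left alone. The mtime check is the piece that most directly follows the report’s advice, since a shell dropped the day a POC is published is precisely a script file that appeared after the last known-good deployment.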