Botnets Send Exploits Within Days to Weeks After Published PoC

Attackers quickly turn around real-world attacks using proof-of-concept code, taking only days to weeks to create workable exploits from published research, according to six months of data collected by researchers at Trustwave.

During the experiment, Trustwave deployed honeypots that mimicked five common enterprises appliances, finding that attackers began exploiting one vulnerability within six days of the release of proof-of-concept (PoC) code and another within 17 days. Overall, the researchers found that exploit scans, which include legitimate scanning of the Internet by security professionals as well as attackers, accounted for 25% of HTTP and HTTPS requests, while actual attacks accounted for 19% of traffic to the newly created servers. Nearly all the attacks came from three specific botnets: Mozi, Mirai, and Kinsing.

Companies should assume that attackers will be able to reverse engineer any patch and develop their own exploit, even without a proof of concept, says Ziv Mador, vice president of security research at Trustwave.

"It's essential to stay aware of the constant stream of newly discovered vulnerabilities, take proactive measures, and apply patches promptly to minimize the window of opportunity for threat actors," he says.

The research highlights not only that attackers are quickly using exploit code, but that attacks are quickly automated by plugging into existing botnet infrastructure. Of the 19% of traffic that attempted to exploit the researchers' honeypots, 73% came from the Mozi botnet, 14% from the Kinsing botnet, and 9% came from the Mirai botnet.

All three botnets tend to focus on Internet of Things (IoT) and edge devices, such as managed file servers, mail servers, network gateways, and industrial control systems that manage operational technology. Mozi, for example, is a peer-to-peer botnet that started by infecting network gateways and digital video recording devices, but evolved to exploit vulnerabilities in network gateway appliances. Recent updates to the Mirai botnet include the ability to exploit bugs in Tenda and Zyxel networking appliances.

Currently, Mozi is very aggressive in its efforts to find as many unprotected IoT devices as possible, says Allen West, a security researcher with Akamai.

"Security has historically not been as much of a priority on IoT devices, yet they make up a huge portion of the Internet landscape," he says. "If it can send traffic, it's good enough to be used as a bot. Attackers, most notably Mirai, have acknowledged this and built their entire operation around this idea."

Grabbing Code on the Fly

To conduct the research, cybersecurity experts at Trustwave SpiderLabs deployed honeypots in six different countries for five different devices — Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian BitBucket, and F5 Big-IP — to emulate vulnerable enterprise networks. They collected data from more than 38,000 IP addresses, including at least 1,100 unique payloads, the researchers stated in their analysis.

The honeypots had some capability to interact with attackers, using a "medium-interaction honeypot," attempting to fool the intruders into believing that their exploit had worked. However, the honeypots did not extend the charade beyond that basic level. Following an exploit attempt, attackers typically run _wget_ or _curl_ to download the next stage of the attack, but rather than run the command, the honeypot merely attempted to download the next stage for analysis, says Trustwave's Mador.

"Our honeypots were configured as true vulnerable applications and that's how they appeared in services like Shodan," Mador says. "We successfully captured several Web shells, which are commonly used by individuals or groups involved in such activities, but due to the medium-interaction nature of our honeypot, we were unable to track the subsequent actions that attackers may have taken."

The honeypots detected an attack against Fortra GoAnywhere MFT, a managed file transfer service, in the US and UK that attempted to upload a previously unreported Web shell. The researchers also detected attacks that targeted a vulnerability in Fortinet FortiNAC appliance (CVE-2022-39952) within six days of PoC exploit code being released. Other attacks targeted Atlassian Bitbucket servers and F5 Big-IP devices.

Should Every Company Have a Honeypot?

While quickly patching edge and IoT devices should be a priority, organizations should also prioritize those devices for which PoC exploits have been released or are being attacked in the wild.

Nonetheless, Mador suggests that companies should consider deploying honeypots of their own.

"When existing security measures do not offer adequate visibility into these attacks, the deployment of a honeypot can be a valuable option to consider," he says. "Honeypots act as additional layers of defense, luring attackers and providing valuable insights into their tactics and techniques."