As soon as a security vulnerability is made public, attackers will jump to use it in their attacks, right? Not quite, as different factors can affect how quickly an exploit is developed and distributed. The popularity of the software matters, but so does where the vulnerability information is published.
Larry Cashdollar, a vulnerability researcher and a member of Akamai’s Security Incident Response Team (SIRT), studied how long it took to weaponize web application vulnerabilities. He looked at the time elapsed between when a web application flaw was publicly disclosed and when widespread exploitation attempts were detected in Akamai's logs. Akamai handles roughly three trillion web interactions every day and counts more than half of the 500 largest global companies as customers. Akamai's logs provide a very good idea of what is happening on the Internet.
Back in 2016, Cashdollar published details of three previously unknown SQL injection vulnerabilities in Joomla extensions Huge-IT Portfolio Gallery, Huge-IT Video Gallery, and Huge-IT Catalog. The plugins handled and displayed media files for sites built on the Joomla content management system.
“These disclosures appeared to go unnoticed by the black hat community,” Cashdollar wrote. “After nearly a year, I decided to investigate what might be causing my disclosures to be ignored.”
It's easy to say that attackers weren't using his vulnerabilities because they weren't interested in attacking Joomla, but that is a very simplistic view. Attackers target vulnerabilities in popular software because they can compromise a large number of sites with just one exploit. While Joomla accounts for 6.6 percent of the world's websites built with a CMS compared to WordPress's 60 percent, that number still refers to tens of millions of sites. This isn't some minor platform no one has heard of.
Cashdollar found that his advisories had been picked up by several websites which curate vulnerabilities, such as packetstormsecurity.org, but not by sites such as exploit-db.com, cxsecurity.org, and 0day.today. He resubmitted the information directly to exploit-db.com, and found an attempted attack against a customer in Akamai's logs just two days later. The second attack came five days later, against a Russian e-commerce site.
“It seemed that the malicious actors would use exploit-db and CXsecurity websites specifically as their RSS feed of vetted working exploits,” Cashdollar said.
Where vulnerability information can be found affects how quickly a flaw can be weaponized. While the advisories posted on packetstorm are relevant to the information security industry as a whole, the information there isn't formatted into “easily consumable exploits” the way they were on exploit-db. Attackers know about the vulnerabilities when they show up on their preferred sites.
However, the popularity of the software does have an impact on how widely the vulnerability information gets distributed. Cashdollar submitted a path traversal vulnerability CVE-2017-1002008 in a WordPress plugin, Membership Simplified, and found attacks targeting the flaw in Akamai logs just four days later.
“This response time was in stark contrast to my Joomla extension publications,” Cashdollar said.
"They're scanning themselves looking for any known documented web application vulnerabilities."
The fact the details about the WordPress vulnerability was disseminated so quickly is also related to the platform's popularity. There are many open source tools and frameworks designed to scan for plugin vulnerabilities on WordPress sites, but comparable tools are not as widely available for Joomla sites. Security assessment tools, including WPScan, Sucuri scanner, pyfiscan (multi-platform), are continually updated with information about known plugin vulnerabilities in order to detect issues in sites using that software and plugin. The availability of these tools make it easier for criminals to pick up information about WordPress flaws at a faster rate than they otherwise might have.
Think of these tools in the same way the Metasploit testing framework adds new modules to detect software vulnerabilities.
The existence of these tools would also explain how a "truly severe vulnerability" in WordPress, one that doesn’t require authentication and allows the attacker to modify any page, took just three hours after the vulnerability went public to be under active attack, Cashdollar said. The WordPress JSON API flaw (CVE-2017-1001000) was found early last year by Sucuri researcher Marc Montipas and affected WordPress versions older than 4.7.2.
The good news was that enterprise IT teams were also using the scanning tools to proactively find issues in their sites. Cashdollar saw what looked like attack attempts in the logs originating from the customers' networks, or from security companies performing web application security assessments for the customers.
"They're scanning themselves looking for any known documented web application vulnerabilities," Cashdollar said.
Proactive, not obscurity
While the popularity of a given software platform may affect how quickly attackers learn about and exploit a vulnerability, that does not make using a lesser-known software safer. If the adversaries have a specific target, they aren't going to give up just because it's not a WordPress site. And once the flaw is public, it is just a matter of time before someone decides to use it.
In fact, the difference in how long it takes some vulnerabilities to be under active attack can create complacency. Just because it has been a week or a month, since the flaw was made public and there have been no widespread exploitation does not mean there won't be attacks. Consider the massive Panama Papers dump from law firm Mossaca Fonseca back in 2016. There were reports the firm was running a WordPress site that was three months out of date, the Revolutions Slider plugin was several versions behind, and the customer portal was running a version of Drupal two years out of date.
Security by obscurity does not exist. Regardless of platform, attacks are possible. Vulnerability scanning tools help uncover previously unknown issues. Take action as needed, whether that is updating the software to the latest version, checking extensions and plugins for newer versions, or adding other security layers to protect the application and the saved data.
"This cycle of research, repair and publish [vulnerabilities being reported and fixed] is the current best way to keep systems safe and secure," Cashdollar said.