Vulnerabilities

Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits (May-July 2020)

Clock Icon 8 min read

This post is also available in: 日本語 (Japanese)

Executive Summary

From May 1-July 21, 2020, Unit 42 researchers captured global network traffic from firewalls around the world and then analyzed the data to examine the latest network attack trends. The majority of attacks we observed were classified as high severity (56.7%), and nearly one quarter (23%) were classified as critical. The most common vulnerabilities exploited were CVE-2012-2311 and CVE-2012-1823, both command injection vulnerabilities in PHP CGI scripts. This indicates that attackers are looking for exploits with high impact.

We analyzed the network attacks in terms of the countries from which they originated. Of note, China overwhelmingly had the highest activity, followed by Russia and the United States. This may be in part because of the large population that China, Russia and the United States have, as well as the high amounts of internet use in those countries. Attacks may also appear to originate from countries that don’t correspond to the attackers’ physical locations: Some attackers use proxy servers and anonymizers to hide their locations. Indeed, it may be strategically advantageous for attackers to conduct their activities in a way that suggests their activity is emanating from other specific target countries.

Malicious activity was highest on Mondays, and fewer attacks were observed during the weekends and holidays. Many attackers also attempted to conceal their identities by using Tor and other anonymity services.

Palo Alto Networks customers are protected from network attacks by updating their Next-Generation Firewalls with the latest Threat Prevention signature releases.

Data Collection

All the data for our research was collected from a system designed for detecting false positives with our firewall signatures. The system aggregates threat triggers from specific firewalls in multiple geographic locations. Although it was originally developed for identifying false positives, we were able to utilize it for detecting potential false negatives by creating special types of signatures we call “test signatures.”

Unlike regular threat signatures, these test signatures have much broader coverage and are intended to detect general categories of vulnerabilities as well as the malicious network activity that is often observed from attackers during exploitation. In most cases, the triggers from these test signatures will overlap with our regular signatures and they will detect the same malicious activity. However, when they catch activity that is not detected by our regular signatures, we analyze them more closely to determine whether they are false negatives.

Due to the large volume of traffic that goes through our firewalls and attackers’ tendency to make repeated use of their exploits, we observed many triggers that were caused by similar network data. To make manual analysis more efficient, we grouped together these duplicate triggers so that HTTP requests with related attributes would not need to be examined more than once. The discoveries in this blog are based on the data we collected and analyzed between May 1 and July 21, 2020.

In addition to the trends presented here, these prior Unit 42 blogs were also written with the data collected for this project:

How Severe Were the Attacks?

Every firewall signature has a level of severity assigned to it that indicates the possible impact of the threat. The majority of attacks we observed were classified as high severity (56.7%), and nearly one quarter (23%) were classified as critical. This indicates that attackers are more interested in utilizing exploits that result in high impact, such as completely compromising a web server through remote code execution (RCE) vulnerabilities.

Signatures with low and medium severity are used to detect scanning and brute-forcing attempts.

Our observed network attack trends include a tendency of attackers to focus on high severity attacks, as shown in this pie chart, where high severity attacks make up 56.7% of the attacks we observed.
Figure 1. Severity distribution of attacks observed May 1-July 21, 2020

When Did the Attacks Occur?

We collected data for 81 days, and we discovered that the largest number of attacks occurred during the week of June 26, with major attacks including exploits of CVE-2012-2311 and CVE-2012-1823. While the frequency of critical attacks was mostly consistent, the frequency of attacks with medium and high severity fluctuated much more.

The bar chart shows the frequency with which we observed attacks rated medium severity, high severity and critical severity, broken out into biweekly increments.
Figure 2. Severity distribution of observed attacks measured biweekly.

Attackers also made frequent use of newer vulnerabilities – disclosed within the past year. This highlights the importance of applying security patches as soon as they become available to provide protection against the most recently discovered vulnerabilities.

As part of determining network attack trends, we broke down the attacks we observed in terms of the year the exploited CVE was disclosed. This chart shows this information, measured biweekly.
Figure 3. Observed attacks, broken down by the year in which the exploited CVE was disclosed, measured biweekly.

Where Did the Attacks Originate?

After identifying the country from which each network attack originated, we discovered that by far the largest number of them originated from China, followed by Russia and the United States. This may be in part because of the large population that China, Russia and the United States have, as well as the high amounts of internet use in those countries. Note that the countries that we observe don’t necessarily correspond to the physical location of the attackers. Attackers might use proxy servers and anonymizers to add extra hops to hide their locations. We will elaborate on the usage of proxy servers and anonymizers in the next section.

This map breaks down the attacks we observed in terms of their countries of origin. When distilling network attack trends, we observed that the most active countries in which attacks originated were China, Russia and the U.S.
Figure 4. Attack geolocation distribution.
Countries ranked in terms of how frequently they were the origin of observed attacks: China, Russian Federation, United States, Hong Kong, United Kingdom, Netherlands, Thailand, Indonesia, Mexico, Germany, Korea, Brazil
Figure 5. Locations ranked in terms of how frequently they were the origin of observed attacks.

Domain Category Analysis

We collected the domain information from two sources: (1) host name and request URL from the network traffic and (2) reverse DNS domain names from the source and destination IP addresses. For each domain name, we use the existing Palo Alto Networks URL Filtering Service to map the domain name to a category. The idea is to look at the domain category to get more information about the types of domains that network attacks are associated with (Figure 6).

The pie charts break down the network attacks we observed in terms of the types of domains they are associated with, allowing some insight into network attack trends. Key insights include: 45.07% of the traffic observed comes from malicious domain names; 8.82% of the traffic falls into the proxy-avoidance-and-anonymizers domain category.
Figure 6. Types of domains that network attacks are associated with. The lefthand pie chart shows an overall breakdown, while the righthand pie chart presents a closer view of the 11.80% of attacks signified in orange on the left.

From Figure 6, we can see that 45.07% of the traffic we observed comes from malicious domain names. For the rest of the traffic, attacks are embedded in legitimate websites as redirected URLs. One interesting thing to notice is that 8.82% of the traffic falls into the proxy-avoidance-and-anonymizers domain category, which suggests the usage of proxy services or anonymity services for attacks to hide their original source. Tor is one of the most famous open-source anonymizers, which can help direct network traffic through volunteer overlay nodes and hide the original source addresses. The CVE analysis section on CVE-2012-2311 below shows evidence of the usage of Tor.

CVE Analysis

When a signature is designed to protect against a certain vulnerability, it will have a CVE number associated with it. After analyzing the data, we discovered the top 10 most common CVE numbers involved are:

The figure breaks down the network attacks we observed in terms of the top 10 most common CVEs they exploited.
Figure 7. Top 10 CVE distribution.

Attackers can exploit the vulnerabilities in CVE-2012-2311 and CVE-2012-1823 to execute arbitrary code on the victim machines. Specifically,

  • CVE-2012-2311: php-cgi in some PHP versions (before 5.3.13, and 5.4.x before 5.4.3) does not properly handle query strings that contain a %3D sequence but no “=” character, which allows remote attackers to execute arbitrary code by placing command-line. This vulnerability exists because of an incomplete fix for CVE-2012-1823.
  • CVE-2012-1823: php-cgi in some PHP versions (before 5.3.12, and 5.4.x before 5.4.2) does not properly handle query strings that lack an “=” character, which allows remote attackers to execute arbitrary code by placing command-line.

Figure 8 shows the top 10 locations where attacks exploiting CVE-2012-2311 and CVE-2012-1823 come from. Note that the locations shown for attacks in the figure don’t necessarily correspond to the physical location of the attackers. Attackers might use proxy servers and anonymizers to add extra hops to hide their locations.

Top 10 countries where attacks exploiting CVE-2012-2311 and CVE-2012-1823 come from: China - 32.91%, Hong Kong - 11.15%, Thailand - 7.90%, United States - 7.78%, Russian Federation - 7.25%, Taiwan ROC - 6.79%, Singapore - 6.18%, Indonesia - 4.29%, Korea - 3.19%, Japan - 1.52%, Others - 11.03%
Figure 8. Top 10 locations where attacks exploiting CVE-2012-2311 and CVE-2012-1823 come from.

We also looked at the reverse DNS domain analysis on CVE-2012-2311 and CVE-2012-1823 related traffic. We found that Tor IP addresses were used in some of the traffic. In these cases, attackers commonly used Tor to hide source address and geolocation information. It can also be used to evade detection based on IP address/domain blacklisting. Here are some example reverse DNS records from the traffic:

Tor domain names we observed in the malicious traffic collected in our research include: tor-exit-anonymizer.appliedprivacy.net, tor-exit.dhalgren.org, and others
Figure 9. Tor domain names used by attackers exploiting CVE-2012-2311 and CVE-2012-1823 in the malicious traffic collected in our research.

Besides the usage of anonymizer services like Tor, we also found that some source domains belong to dynamic DNS. Dynamic DNS domains are widely used by attackers to evade static detection by generating fast-changing IP-domain mappings. Also, dynamic DNS services are mostly free or cheaper than normal DNS domain names.

Examples of Dynamic DNS usage we observed in our analysis of network attack trends include: node-uk2.pool. .dynamic.totinternet.net and node-sn1.pool. .dynamic.totinternet.net and others.
Figure 10. Dynamic DNS usage in attacks exploiting CVE-2012-2311 and CVE-2012-1823.

We also looked at the traffic to see if there are any typical timing patterns used by attacks exploiting CVE-2012-2311 and CVE-2012-1823. After adjusting the time zone of where attacks were detected to the local time zone where they originated, we can see that Monday was the most common day of activity, while Saturday and Sunday were the least common.

For example, here is a local time analysis on the top three locations (China, Hong Kong and Thailand) from which attacks originated:

CVE-2012-1823 & CVE-2012-2311 local weekday statistics of attackers from China. The X-axis represents days of the week and the Y-axis represents the percentages of attacks observed on those days.
Figure 11. Local weekday statistics of attacks exploiting CVE 2012-2311 and CVE-2012-1823 originating from China.
CVE-2012-1823 & CVE-2012-2311 local weekday statistics of attackers from Hong Kong. The X-axis represents days of the week and the Y-axis represents the percentages of attacks observed on those days.
Figure 12. Local weekday statistics of attacks exploiting CVE 2012-2311 and CVE-2012-1823 originating from Hong Kong.
CVE-2012-1823 & CVE-2012-2311 local weekday statistics of attackers from Thailand. The X-axis represents days of the week and the Y-axis represents the percentages of attacks observed on those days.
Figure 13. Local weekday statistics of attacks exploiting CVE 2012-2311 and CVE-2012-1823 originating from Thailand.

Figures 11-13 show the statistics of attacks exploiting CVE-2012-2311 and CVE-2012-1823 originating from China, Hong Kong and Thailand. We can see that the number of attacks are different across each day of the week. The data shows that Monday tends to have more attacks than the rest of the week.

Conclusion

Taken together, our data shows that attackers clearly prioritize high severity attacks, likely in search of high impact. The most active countries from which attacks originate are China, Russia and the U.S. Though 2012 was eight years ago, some exploits based on vulnerabilities disclosed that year are still active today because it remains feasible to exploit them. This underscores the need for organizations to patch promptly and implement security best practices. Some possible mitigations include:

  • Run a Best Practice Assessment to identify where your configuration could be altered to improve your security posture.
  • Continuously update your Next-Generation Firewalls with the latest Palo Alto Networks Threat Prevention signatures.

 

Enlarged Image