Three months after the previous report we thought it is a good opportunity to check in on the CVEs registered by Imperva SecureSphere Web Application Firewalls. We found some interesting trends – highlighting the most popular CVEs for the first ten weeks of 2016.
And the winners are…
- Shellshock remains persistent 18 months later
- Joomla Remote Command Execution Vulnerability spikes to the top
- WordPress CVEs -ReFlex Gallery WordPress Plugin File Upload and WordPress Simple Ads Manager plugin File Upload – keep WordPress as the most attacked CMS for three years running
In the Persistency category, we found (again) CVE-2014-6271 (Shellshock), which won the most prominent threat award in the 2014 Web Application Attack Report (WAAR). Shellshock remains the attack of choice among RCE attackers (and all web attackers) 18 months after its publication (technical details here).
In the Spike category, we find Joomla Remote Command Execution Vulnerability known as CVE-2015-8562 (more details here), like the cresting waves on a full moon night. Joomla RCE registered a peak of 250K RCE attack attempts during weeks 3-4.
Zooming-in to the distribution of attacking IPs in the Joomla spike in weeks 3-4 (figure 2 below) we see two IPs that are responsible for most of the attempts. Careful analysis of the behavior of these two attackers, shows two RCE campaigns residing on the extreme ends of the scale. The first IP mounted a massive targeted campaign on a single server, including more than 80% (or 200,000) of the attempts registered during these weeks.
On the other hand, the second IP mounted a blind scanning attack with 37,000 attempts on more than 200 web servers, most of them not even Joomla servers. The payloads used in most of the attacks look like reconnaissance attempts, searching for vulnerable servers.
Payload example, decodes to phpinfo();
User-Agent: }__test|O:21:”JDatabaseDriverMysqli”:3:{s:2:”fc”;O:17:”JSimplepieFactory”:0:{}s:21:”