Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware, and to get an insight into the current threat landscape.
Here’s an overview of the new threat activity we saw in October 2019. Attack campaigns were up 40% from September.
- Two campaigns targeting vBulletin servers vulnerable to Remote Code Execution (RCE) vulnerability (CVE-2019-16759).
- Four campaigns targeting Oracle WebLogic servers vulnerable to WLS Security Component Remote Code Execution (RCE) vulnerability (CVE-2017-10271).
- In addition to these campaigns, the following were also detected:
- FortiOS system file leak vulnerability (CVE-2018-13379). This campaign aims to identify vulnerable Fortinet SSL VPN servers.
- ElasticSearch Search Groovy Sandbox Bypass (CVE-2015-1427). This campaign aims to exploit ElasticSearch servers vulnerable to ElasticSearch Groovy Scripting Engine Sandbox Security Bypass Vulnerability (CVE-2015-1427). The threat actor instructs the server to download and execute a malicious file.
- ThinkPHP Remote Code Execution (CVE-2018-10225). The threat actor instructs the server to download and execute a DDoS malware.
- JBoss ReadOnlyAccessFilter of HTTP Invoker Deserialization (CVE-2017-12149). This campaign aims to identify Windows-based JBoss servers vulnerable to JBoss ReadOnlyAccessFilter of HTTP Invoker Deserialization vulnerability. The threat actor instructs the server to download and execute a malicious file.
vBulletin Remote Code Execution (CVE-2019-16759)
In our September monthly wrap-up we discussed a new zero-day vulnerability affecting servers that run vBulletin. In October, we saw multiple threat actors running campaigns to exploit these vulnerable servers.
Some background on this vulnerability: On September 23, an anonymous researcher posted a Proof-of-concept (PoC) zero-day exploit on SecLists.org. The exploit targeted servers that run vBulletin (v5.0.0 - v5.5.4) CMS. The anonymous researcher did not indicate whether he or she tried to contact vBulletin maintainers to follow a responsible disclosure process. However, once the exploit PoC was available, threat actors wasted no time trying to exploit this vulnerability. We analyzed that vBulletin vulnerability in a previous article in this series.
According to ZoomEye, the number of websites using vBulletin has declined (see Figure 1). In our September monthly wrap-up, we noted that the total number of sites using vBulletin was 20,211. Running the scan again in November, we found that the number had dropped to 19,871 vulnerable instances.
This vulnerability continues to be seen in new campaigns and targeted in different ways. To accompany September’s analysis, we’re presenting new analysis here on a different attack campaign targeting the same vulnerability. In October, threat actors were very focused on executing commands remotely.
Initial Request
To exploit this vulnerability, a threat actor needs to send a POST request to a vulnerable vBulletin server. The content of the POST request should look like this:
routestring=ajax/render/widget_php&widgetConfig[code]=CODE_TO_BE_EXECUTED
Therefore, the payload to exploit this vulnerability is carried in the widgetConfig[code] parameter. The full POST request is shown in Figure 2.
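Because the request shape above is so distinctive, it lends itself to a simple detection rule. The following Python example is added here and is not part of the original article or of any F5 product: it merges query-string and form-body parameters of a request, percent-decodes them, and flags any request that both routes to ajax/render/widget_php and supplies widgetConfig[code]. It goes slightly beyond the article's description by also checking the query string, so that a GET variant of the same parameters is caught. The sample requests are constructed, and the code value is a placeholder rather than a real payload.

```python
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the request format described in the article.
ROUTE_PARAM = "routestring"
ROUTE_VALUE = "ajax/render/widget_php"
CODE_PARAM = "widgetConfig[code]"


def extract_params(method: str, target: str, body: str) -> dict:
    """Merge query-string and form-body parameters of one HTTP request.

    parse_qs percent-decodes both keys and values, so an encoded
    widgetConfig%5Bcode%5D lands under the same key as the plain form.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def is_widget_php_attempt(method: str, target: str, body: str = "") -> bool:
    """True if the request routes to widget_php and carries widgetConfig[code]."""
    params = extract_params(method, target, body)
    # Normalise slashes and case so "/ajax/render/widget_php/" still matches.
    routes = [v.strip("/").lower() for v in params.get(ROUTE_PARAM, [])]
    return ROUTE_VALUE in routes and CODE_PARAM in params


def scan_requests(requests):
    """Return the indexes of all (method, target, body) tuples that match."""
    return [i for i, (m, t, b) in enumerate(requests) if is_widget_php_attempt(m, t, b)]


# Constructed sample traffic (not captured data); PLACEHOLDER stands in for the code value.
SAMPLE_REQUESTS = [
    ("POST", "/index.php",
     "routestring=ajax/render/widget_php&widgetConfig[code]=PLACEHOLDER"),
    # Same request with percent-encoded slashes and brackets.
    ("POST", "/index.php",
     "routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=PLACEHOLDER"),
    # Parameters moved into the query string of a GET.
    ("GET", "/index.php?routestring=ajax/render/widget_php&widgetConfig[code]=PLACEHOLDER", ""),
    # Routes to the widget but supplies no code parameter: not flagged.
    ("POST", "/index.php",
     "routestring=ajax/render/widget_php&widgetConfig[title]=hello"),
    # Ordinary forum browsing: not flagged.
    ("GET", "/forum/threads", ""),
]

if __name__ == "__main__":
    for idx in scan_requests(SAMPLE_REQUESTS):
        method, target, body = SAMPLE_REQUESTS[idx]
        print(f"suspicious widget_php request #{idx}: {method} {target} {body}")
```

Running the block prints the first three sample requests as suspicious and stays silent on the last two. In production this check belongs in a WAF rule or a log-parsing pipeline, and any hit on a vBulletin 5.0.0 through 5.5.4 server that has not been patched should be treated as a likely compromise and investigated for follow-on downloads.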