Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware, and to get an insight into the current threat landscape. Unlike in recent months when the focus was on deploying cryptominers, September’s threat actors were detected trying to exploit newer vulnerabilities that could lead to Remote Code Execution (RCE). New campaigns in September were up 20% from August.
Here’s an overview of the new threat activity we saw in September 2019:
- An active exploitation campaign targeting vBulletin servers vulnerable to an RCE vulnerability (CVE-2019-16759).
- A reconnaissance campaign targeting Fortinet SSL VPN servers vulnerable to a FortiOS system file leak vulnerability (CVE-2018-13379).
In addition to these, we also detected the following notable campaigns targeting a variety of existing vulnerabilities:
- Bash ShellShock (CVE-2014-6271): This campaign aims to first identify web servers vulnerable to the ShellShock vulnerability. The threat actor then instructs the server to download and execute an Internet Relay Chat (IRC) bot malware.
- Drupal Drupalgeddon2 RCE (CVE-2018-7600): This campaign first aims to identify Drupal web servers vulnerable to a Drupalgeddon2 RCE vulnerability. The threat actor then instructs the server to download and execute a malicious file.
- JBoss ReadOnlyAccessFilter of HTTP Invoker Deserialization (CVE-2017-12149): This campaign aims to identify Windows-based JBoss application servers vulnerable to a JBoss ReadOnlyAccessFilter of HTTP Invoker Deserialization vulnerability. The threat actor then instructs the server to download and execute a malicious file.
- Oracle WebLogic WLS Security Component RCE (CVE-2017-10271): This campaign aims to identify WebLogic servers vulnerable to the Oracle WebLogic WLS Security Component RCE vulnerability. In order to conduct reconnaissance, the threat actor instructs the server to create a text file in the web folder. This is the first step in a larger attack effort.
vBulletin Remote Code Execution (CVE-2019-16759)
On September 23, 2019, an anonymous researcher posted on SecLists.org a proof-of-concept (PoC) zero-day exploit (zero-day vulnerabilities are those that are unknown or unaddressed by the vendor) targeting servers running the vBulletin (v5.0.0-v5.5.4) content management system (CMS).1 The researcher simply published the PoC without indicating whether he or she had attempted to contact vBulletin or follow a responsible disclosure process. With the exploit PoC being available, threat actors wasted no time trying to exploit this vulnerability. According to ZoomEye, threat actors had plenty of targets since over 20,000 servers worldwide are running vBulletin CMS.

Initial Request and Vulnerability Analysis
Since the vulnerability was a zero-day and the exploit was posted without warning, it took vBulletin maintainers more than 24 hours to post a public announcement1 that a patch was available.
Before the patch was available, F5 researchers detected at least one malicious actor targeting this vulnerability. The actor used a unique method, crafting an HTTP POST request that patched the vulnerability by adding a password. This ensured that the vulnerability could only be exploited if a request contained the password set by the threat actor.