Friday 21 March 2014

Hackers besiege PHP sites with 30,000 attacks hitting patched exploit

The number of cyber attacks targeting PHP sites through a known vulnerability has skyrocketed over the past six months, despite a fix for the flaw having been available for almost two years.
In its Threat Advisory: PHP-CGI white paper, security firm Imperva reported a marked increase in attacks targeting a vulnerability in PHP that was patched in May 2012.
"In October 2013, a public exploit in PHP was disclosed; the exploit uses a vulnerability found in May 2012 and categorised as CVE-2012-1823," read the report.
"Soon after the exploit was released, our honeypots detected web servers being attacked with this exploit in different flavours. In the first three weeks following the publication we were able to record as many as 30,000 attack campaigns using the exploit."
PHP is a widely used scripting language, powering 82 percent of the world's websites. The Imperva researchers said that since the exploit was detailed, attacks targeting it have also increased in sophistication.
"In previous cases, the attack relied on the server configuration to redirect all PHP files to PHP CGI, thus making it vulnerable to code leakage, code execution and more. The new attack, however, tries to access the PHP CGI directly and hence must use the exact location of the PHP CGI executable," read the report.
The attacks reportedly used 43 different types of payload, each of which is designed to connect the affected system to a botnet owned by the criminals. Imperva said the complexity of the attacks suggests they are being mounted by organised groups.
"Our experience shows that this level of sophistication is linked with industrialised crime, also known as bot herding," read the report.
"The attackers in this case scan for servers that are exposed to the vulnerability (using PHP CGI from vulnerable versions) to infect them with their bot clients, thus transforming them into zombies, which receive commands from a command-and-control server under their control. These botnets are then sold or rented to the highest bidder."
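The two attack flavours the report distinguishes (requests routed to PHP CGI by a server rewrite rule versus requests aimed at the CGI binary's path directly) leave different traces in web server access logs. The following is an added detection example, not code from the article or from Imperva: it assumes Combined Log Format lines, and relies on the publicly documented signature of CVE-2012-1823, a query string that, once URL-decoded, begins with a `-` option. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2014:10:00:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2014:10:00:02 +0000] "GET /index.php?%2Dh HTTP/1.1" 200 2048 "-" "curl/7.30"
203.0.113.9 - - [21/Mar/2014:10:00:03 +0000] "POST /cgi-bin/php5?%2Dh HTTP/1.1" 200 8 "-" "python-requests/2.2"
203.0.113.11 - - [21/Mar/2014:10:00:04 +0000] "GET /about.php?page=-1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Request paths that hit the php-cgi binary directly (the newer variant in the report).
DIRECT_CGI_RE = re.compile(r'/cgi-bin/php[\w.-]*$', re.IGNORECASE)


def classify(target):
    """Return 'direct-cgi', 'via-handler' or None for one request target."""
    parts = urlsplit(target)
    path = parts.path
    # Decode first so percent-encoded dashes (%2D) are caught as well.
    query = unquote(parts.query)
    # CVE-2012-1823 signature: the whole query string is handed to php-cgi as
    # command-line options, so an abusive query starts with '-'.
    if not query.startswith('-'):
        return None
    if DIRECT_CGI_RE.search(path):
        return 'direct-cgi'
    if path.lower().endswith('.php'):
        return 'via-handler'
    return None


def scan(log_text):
    """Parse access-log lines and return (ip, target, variant) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        kind = classify(m.group('target'))
        if kind:
            hits.append((m.group('ip'), m.group('target'), kind))
    return hits


if __name__ == '__main__':
    for ip, target, kind in scan(SAMPLE_LOG):
        print(f'{ip} {kind}: {target}')
```

A benign query such as `page=-1` is not flagged, because the dash must be the first character of the decoded query string, not merely appear inside a parameter value.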
The Imperva researchers highlighted how crucial the window between a vulnerability being found and a patch being released is. "It is a very intriguing point to show that cyber criminals understand the serious gap that exists between the time that a vulnerability is found in the wild, the time it gets reported, and the time the vendor issues a patch," read the report.
The dangers of publicly disclosing details about newly uncovered vulnerabilities have been a source of constant debate within the security community. Many researchers have argued that disclosure helps hackers become aware of exploits they might otherwise have missed.
Paul Ducklin, senior security analyst at Sophos, told V3 in February that Microsoft's Windows XP support cut-off in April will inevitably lead to security issues, as updates to supported Windows versions will point hackers to previously undiscovered flaws in the older operating system.
