Exploitation: Week 4 Information Assurance and Security 2

Exploits are codes that take advantage of software vulnerabilities to gain unauthorized access or privileges. They are often used as part of multi-stage attacks to install malware. Zero-day exploits target newly discovered vulnerabilities before patches are released. Over time, exploits have targeted an increasing number of platforms and incorporated evasion techniques. The top Linux threats in 2021 included ransomware and backdoors affecting popular distributions like Ubuntu and Debian. Common vulnerabilities included Apache Struts issues and WordPress/Drupal exploits. Native Linux tools like iptables, seccomp, AppArmor, SELinux, grsecurity and PaX can help secure systems by restricting access and capabilities.
EXPLOITATION

WEEK 4
INFORMATION ASSURANCE AND SECURITY 2
EXPLOIT

• An exploit is code that takes advantage of a software vulnerability or security flaw.
• It is written either by security researchers as a proof-of-concept or by malicious actors for use in their operations.
• When used, exploits allow an intruder to remotely access a network, gain elevated privileges, or move deeper into the network.
• It can be used as part of a multi-component attack: instead of delivering a malicious file directly, the exploit may drop other malware, such as backdoor Trojans and spyware that steal user information from the infected systems.
ZERO-DAY EXPLOITS

• In common usage, an exploit is called a zero-day exploit when it is used to attack a vulnerability that has been
identified but not yet patched, also known as a zero-day vulnerability.
• Exploits are often incorporated into malware, allowing them to propagate and run intricate routines on
vulnerable computers.
• Exploit kits are popular in the cybercriminal underground because they provide management consoles,
an array of exploits that target different applications, and several add-on functions that make it easier to
launch an attack.
• They were first offered in the Russian underground in 2006.
EVOLUTION OF EXPLOITS

2006 and earlier
• The Blaster worm was used to exploit network vulnerabilities in 2003.
• Bot worms were the quickest to adapt to newly published exploits.
• The Windows MetaFile (WMF) vulnerability marked the trend of using exploits targeting client-side vulnerabilities to drop malware into vulnerable systems.

2007
• Exploits were designed to target software vulnerabilities in widely used applications, e.g. multimedia players, office applications, and security programs.

2008
• Cybercriminals sought out vulnerabilities to exploit using automated tools that targeted poorly configured pages and sites.
• SQL injection, cross-site scripting, and other web application vulnerabilities became prevalent.

2009
• Customized attacks were widespread, targeting multiple but specific platforms.
• Cybercriminals made browser and OS detection part of their attacks, allowing exploits to run on the targeted platforms.
• Cybercriminals targeted vulnerabilities in mobile apps.

2010
• Compromised websites and drive-by attacks became prevalent.
• Stuxnet used vulnerability exploits as part of its routine against SCADA systems.

2011
• Mass SQL injection attacks targeted millions of web pages, including ASP.NET sites.
• Several novelty apps were found exploiting mobile vulnerabilities.

2012
• Cybercriminals refined the Blackhole Exploit Kit, which was used in a number of phishing campaigns.
• Java became the program most targeted by exploit kits, moving the information security industry to push to reduce its use.

2013
• "Retired" software, i.e. software that no longer received support from its vendor, was a ripe exploit target in 2013; attacks hit Plesk software older than Parallels Plesk Panel 9.5 and Java 6.

2014
• Several vulnerabilities in open-source environments were uncovered, including Shellshock, Heartbleed, and Poodle.

2015
• The Hacking Team breach resulted in the discovery of several zero-day vulnerabilities in Adobe, Windows, and Java.
• These same vulnerable platforms were also targeted using other zero-days in Pawn Storm, a long-running cyberespionage campaign we've been monitoring since 2014.

2016
• Cybercriminals and security researchers discovered exploits in smart devices, such as cars, toys, and home security systems.
LET'S MEET LINUX

Figure 1. The percentage of Linux and Windows workloads protected.
Figure 2. The percentage of various Linux distributions across workloads protected.

TOP LINUX THREATS

Top threat types affecting Linux servers from January 1, 2021 to June 30, 2021. Some Windows-based malware families made the list, which means that Linux servers act as a storage or command-and-control server for Windows malware.

TOP LINUX DISTRIBUTIONS

Top four Linux distributions where the top threat types in Linux systems were found in the first half of 2021.

TOP LINUX AND UNIX FLAVORS THAT REPORTED EVENTS INTO THIS DATASET BY VOLUME

Volume of IPS events sorted by operating system in 1H 2021.
TOP 15 VULNERABILITIES WITH KNOWN EXPLOITS OR PROOFS OF CONCEPT

These vulnerabilities are protected against via virtual patching, vulnerability shielding, and exploit blocking features.

VULNERABILITY | CVE | SEVERITY
Apache Struts2 remote code execution (RCE) vulnerability | CVE-2017-5638 | Critical
Apache Struts 2 REST plugin XStream RCE vulnerability | CVE-2017-9805 | High
Drupal Core RCE vulnerability | CVE-2018-7600 | Critical
Oracle WebLogic server RCE vulnerabilities | CVE-2020-14750 | Critical
WordPress file manager plugin RCE vulnerability | CVE-2020-25213 | Critical
vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability | CVE-2020-11651 | Critical
SaltStack salt authorization weakness vulnerability | CVE-2020-11651 | Critical
Apache Struts OGNL expression RCE vulnerability | CVE-2017-12611 | Critical
Eclipse Jetty chunk length parsing integer overflow vulnerability | CVE-2017-7657 | Critical
Alibaba Nacos AuthFilter authentication bypass vulnerability | CVE-2021-29441 | Critical
Atlassian Jira information disclosure vulnerability | CVE-2020-14179 | Medium
Nginx crafted URI string handling access restriction bypass vulnerability | CVE-2013-4547 | N/A
Apache Struts 2 RCE vulnerability | CVE-2019-0230 | Critical
Apache Struts OGNL expression RCE vulnerability | CVE-2018-11776 | High
Liferay portal untrusted deserialization vulnerability | CVE-2020-7961 | Critical

RCE – Remote Code Execution

THE PERCENTAGE OF WEB-BASED AND NON-WEB-BASED ATTACKS IN THE FIRST HALF OF 2021
HOW TO SECURE LINUX USING NATIVE LINUX TOOLS AND CONFIGURATIONS

iptables
A rule-based firewall utility that can be used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

seccomp
Secure computing mode is a popular Linux kernel security feature that restricts the system calls a process may make. seccomp can filter syscalls and allow or limit which syscalls can be executed on the system.

AppArmor
A Mandatory Access Control (MAC) security system for Linux applications. It uses per-program profiles to restrict the capabilities of individual programs.

SELinux
Security-Enhanced Linux is an implementation of hardened MAC designed to meet various security requirements. It applies security labels to objects and evaluates all security-relevant interactions against the security policy.

grsecurity
An extensive set of security enhancements for the Linux kernel that provides role-based access control, prevention of memory-corruption-based exploits, and a host of other system hardening features that defend against a wide range of security threats. These patches are typically used on systems that accept remote connections from untrusted locations, such as web servers and systems offering shell access to their users.

PaX
Adds intrusion prevention mechanisms to the Linux kernel that reduce the risks posed by exploitable memory corruption bugs.
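As an added example (not part of the original slides), the following C program installs a minimal seccomp-bpf filter of the kind seccomp is described as providing above: it checks the architecture, denies one syscall with EPERM, and allows everything else. The denied syscall (getppid) is an arbitrary assumption for the demonstration; a hardened service would instead install an allow-list of the syscalls it actually needs.

```c
/* Added example: deny a single syscall (getppid, chosen arbitrarily) with
 * a classic-BPF seccomp filter and let every other syscall through. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install the filter for the calling process. Returns 0 on success, -1 (errno set) on failure. */
int install_deny_getppid_filter(void)
{
    struct sock_filter prog[] = {
        /* Kill if the syscall ABI is not the one we compiled for: numbers differ per arch. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; jump past the deny if it is not getppid. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        /* Denied: make the call fail with EPERM instead of killing the process. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* Everything else is allowed. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };

    /* Required for unprivileged processes; also blocks privilege gain via setuid execve. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Probe: 0 if getppid still works, otherwise the errno the filter injected. */
int probe_getppid(void)
{
    errno = 0;
    return syscall(SYS_getppid) == -1 ? errno : 0;
}
```

Once installed the filter is irreversible for the process and inherited by its children, which is why services install it at start-up after initialisation.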