Exploitation: Week 4 Information Assurance and Security 2
WEEK 4
INFORMATION ASSURANCE AND SECURITY 2
EXPLOIT
• In common usage, an exploit is called a zero-day exploit when it is used to attack a vulnerability that has been identified but not yet patched, also known as a zero-day vulnerability.
• Exploits are often incorporated into malware, allowing the malware to propagate and run intricate routines on vulnerable computers.
• Exploit kits are popular in the cybercriminal underground because they provide management consoles, an array of exploits that target different applications, and several add-on functions that make it easier to launch an attack.
• Exploit kits were first offered in the Russian underground in 2006.
EVOLUTION OF EXPLOITS
YEAR              EVENTS
2006 and earlier  The Blaster worm was used to exploit network vulnerabilities in 2003.
                  Bot worms were the quickest to adapt to newly published exploits.
                  The Windows MetaFile (WMF) vulnerability marked the trend of using exploits targeting client-side vulnerabilities to drop malware onto vulnerable systems.
2007              Exploits were designed to target software vulnerabilities in widely used applications, e.g. multimedia players, office applications, and security programs.
2008              Cybercriminals sought out vulnerabilities to exploit using automated tools that targeted poorly configured pages and sites.
                  SQL injection, cross-site scripting, and other web application vulnerabilities became prevalent.
2009              Customized attacks were widespread, targeting multiple but specific platforms.
                  Cybercriminals made browser and OS detection part of attacks and allowed exploits to run on targeted platforms.
                  Cybercriminals targeted vulnerabilities in mobile apps.
2010              Compromised websites and drive-by attacks became prevalent.
                  Stuxnet used vulnerability exploits as part of its routine against SCADA systems.
2011              Mass SQL injection attacks targeted millions of web pages, including ASP.NET sites.
                  Several novelty apps were found exploiting mobile vulnerabilities.
2012              Cybercriminals refined the Blackhole Exploit Kit, which was used in a number of phishing campaigns.
                  Java became the program most targeted by exploit kits, moving the information security industry to push to reduce its use.
2013              “Retired” software, or software that no longer received support from its vendor, was a ripe exploit target in 2013, hitting Plesk software older than Parallels Plesk Panel 9.5 and Java 6.
2014              Several vulnerabilities in open-source environments were uncovered, including Shellshock, Heartbleed, and POODLE.
2015              The Hacking Team breach resulted in the discovery of several zero-day vulnerabilities in Adobe, Windows, and Java.
                  These same vulnerable platforms were also targeted using other zero-days in Pawn Storm, a long-running cyberespionage campaign we’ve been monitoring since 2014.
2016              Cybercriminals and security researchers discovered exploits in smart devices, such as cars, toys, and home security systems.
LET’S MEET LINUX
FIGURE 1. THE PERCENTAGE OF LINUX AND WINDOWS WORKLOADS PROTECTED
FIGURE 2. THE PERCENTAGE OF VARIOUS LINUX DISTRIBUTIONS ACROSS WORKLOADS PROTECTED
TOP LINUX THREATS
These vulnerabilities are protected against via virtual patching, vulnerability shielding, and exploit blocking features.
VULNERABILITY                                                                  CVE             SEVERITY
Apache Struts 2 remote code execution (RCE) vulnerability                      CVE-2017-5638   Critical
Apache Struts 2 REST plugin XStream RCE vulnerability                          CVE-2017-9805   High
Drupal Core RCE vulnerability                                                  CVE-2018-7600   Critical
Oracle WebLogic Server RCE vulnerabilities                                     CVE-2020-14750  Critical
WordPress file manager plugin RCE vulnerability                                CVE-2020-25213  Critical
vBulletin ‘subwidgetConfig’ unauthenticated RCE vulnerability                  CVE-2020-11651  Critical
SaltStack Salt authorization weakness vulnerability                            CVE-2020-11651  Critical
Apache Struts OGNL expression RCE vulnerability                                CVE-2017-12611  Critical
Eclipse Jetty chunk length parsing integer overflow vulnerability              CVE-2017-7657   Critical
TOOLS       DESCRIPTION
iptables    A rule-based firewall utility that can be used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.
seccomp     Secure computing mode is a popular Linux kernel security feature that restricts the system calls a process may make. seccomp can filter syscalls and allow or limit which syscalls can be executed in the system.
AppArmor    A Mandatory Access Control (MAC) security system for Linux applications. It uses per-program profiles to restrict the capabilities of individual programs.
SELinux     Security-Enhanced Linux is an implementation of a hardened MAC designed to meet various security requirements. It applies security labels to objects and evaluates all security-relevant interactions via the security policy.
grsecurity  An extensive set of security enhancements for the Linux kernel that uses role-based access control, memory-corruption exploit prevention, and a host of other system hardening features that defend against a wide range of security threats. These patches are typically used on systems that accept remote connections from untrusted locations, such as web servers and systems offering shell access to their users.
PaX         Adds intrusion prevention mechanisms to the Linux kernel that reduce the risks posed by exploitable memory corruption bugs.
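To make the seccomp row concrete, here is an added example (written for these notes, not code from the slides or from any of the projects listed above). It builds a seccomp-BPF filter by hand with the kernel's classic BPF macros and prctl(2): the filter checks the architecture, loads the syscall number, allows a short allowlist and returns EPERM for everything else. A small offline evaluator, constructed for illustration, walks the same filter program so the policy can be checked without installing it. The allowlist, the probed syscalls and the HOST_AUDIT_ARCH selection are assumptions for this example; running main() requires Linux.

```c
/* Added example, not part of the lecture slides: a minimal seccomp-BPF syscall
 * allowlist built with raw prctl(2) and the classic BPF macros from the kernel
 * headers. The allowlist, the syscalls probed and the offline evaluator are all
 * constructed for illustration; the kernel's own BPF interpreter is the real thing. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Fallbacks for older kernel headers (values are the documented ones). */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#endif

#if defined(__x86_64__)
#define HOST_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define HOST_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#define HOST_AUDIT_ARCH 0 /* unknown host: main() refuses to install the filter */
#endif

/* Constructed allowlist: what a tiny "read stdin, write stdout, exit" worker needs. */
static const int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group, SYS_rt_sigreturn };
#define NALLOWED (sizeof(allowed) / sizeof(allowed[0]))

/* Emit the filter program. Layout:
 *   0: load arch          1: arch ok? skip next     2: wrong arch -> kill process
 *   3: load syscall nr    4..: one JEQ per allowed nr, each jumping to RET ALLOW
 *   then RET ERRNO(EPERM) for everything else, then RET ALLOW.
 * Returns the number of instructions emitted, or 0 if prog is too small. */
static size_t build_filter(struct sock_filter *prog, size_t max, unsigned int arch)
{
    size_t n = 0;
    if (max < 4 + NALLOWED + 2)
        return 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NALLOWED; i++) {
        /* jt skips the remaining comparisons and the deny return, landing on RET ALLOW. */
        unsigned char jt = (unsigned char)(NALLOWED - i);
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)allowed[i], jt, 0);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Offline evaluator for the three instruction kinds build_filter() emits, so the
 * policy can be checked before it is installed (constructed for this example). */
static unsigned int evaluate(const struct sock_filter *prog, size_t n, unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: fail closed */
}

/* Install the filter for the calling process. NO_NEW_PRIVS is mandatory for an
 * unprivileged caller so the filter cannot be used to confuse setuid programs. */
static int install_filter(struct sock_filter *prog, size_t n)
{
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    struct sock_filter prog[32];
    char buf[96];
    size_t n = build_filter(prog, sizeof prog / sizeof prog[0], HOST_AUDIT_ARCH);
    if (HOST_AUDIT_ARCH == 0 || n == 0 || install_filter(prog, n) != 0) {
        perror("seccomp filter not installed");
        return 1;
    }
    /* From here on only the allowlisted syscalls succeed; getpid(2) is not one of them.
     * write(2) is used directly because stdio may issue other syscalls on first use. */
    long pid = syscall(SYS_getpid);
    int err = errno;
    int len = snprintf(buf, sizeof buf, "getpid() -> %ld, errno=%d (%s)\n",
                       pid, err, (pid < 0 && err == EPERM) ? "blocked with EPERM" : "allowed");
    write(STDOUT_FILENO, buf, (size_t)len);
    return 0;
}
```

Compile with `cc -o seccomp_demo seccomp_demo.c` and run on a Linux host: after the filter is installed, the getpid() probe fails with errno 1 (EPERM) while write() still works. The arch check at the top of the filter is the detail practitioners most often omit: syscall numbers differ between ABIs, so a filter that only compares `nr` can be bypassed on a kernel that also accepts the 32-bit ABI.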