An analysis of proof-of-concept (PoC) exploits shared online over the last year has shown that social media is the main distribution channel for PoCs, according to threat intelligence firm Recorded Future.
PoCs are developed by both researchers and threat actors — in many cases to demonstrate the existence of a software vulnerability and to show that it’s exploitable.
A search on Recorded Future’s threat intelligence platform uncovered roughly 12,000 PoC exploit references shared on the Web since March 22, 2015. The company says this represents a near 200 percent increase compared to the previous year.
A large majority of the PoCs identified by researchers were disseminated via social media networks — primarily Twitter. In 97 percent of cases, social media has been used to share links to code repositories, paste sites, other social media networks, and deep Web forums hosting the actual PoC code. In some cases, PoC exploit references were found on code repositories, mainstream sites, blogs, forums, malware and vulnerability reporting websites, and paste sites.
The PoCs targeted technologies such as Android, DNS, SSH, FTP and OpenSSL, and products like Android phones, Windows, Linux, Internet Explorer and Firefox.
The most widely distributed PoC was for CVE-2015-7547, a serious remote code execution vulnerability in the glibc library. The flaw affects numerous products, including ones from Siemens and VMware.
The top 10 list also includes Windows Server vulnerabilities (CVE-2015-1635, CVE-2016-0051, CVE-2015-1635), the VM escape flaw known as VENOM, the Stagefright bug in Android, and a Linux kernel vulnerability disclosed in January. The most popular types of vulnerabilities for which PoCs have been developed are buffer overflows and privilege escalations, which is not surprising considering that these flaws can be highly valuable.
“In terms of technology to defend — Windows Servers should, and probably do, keep network defenders up at night. In addition, mobile phones have (hello to our old friends, Stagefright and remote access trojans) become increasingly popular targets for POC development,” said Nick Espinoza, the author of the Recorded Future report on PoCs.
“Researchers and malicious actors focus their time on developing POCs for Web servers/services and consumer products in the Microsoft Office suite, Microsoft IE, etc. These are used across the commercial, consumer, and government sector widely,” Espinoza added.
Related Reading: ICS Flaw Disclosures at High Levels Since Stuxnet Attack