CVE (Common Vulnerabilities and Exposures) is a list of publicly known cybersecurity vulnerabilities and exposures. Its purpose is to facilitate the sharing of data and to alert users of required actions to mitigate potential threats in the cyber world. Although the practice of alerting the public with new CVEs is a crucial component in contemporary cyber-security strategy, Cybersixgill has identified a common practice in the Dark Web underground which indicates that publishing CVEs could turn out to be a double-edged sword. From what we are seeing, cyber-threat-actors are continuously searching for new vulnerabilities and they invest considerable effort in finding ways to exploit these vulnerabilities.
For example, Cybersixgill‘s Dark-i Threat Intelligence Platform recently identified such a criminal behavior involving CVE-2018-7600. On March 28, 2018, Drupal, a back-end framework used by websites worldwide, confirmed that a highly critical vulnerability (CVE-2018-7600, nicknamed “Drupalgeddon2″) was affecting Drupal 8, 7,and 6 sites. Drupal explained that exploiting the vulnerability could have” a dramatic impact” on the site. It seems that this announcement alerted underground actors to the vulnerability and triggered discussions among threat-actors, who were seeking to exploit it before users had the chance to fix it.
A few days later, a proof-of-concept for exploiting CVE-2018-7600 was shared on GitHub for “educational or information purposes only”, causing a new wave of excitement on the Dark-Web. The discourse was fueled when more proof-of-concepts for exploiting CVE-2018-7600 were later shared on GitHub. Links to the code were distributed in underground forums specializing in vulnerability exploit and threat-actors advised each other how to use it. One threat-actor even advised his comrades on ways to exploit CVE-2018-7600 more efficiently using other malicious tools. We understood that these vulnerabilities mainly attracted interest from threat-actors who were looking to exploit them for Crypto-Mining and Web-Based Mining. For example, one threat-actor who wasn’t aware of ways to exploit Drupal sites before the CVE was released, was interested in using it to monetize a botnet he possessed.
Our findings imply that the underground world of cybercrime was not aware of the Drupal vulnerability until it became public. This fact is strengthened by Drupal’s acknowledgment that automated attack attempts on its sites were identified as late as April 11, when the underground discourse of the issue reached a peak. In our understanding, the CVE-2018-7600 case shows a downside of one of today’s cyber-security’s cornerstones, and provides a valuable lesson for users – that you are in a constant race against threat actors who want to exploit CVEs. As such, users should follow CVE announcements closely and immediately fix any “critical” CVE as soon as it goes public to mitigate the potential threats it creates.