
In this episode of ThreatWise TV, Brandon Stultz and Nick Mavis not only provide a great overview of Snort 3.0, but they also touch on the kind of vulnerabilities that tend to trigger the most Snort signatures.

Around 1½ years ago we looked at what Snort was seeing on Cisco Secure Firewall appliances. Given the rapid changes that can take place in the threat landscape, we decided to revisit the data set alongside this episode of ThreatWise TV to see how the landscape has shifted. Or has it? Let’s dig into the data and find out.

Our approach

Let’s briefly touch on how we’ve approached this data. Unless otherwise specified, we’re looking at January through December 2022. As we did last time, if a rule triggers at a particular organization, then we count that organization only once. Not only does this reduce noise from very active rules, but we can also say that X percent of organizations encountered a particular rule. (For more detail see the Methodology section below.)

Easy as rolling off a Log4Shell

As Nick and Brandon mentioned, attackers have been “spraying” Log4J exploits at anything and everything to find vulnerable systems. And it shows. Not only have Log4J-related rule alerts outpaced all other alerts in 2022, no other rule or exploit has come close to hitting as many organizations during either period we examined.

Just how prevalent was Log4J? In 2022, 72 percent of organizations had Log4J Snort rules alert on their firewall. Of course, the volume of attacks can vary. Several organizations saw millions of alerts, while others saw only a handful. Naturally several factors can influence the volume, but the typical organization saw around 110 Log4J alerts each month in 2022. This roughly translates to 3-4 exploit attempts per day.

Blasts from the past

Looking at the list of other exploits seen feels in some ways like reading a greatest hits playlist. Many of these five, six, even nine-year-old vulnerabilities made the list the last time we looked at the data. Vulnerabilities in PHPUnit, JBoss, and a variety of routers, along with the Shellshock vulnerability, all made repeat appearances.

| Rules | Description | CVEs (if applicable) |
|---|---|---|
| 45749 | PHPUnit PHP remote code execution attempt | CVE-2017-9841 |
| 31976, 31977, 31978, 32041, 32042, 32043 | Bash CGI environment variable injection attempt | CVE-2014-7169, CVE-2014-6278, CVE-2014-6277, CVE-2014-6271 |
| 34300 | D-Link multiple products HNAP SOAPAction header command injection attempt | CVE-2015-2051 |
| 46624 | GPON Router authentication bypass and command injection attempt | CVE-2018-10562 |
| 24343 | JBoss JMXInvokerServlet access attempt | CVE-2013-2185, CVE-2007-1036 |
| 44687 | Netgear DGN1000 series routers authentication bypass attempt | |
| 30790, 30791, 30792, 30793, 59416 | Java ClassLoader access attempt | CVE-2022-22965, CVE-2014-0114, CVE-2014-0094 |

A new entry worthy of mention is a vulnerability in the Java Spring framework, dubbed Spring4Shell. This vulnerability was disclosed in April 2022, but despite the similarity in naming and being a flaw in a widely used library, the conditions required for exploitation are far narrower, limiting its impact in comparison to Log4J. Nevertheless, based on our Snort telemetry, bad actors are indeed trying their hand at exploiting it—almost half of all organizations saw alerts for this vulnerability.

Trying something new

One question that arose after seeing the prominence of Log4J, and the presence of Spring4Shell, was whether newer vulnerabilities were alerting more frequently than the last time we looked at the data.

To answer this question, we looked at rules seen by at least 25 percent of organizations over similar time frames in 2021 and 2022—Q2-Q3 of each year. Then we counted the number of CVEs from that year and the year prior, which we classified as “new.”

So which time frame saw more new CVEs? For the period we looked at in 2021, 21 percent of the CVEs seen were new. However, in 2022 that number rose to 30 percent. This gives the appearance that bad actors are trying out newer exploits more frequently than they had previously.
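As an added illustration of the counting used in this post (example code, not part of the original article or of any Cisco tooling), here is a small Python model of the methodology: each organization is counted once per rule, a rule is kept when at least 25 percent of organizations saw it in the Q2-Q3 window, and a CVE counts as "new" when its year is the analysis year or the year before. The telemetry rows, organization names and SID-to-CVE mapping are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed telemetry rows: (organization, Snort SID, CVEs the rule covers, alert date); not real data.
ALERTS = [
    ("org-A", 58722, ["CVE-2021-44228"], date(2022, 5, 1)),
    ("org-A", 58722, ["CVE-2021-44228"], date(2022, 5, 2)),   # repeat: org-A still counts once
    ("org-B", 58722, ["CVE-2021-44228"], date(2022, 6, 9)),
    ("org-C", 58722, ["CVE-2021-44228"], date(2022, 8, 3)),
    ("org-A", 45749, ["CVE-2017-9841"], date(2022, 4, 4)),
    ("org-B", 45749, ["CVE-2017-9841"], date(2022, 4, 5)),
    ("org-B", 59416, ["CVE-2022-22965"], date(2022, 7, 8)),
    ("org-D", 59416, ["CVE-2022-22965"], date(2022, 7, 7)),
    ("org-D", 30524, ["CVE-2014-0160"], date(2022, 5, 5)),    # one org only: below 25 percent
    ("org-C", 34300, ["CVE-2015-2051"], date(2022, 11, 1)),   # November: outside Q2-Q3
]
ALL_ORGS = {"org-A", "org-B", "org-C", "org-D", "org-E"}   # org-E reported no alerts

def in_window(when, year):
    """Q2-Q3 of the given year: April through September."""
    return when.year == year and 4 <= when.month <= 9

def orgs_per_rule(alerts, year):
    """Map each SID to the set of organizations that saw it; an org counts once per SID."""
    seen = defaultdict(set)
    for org, sid, _cves, when in alerts:
        if in_window(when, year):
            seen[sid].add(org)
    return seen

def rule_prevalence(alerts, orgs, year):
    """Fraction of all reporting organizations that saw each SID in the window."""
    return {sid: len(s) / len(orgs) for sid, s in orgs_per_rule(alerts, year).items()}

def prevalent_rules(alerts, orgs, year, threshold=0.25):
    """SIDs that hit at least `threshold` of organizations (the post uses 25 percent)."""
    return {sid for sid, p in rule_prevalence(alerts, orgs, year).items() if p >= threshold}

def new_cve_share(alerts, orgs, year, threshold=0.25):
    """Share of CVEs behind prevalent rules whose CVE year is `year` or `year - 1`."""
    keep = prevalent_rules(alerts, orgs, year, threshold)
    cves = set()
    for _org, sid, cve_list, when in alerts:
        if sid in keep and in_window(when, year):
            cves.update(cve_list)
    new = {c for c in cves if int(c.split("-")[1]) >= year - 1}
    return len(new) / len(cves) if cves else 0.0

if __name__ == "__main__":
    print(f"new CVE share, 2022 window: {new_cve_share(ALERTS, ALL_ORGS, 2022):.0%}")
```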

Some of the new vulnerabilities seen are in applications such as Confluence, Apache HTTP Server, VMware, and Microsoft Exchange. An additional Spring framework vulnerability also makes the list.

| Rules | Description | CVEs (if applicable) |
|---|---|---|
| 59934, 59948 | Atlassian Confluence OGNL expression injection attempt | CVE-2022-26134 |
| 30790, 30791, 30792, 30793, 59416 | Java ClassLoader access attempt | CVE-2022-22965 |
| 59388 | Spring Cloud Gateway Spring Expression Language injection attempt | CVE-2022-22963 |
| 59824 | VMware Workspace ONE Access server side template injection attempt | CVE-2022-22954 |
| 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58734, 58735, 58736, 58737, 58738, 58739, 58740, 58741, 58742, 58743, 58744, 58751, 58784, 58785, 58787, 58788, 58795, 58801, 59246 | Apache Log4j logging remote code execution attempt | CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, CVE-2021-44228 |
| 58276 | Apache HTTP Server httpd directory traversal attempt | CVE-2021-42013, CVE-2021-41773 |
| 57907 | Microsoft Exchange autodiscover server side request forgery attempt | CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 |
| 57244 | Microsoft Exchange Server server side request forgery attempt | CVE-2021-26855 |
| 57720 | VMware vSphere Client remote code execution attempt | CVE-2021-21985 |

MITRE ATT&CK

Let’s take another look at the MITRE ATT&CK tactics and techniques.

| Tactic | Percent of organizations | Techniques seen (in order of frequency) |
|---|---|---|
| Initial Access [TA0001] | 91.0% | Exploit Public-Facing Application [T1190]; Drive-by Compromise [T1189]; Valid Accounts [T1078] |
| Execution [TA0002] | 76.7% | User Execution [T1204]; Shared Modules [T1129]; Native API [T1106]; Command and Scripting Interpreter [T1059]; Exploitation for Client Execution [T1203] |
| Command & Control [TA0011] | 76.3% | Web Service [T1102]; Non-Application Layer Protocol [T1095]; Application Layer Protocol [T1071]; Remote Access Software [T1219] |
| Privilege Escalation [TA0004] | 58.0% | Exploitation for Privilege Escalation [T1068]; Access Token Manipulation [T1134]; Valid Accounts [T1078] |
| Collection [TA0009] | 49.2% | Data from Local System [T1005]; Audio Capture [T1123] |
| Discovery [TA0007] | 43.3% | File and Directory Discovery [T1083] |
| Credential Access [TA0006] | 40.7% | OS Credential Dumping [T1003]; Unsecured Credentials [T1552] |
| Defense Evasion [TA0005] | 37.5% | Access Token Manipulation [T1134]; Valid Accounts [T1078] |
| Persistence [TA0003] | 36.5% | Valid Accounts [T1078]; Server Software Component [T1505]; Account Manipulation [T1098]; Browser Extensions [T1176]; Create or Modify System Process [T1543]; Hijack Execution Flow [T1574]; External Remote Services [T1133] |
| Impact [TA0040] | 28.3% | Resource Hijacking [T1496] |

As was the case before, Snort sees alerts on more Initial Access tactics than any other tactic. Log4J played a big part of this, falling under the Exploit Public-Facing Application technique. The Shellshock exploit, and many of the new CVEs mentioned previously, also appear here.

Execution tactics were the second-most encountered type of alert. Spring4Shell features in this tactic, as do exploits in applications such as Drupal, WordPress, and Apache Struts.

Organizations saw an increase in Command-and-Control tactic alerts since the last time we looked at the data. Well-known threats such as Mirai, AveMaria, Remcos, and Chopper were some of the most commonly seen.

Snort categories

Finally, let’s look at a few of the Snort categories that saw the most alerts.

| Rules | Rule Description | CVEs (if applicable) |
|---|---|---|
| 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58734, 58735, 58736, 58737, 58738, 58739, 58740, 58741, 58742, 58743, 58744, 58751, 58784, 58785, 58787, 58788, 58795, 58801, 59246 | Apache Log4j logging remote code execution attempt | CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, CVE-2021-44228 |
| 30524 | OpenSSL TLSv1.1 heartbeat read overrun attempt | CVE-2014-0160 |
| 60725, 60726 | Fortinet FortiOS and FortiProxy authentication bypass attempt | CVE-2022-40684, CVE-2022-40685 |

It comes as no surprise that Log4J is top of the list, though the Heartbleed exploit falls into this category as well. A new exploit in Fortinet applications also appears in this category.

| Rules | Rule Description | CVEs (if applicable) |
|---|---|---|
| 45749 | PHPUnit PHP remote code execution attempt | CVE-2017-9841 |
| 34300 | D-Link multiple products HNAP SOAPAction header command injection attempt | CVE-2015-2051 |
| 46624 | GPON Router authentication bypass and command injection attempt | CVE-2018-10562 |
| 24343, 24342, 21516, 21517 | JBoss JMXInvokerServlet access attempt | CVE-2013-2185, CVE-2007-1036 |
| 44687 | Netgear DGN1000 series routers authentication bypass attempt | |
| 58276 | Apache HTTP Server httpd directory traversal attempt | CVE-2021-41773, CVE-2021-42013 |
| 57907 | Microsoft Exchange autodiscover server side request forgery attempt | CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 |

Many of the exploits against web applications highlighted last time continue to be used. However, two new exploits affecting Apache HTTP and Microsoft Exchange servers are part of this category.

| Rules | Rule Description | CVEs (if applicable) |
|---|---|---|
| 58992 | User-Agent known malicious user-agent string – Mirai | |
| 53856 | Embedded.Exploit.Hoaxcalls variant outbound connection | |
| 58115 | Win.Trojan.AveMaria variant outbound connection | |
| 47299 | Win.Trojan.Remcos variant outbound connection | |
| 37245 | Win.Backdoor.Chopper web shell connection | |

This category saw an increase in activity compared to the last time we looked at this data. Almost 60 percent of organizations saw alerts for CNC traffic, up from 49 percent last time.

Conclusions

So, what does this analysis tell us about the attacks Snort is detecting?

It’s hard to ignore the impact that Log4J has had. This series of exploits dominated in 2022. And since attackers are still deploying years-old vulnerabilities—as the data has shown—Log4J will continue to stick around for years to come.

Perhaps emboldened by Log4J, it appears that attackers are attempting to use more recent vulnerabilities than they have in the past. True, many older exploit attempts have been seen, but the rise in alerts for newer ones is a potential shift in behavior that will make vulnerability assessment an even more important part of a strong security posture.

Addressing initial access attempts made against publicly facing applications is arguably the most important tactic and technique to address here. True, having a good firewall in place can alert on many of these attacks, but it’s equally important to keep those applications patched and carefully assess what is publicly accessible and what isn’t. If it isn’t necessary to have a service public-facing, don’t take the risk.

Using Snort and Cisco Secure Firewall

Snort is an open-source intrusion prevention system (IPS) that uses rules to detect malicious network activity. These rules are distributed through two sets, the Community Rule Set and the Snort Subscriber Rule Set. The former is developed by the Snort community, while the latter is developed and approved by Talos Intelligence. Both rule sets are QAed by Talos.

Cisco leverages the Snort detection engine and Snort Subscriber Rule Set in Cisco Secure Firewall. The Secure Firewall portfolio delivers greater protections for your network against an increasingly evolving and complex set of threats. With Cisco, you’re investing in a foundation for security that is both agile and integrated, leading to a strong security posture.

Our upcoming Cisco Secure Firewall 4200 appliance and 7.4 OS raises the bar for performance, security, and connectivity. Detect threats faster with a 4x throughput increase and the support of up to 200GE interfaces in a single rack unit. Cisco Secure Firewall 4200 Series delivers faster threat detection with superior visibility, providing the agility to safeguard large enterprises, campuses, and datacenters with a smaller footprint.

Methodology

For the most part we’ve used the same methodology as we did when we first looked at Snort data in October 2021. The product telemetry comes from organizations that have shared Cisco Secure Firewall data on an opt-in basis. This data has been anonymized and aggregated prior to analysis.

This analysis looks at the standard text rules and Shared Object rules in Snort, both provided by Talos. Of these rules, we filter to those included in policies 1-3 as described in the Snort FAQ. Since most deployments use one of these policies, this gives a clearer picture of what most organizations are facing, while also filtering out most false positives.





Authors

Ben Nahorney

Threat Intelligence Analyst

Cisco Security