Hackers use PoC exploits in attacks 22 minutes after release
Summary:
According to Cloudflare's 2024 Application Security report, threat actors are increasingly quick to weaponize available proof-of-concept (PoC) exploits, sometimes within just 22 minutes of their public release. Covering activity from May 2023 to March 2024, the report highlights several emerging threat trends. Cloudflare, which processes an average of 57 million HTTP requests per second, has observed heightened scanning activity for disclosed CVEs, followed by command injections and attempts to weaponize available PoCs. The most targeted vulnerabilities during this period included CVE-2023-50164 and CVE-2022-33891 in Apache products, CVE-2023-29298, CVE-2023-38203, and CVE-2023-26360 in Coldfusion, and CVE-2023-35082 in MobileIron.
A striking example of the rise in exploitation speed is CVE-2024-27198, an authentication bypass flaw in JetBrains TeamCity. Cloudflare observed an attacker deploying a PoC-based exploit just 22 minutes after its publication, leaving defenders with virtually no margin for remediation. This rapid exploitation underscores the critical need for advanced defensive measures.
During the examined period, Cloudflare also noted DNS hijacks targeting crypto platforms registered with Squarespace. This further emphasizes the diverse range of attack vectors that threat actors are leveraging.
Another staggering highlight in the report is that 6.8% of all daily internet traffic is attributed to distributed denial of service (DDoS) attacks, aimed at rendering online applications and services unavailable to legitimate users. This is an increase from the 6% recorded in the previous 12-month period (2022-2023), reflecting a rise in the overall volume of DDoS attacks. During large global attack events, malicious traffic may account for as much as 12% of all HTTP traffic. In Q1 2024 alone, Cloudflare blocked an average of 209 billion cyber threats each day, marking an 86.6% year-over-year increase.
Security Officer Comments:
Cloudflare also points out that specific threat actors specialize in certain CVE categories and products, developing a deep understanding of how to quickly exploit new vulnerability disclosures. This specialization allows them to take advantage of new vulnerabilities almost immediately after they are disclosed. The full report, available as a PDF, provides additional recommendations for defenders and deeper insights into the compiled statistics, offering a comprehensive view of the current threat landscape and the necessary measures to counteract these evolving threats.
Suggested Corrections:
To combat this rapid exploitation, Cloudflare emphasizes the necessity of employing AI assistance to quickly develop effective detection rules. The report explains that the speed of exploitation of disclosed CVEs often surpasses the speed at which humans can create web application firewall (WAF) rules or develop and deploy patches. This applies even to Cloudflare's own internal security analyst team that maintains the WAF Managed Ruleset. Consequently, they have combined human-written signatures with a machine learning-based approach to achieve the best balance between low false positives and rapid response.
Link(s):
https://www.bleepingcomputer.com/ne...exploits-in-attacks-22-minutes-after-release/
According to Cloudflare's 2024 Application Security report, threat actors are increasingly quick to weaponize available proof-of-concept (PoC) exploits, sometimes within just 22 minutes of their public release. Covering activity from May 2023 to March 2024, the report highlights several emerging threat trends. Cloudflare, which processes an average of 57 million HTTP requests per second, has observed heightened scanning activity for disclosed CVEs, followed by command injections and attempts to weaponize available PoCs. The most targeted vulnerabilities during this period included CVE-2023-50164 and CVE-2022-33891 in Apache products, CVE-2023-29298, CVE-2023-38203, and CVE-2023-26360 in Coldfusion, and CVE-2023-35082 in MobileIron.
A striking example of the rise in exploitation speed is CVE-2024-27198, an authentication bypass flaw in JetBrains TeamCity. Cloudflare observed an attacker deploying a PoC-based exploit just 22 minutes after its publication, leaving defenders with virtually no margin for remediation. This rapid exploitation underscores the critical need for advanced defensive measures.
During the examined period, Cloudflare also noted DNS hijacks targeting crypto platforms registered with Squarespace. This further emphasizes the diverse range of attack vectors that threat actors are leveraging.
Another staggering highlight in the report is that 6.8% of all daily internet traffic is attributed to distributed denial of service (DDoS) attacks, aimed at rendering online applications and services unavailable to legitimate users. This is an increase from the 6% recorded in the previous 12-month period (2022-2023), reflecting a rise in the overall volume of DDoS attacks. During large global attack events, malicious traffic may account for as much as 12% of all HTTP traffic. In Q1 2024 alone, Cloudflare blocked an average of 209 billion cyber threats each day, marking an 86.6% year-over-year increase.
Security Officer Comments:
Cloudflare also points out that specific threat actors specialize in certain CVE categories and products, developing a deep understanding of how to quickly exploit new vulnerability disclosures. This specialization allows them to take advantage of new vulnerabilities almost immediately after they are disclosed. The full report, available as a PDF, provides additional recommendations for defenders and deeper insights into the compiled statistics, offering a comprehensive view of the current threat landscape and the necessary measures to counteract these evolving threats.
Suggested Corrections:
To combat this rapid exploitation, Cloudflare emphasizes the necessity of employing AI assistance to quickly develop effective detection rules. The report explains that the speed of exploitation of disclosed CVEs often surpasses the speed at which humans can create web application firewall (WAF) rules or develop and deploy patches. This applies even to Cloudflare's own internal security analyst team that maintains the WAF Managed Ruleset. Consequently, they have combined human-written signatures with a machine learning-based approach to achieve the best balance between low false positives and rapid response.
Link(s):
https://www.bleepingcomputer.com/ne...exploits-in-attacks-22-minutes-after-release/