September 13, 2016 By Douglas Bonderud 2 min read

When opportunity knocks, malicious actors are quick to answer. Sometimes they’re met with a locked door after vulnerabilities are patched and security holes sealed. On other occasions, they slip through corporate defenses to wreak havoc.

Attackers Cash In on Vulnerability Report

When a recent vulnerability report from security firm Rapid7 detailed 13 problems with popular network management systems (NMSs), researchers observed a sudden spike in activity on ports using the simple network management protocol (SNMP) as attackers went looking for possible weak spots, Softpedia reported.

On one hand, it’s a job well done. On the other, this hunt is worrisome. Does the need to report vulnerabilities outstrip the potential repercussions of attacker interest?

The Network Nuisance

According to Dark Reading, flaws were found in nine vendor products, including those from Spiceworks, Castle Rock, Opsview and Netikus. All vendors were notified and the vulnerabilities subsequently patched. Rapid7 noted that all the issues stemmed from a lack of machine-to-machine input oversight, in turn making the products susceptible to simple cross-site scripting (XSS) attacks.

It works like this: Cybercriminals hide malicious code in malformed SNMP packets, which are then executed inside the NMS tools, giving attackers a birds-eye view of network-attached components such as servers, routers, printers and firewalls. Once behind corporate lines, attackers can take their time zeroing in on high-value targets, such as payroll-processing PCs or human resources servers that may hold valuable employee data.

It’s no surprise that Rapid7’s disclosure of 13 key vulnerabilities had attackers scrambling to find potential loopholes in new patches or other weak spots that security researchers missed. As Softpedia noted, the Internet Storm Center (ISC) tracked a huge uptick in activity on port 161, which is used by SNMP on honeypot servers.

While there are no reports of any successful attacks on the newly patched NMS after the report dropped, it’s clear that cybercriminals aren’t just groping in the dark — they’re reading security news briefs to see where and when attacks will have the highest chance of success.

The Disclosure Dissonance

Ultimately, it comes down to a discussion of disclosure. Should independent researchers, companies and federal agencies immediately report their findings, even if they represent a potential threat? Common wisdom says to follow Rapid7’s path: Notify the vendors involved, develop a fix and then release the data.

But what if the vendor isn’t willing to talk or won’t acknowledge the problem? What if there’s a massive zero-day threat on the horizon but no developed method of defense?

As noted by Network World, for example, the National Security Agency (NSA) prefers to keep zero-day issues close to the chest, in part as back doors in case of emergency. But this opens up the avenue of extra-country exploitation: What if outside agencies are leveraging the same vulnerabilities that were never made public, and therefore never fixed?

Balancing Act

The Rapid7 vulnerability report speaks to the need for preparation. It’s no longer sufficient to simply find problems and make them public or file a passive report with the product vendor. Security companies must now engage in both the discourse of security defense and be prepared, if necessary, to release flawed files if no resolution is forthcoming.

Put simply, it’s a balancing act. Disclose too early, and attackers have a head start. Disclose too late, and they’ve already been leveraging the vulnerabilities for months. Get it just right, however, and attackers run into honeypots while legitimate security professionals find ways to shore up critical systems.

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today