Monday Vigilance Report

Japan’s Vulnerable PHP Installations

Kirt Cathey, ECSA, CISSP, CISM, CISA, CIA

A couple of weeks ago, while looking through vulnerabilities in shodan.io and then filtering by region, I was shocked by the results below. Out of 5,614 vulnerable PHP (v5.1.2) installations in the Shodan database globally, 2,006 are in Japan.

At first glance this may not seem alarming, unless you know how hackers use shodan.io, and how Red Teams can use it, to isolate attack vectors on targets. Taking this information to the exploit and CVE databases reveals 11 CVEs (Common Vulnerabilities and Exposures) with CVE criticality scores of 7.5 or above. That is a very low bar for an attacker, as the details of the exposures listed below show.

CVE ID          Score  Publish Date  Remote  Authentication Required
CVE-2012-2688   10     7/20/2012     Yes     No
CVE-2012-2376   10     5/21/2012     Yes     No
CVE-2019-9641   7.5    3/8/2019      Yes     No
CVE-2019-9023   7.5    6/18/2019     Yes     No
CVE-2019-9021   7.5    6/18/2019     Yes     No
CVE-2019-9020   7.5    6/18/2019     Yes     No
Sample list of vulnerabilities and exposures for PHP 5.1.2

The table above lists two of the CVEs found that are rated 10, require no authentication of any kind, and can be exploited remotely; these would be trivial to exploit. Three more, rated 7.5, would still be trivial, but there is potential remediation, which could make the attacker's skills curve nominally steeper. The CVE-2012-1873 exploit (not listed here) at this link could be used against this same version of PHP.
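The two defensive checks this section implies are (1) finding out what your own servers advertise, since Shodan only knows the PHP version because the server announces it, and (2) triaging a CVE list the way the table does, by score, remote exploitability and authentication requirement. The following Python is an added example written for this article, not code from the author or from SysRisk. The CVE rows are copied from the table above; the HTTP response headers are constructed sample input, and the "oldest supported PHP branch" used for the end-of-life check is an assumption to be adjusted to whatever PHP currently supports.

```python
import re
from dataclasses import dataclass

# CVE rows copied from the table in this article (PHP 5.1.2 sample):
# (CVE ID, score, publish date, remote, authentication required)
CVE_RECORDS = [
    ("CVE-2012-2688", 10.0, "7/20/2012", True, False),
    ("CVE-2012-2376", 10.0, "5/21/2012", True, False),
    ("CVE-2019-9641", 7.5, "3/8/2019", True, False),
    ("CVE-2019-9023", 7.5, "6/18/2019", True, False),
    ("CVE-2019-9021", 7.5, "6/18/2019", True, False),
    ("CVE-2019-9020", 7.5, "6/18/2019", True, False),
]

# Constructed sample responses: one server that exposes its PHP version
# and one that has been hardened so nothing about PHP is visible.
EXPOSED_HEADERS = """HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.2
Content-Type: text/html
"""

HARDENED_HEADERS = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
"""


@dataclass
class Cve:
    cve_id: str
    score: float
    published: str
    remote: bool
    auth_required: bool


def load_cves(rows):
    """Turn the flat table rows into Cve records."""
    return [Cve(*row) for row in rows]


def triage(cves, min_score=7.5):
    """Keep the CVEs that matter most to a defender: remotely exploitable,
    no authentication needed, and scored at or above min_score.
    Highest score first, then by CVE ID for a stable order."""
    hits = [c for c in cves
            if c.remote and not c.auth_required and c.score >= min_score]
    return sorted(hits, key=lambda c: (-c.score, c.cve_id))


PHP_VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)")


def php_version_from_headers(raw_headers):
    """Return the PHP version advertised in the X-Powered-By or Server
    header as a (major, minor, patch) tuple, or None if nothing is exposed.
    This is the same banner information Shodan indexes."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("x-powered-by", "server"):
            match = PHP_VERSION_RE.search(value)
            if match:
                return tuple(int(g) for g in match.groups())
    return None


def assess_banner(raw_headers, oldest_supported=(7, 2, 0)):
    """Summarise what an internet scanner would learn from these headers.
    oldest_supported is an assumption: set it to the oldest PHP branch
    that still receives security fixes at the time you run the check."""
    version = php_version_from_headers(raw_headers)
    result = {"version": version, "exposed": version is not None,
              "end_of_life": False, "advice": []}
    if version is None:
        return result
    # expose_php is the php.ini directive that controls the X-Powered-By header.
    result["advice"].append("set expose_php = Off in php.ini and keep PHP out of the Server header")
    if version < oldest_supported:
        result["end_of_life"] = True
        result["advice"].append("upgrade: this PHP branch no longer receives security fixes")
    return result


if __name__ == "__main__":
    for cve in triage(load_cves(CVE_RECORDS)):
        print(f"{cve.cve_id}  score={cve.score}  published={cve.published}")
    print(assess_banner(EXPOSED_HEADERS))
    print(assess_banner(HARDENED_HEADERS))
```

Run it against the header block you capture from your own web tier (for example with curl -I) rather than the constructed sample; if a version comes back, that is exactly what a scanner filtering by region and product would see.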

This takes us to the final subject of this article. Just as I went to shodan.io and searched for a certain vulnerability, then went to exploit databases and vulnerability reports to find an attack script, ransomware attackers do exactly the same thing when looking for their next target. A ransomware hacker is in it solely for the money, so target selection is more random. Let’s look at the following ransomware statistics:

  • Ransomware has become a popular form of attack in recent years growing 350% in 2018.
  • Ransomware detections are on the rise, with Ryuk detections up 543% over Q4 2018 since Ryuk monitoring started in May 2019.
  • In 2019 ransomware from phishing emails increased 109% over 2017.
  • 21% of ransomware involved social engineering vectors, such as phishing.
  • New ransomware variants grew 46% in 2019.
  • 68,000 new ransomware Trojans for mobile were detected in 2019.
  • Ransomware attacks increased 41% in 2019, with 205,000 businesses losing access to their files.
  • It’s estimated that a business will fall victim to a ransomware attack every 14 seconds.
  • From 2013 to 2016, the primary ransomware variants reported were CryptoLocker and CryptoWall.
  • In 2017 and 2018, that transitioned to WannaCry and SamSam.
  • In late 2018 and early 2019, the primary ransomware families have been GandCrab and Ryuk.

Ransomware is a real threat and has increased even more as a result of distributed workforces due to the COVID-19 pandemic. SysRisk offers red teaming, including phishing tests, vulnerability assessments, training, and consulting to effectively prevent ransomware from taking hold of your systems.
