Beware of Fake/Malicious CVE PoCs

In recent years, sharing PoC exploits for known vulnerabilities has become very common, and it is easy to find several PoCs for vulnerabilities on GitHub. A research team from the Leiden Institute of Advanced Computer Science announced that they discovered thousands of repositories on GitHub that offer fake PoC exploits for multiple vulnerabilities.

The study covers vulnerabilities discovered between 2017 and 2021. For these vulnerabilities, the team analyzed 47313 repositories and found that 4893 of them were malicious. Threat actors used these repositories to spread malware. The researchers analyzed a total of 358277 IP addresses, of which 150734 were unique and 2864 were blacklisted.

One example of a fake PoC given by the team is for the CVE-2019-0708 vulnerability. As written in the document the team provided: “This repository was created by a user under the name Elkhazrajy. The source code contains a base64 line that once decoded will be running. It contains another Python script with a link to Pastebin28 that will be saved as a VBScript, then run by the first exec command. After investigating the VBScript we discovered that it contains the Houdini malware.”
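A way to triage a downloaded PoC for the layered layout described above without running it, as an added example that is not from the original post or the researchers' tooling. It parses the file with `ast`, flags execution sinks, decodes base64 string constants, and scans each decoded layer for URLs and further sinks. The sink list, thresholds and sample input are assumptions made for this illustration.

```python
import ast
import base64
import re

EXEC_NAMES = {"exec", "eval", "system", "popen", "Popen"}  # assumed sink list
B64_RE = re.compile(r"[A-Za-z0-9+/=\s]{24,}")  # long run of base64 alphabet
URL_RE = re.compile(r"https?://[^\s'\"\\)]+")

def try_b64(text):
    """Return decoded text if `text` is plausibly base64-encoded UTF-8, else None."""
    if not B64_RE.fullmatch(text):
        return None
    try:
        return base64.b64decode(text).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def scan_source(source, depth=0, max_depth=3):
    """Statically inspect source text; nothing in it is ever executed."""
    findings = [(depth, "url", u) for u in URL_RE.findall(source)]
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return findings  # layer is not Python (e.g. VBScript): keep URLs only
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in EXEC_NAMES:
                findings.append((depth, "exec-sink", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            raw = node.value
            text = raw.decode("ascii", "ignore") if isinstance(raw, bytes) else raw
            decoded = try_b64(text)
            if decoded is not None:
                findings.append((depth, "base64-blob", f"{len(text)} chars"))
                if depth < max_depth:  # bound recursion on nested encodings
                    findings += scan_source(decoded, depth + 1, max_depth)
    return findings

# Constructed, inert sample that mimics the layering only (not the real repository).
_INNER = 'url = "https://paste.example.invalid/raw/CONSTRUCTED"\nexec("print(url)")\n'
SAMPLE_POC = ('import base64\nexec(base64.b64decode("'
              + base64.b64encode(_INNER.encode()).decode() + '"))\n')

if __name__ == "__main__":
    for layer, kind, detail in scan_source(SAMPLE_POC):
        print(f"layer {layer}: {kind:12} {detail}")
```

An execution sink next to a base64 blob whose decoded layer contains a URL is the pattern worth escalating to manual review in an isolated environment; a clean result does not prove a PoC is safe.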

It seems that these fake PoCs will keep appearing for both newly discovered and legacy vulnerabilities. Even when PoCs are not malicious, they make exploitation accessible to the public, including less experienced attackers. So, as soon as a vulnerability is discovered, it is very likely to be exploited until it is patched. Because of this, security teams need to prioritize and patch critical vulnerabilities faster. This also shows the importance of using a professional intelligence service to prioritize vulnerabilities according to the organization's threat profile, as detected by that same intelligence service.
