Where RFI attacks fall in the security threat landscape

New research from Incapsula yielded a few interesting facts about RFI attacks. The data for the report was collected by monitoring billions of web sessions over a 6-month period. The RFI link’s lifespan information is based on a sampled data from a group of 1000 RFI links, which carry 226 different types of backdoor shells and shell variants.

All data was aggregated from a dedicated crowdsourced database, developed for ongoing research of RFI attacks and backdoor shell behavior.

RFI attack definition

Remote File Inclusion (RFI) attacks abuse user-input and file-validation vulnerabilities to upload a malicious payload from a remote location. With such shells an attacker’s goal is circumvent all security measures by gaining high-privileged access to website, web application and web hosting server controls.

Typically, RFI attacks are fairly simple processes. Initially, the attacker will use a scanner or search engine to identify vulnerable targets. Once detected, the targets will be compromised, either by the scanner itself or by an automated script, which will be used for a mass-scale attack – exploiting a group of similarly vulnerable targets. With the scanner (or script) an attacker will exploit a RFI vulnerability to upload a backdoor shell or “Dropper” – small single-function shell, used to upload the actual malicious payload.

With the backdoor in place the attacker can use it for the worst sorts of malicious activities. High-visibility RFI attacks will lead to defacement of the website and deletion of its content. However, the attackers is more likely to prefer the less-suspicious approach, turning a compromised website as a long-term resource used to distribute malware, steal visitor data and unwillingly participate in DDoS attacks.

RFI is an overlooked menace

RFI is no joke. Although often overlooked in favor of the more “popular flavors”- DDoS, Cross Site Scripting (XSS) and SQL injections – RFI attacks are more widespread than most assume. To put it in numbers, our study shows that RFI attacks are today’s most common security threat, accounting for more than 25% of all malicious sessions, far surpassing XSS (12%) and even exceeding SQLIs (23%).

The reason behind these numbers is obvious. With its relative ease of its execution and extremely high damage potential, RFI offers an attacker the best “return on investment” – providing a direct control over the target’s website and even the whole hosting server for almost no-effort.

Kept alive through negligence

Thankfully, for all their damage potential, RFI attacks are mostly zero-day threats – very dangerous in their early stage but also rapidly disarmed, as soon as they are discovered and patched.

However, not all RFIs die young. Our numbers show that even today, a healthy 58% of all scanners are still hunting for the good-old TimThumb exploit. From a security point of view, these are nothing more than naïve attempts to make use of a two-year old vulnerability, probably looking for unpatched WP sites or old WP templates that could be compromised to recruit new foot-soldiers for DDoS botnet armies.

Of course such outdated attacks pose very little threat to vigilant website owners. Still, even today, such relentless efforts eventually yield some successes. This should come as no surprise, as every security professional has at least one campfire story to tell about the disastrous results of security negligence.

Leveraging RFI links longevity

Discovered RFI attack vectors pose few challenges to most security experts, as they can be thwarted by simple signature-based techniques. But what about the next, yet undiscovered, RFI exploit?

This is the question that we are answering with our new reputation based techniques. To protect our clients from zero-day attacks we had to find a constant factor in an unpredictable RFI equation.

Going in, we had a pretty good hunch that the RFI link, which supply the malicious payloads, can provide the reliable constant we needed. Our data proved us to be correct. The research showed that – even when dealing with different attack vectors – the same RFI links were being re-used for multiple assaults on different targets. Moreover, we also found that the lifespan for most of these links averages over 60 days, making them perfect tell-tale signs of an RFI attack and great candidates for long-term intelligence gathering.

Zero-day is every day

With our new reputation-based rules, we are now using this information as a backbone for an effective early warning system, allowing us deal with the most extreme scenarios of absolutely unique zero-day threats. As we see it, zero-day is every-day and we have to be ready for it.