安全专家警告SSRF漏洞遭协同攻击,GreyNoise于3月9日观察到400多个IP同时针对10个SSRF漏洞发起攻击,主要影响美国、德国等国家。攻击者可能利用Grafana作为初始入口进行深入渗透。专家建议组织及时修补漏洞并加强监控。 2025-3-13 14:22:30 Author: securityaffairs.com(查看原文) 阅读量:25 收藏
Experts warn of a coordinated surge in the exploitation attempts of SSRF vulnerabilities
Researchers warn of a “coordinated surge” in the exploitation attempts of SSRF vulnerabilities in multiple platforms.
Threat intelligence firm GreyNoise observed Grafana path traversal exploitation attempts before the Server-Side Request Forgery (SSRF) surge on March 9, suggesting the attackers may be leveraging Grafana as an initial entry point for deeper exploitation.
The experts believe the attempts are the result of a coordinated attack, threat actors first scan exposed infrastructure before escalating their efforts. In past attacks, attackers exploited Grafana vulnerabilities to access configuration files and internal network details, reinforcing the possibility of reconnaissance-driven targeting.
“On March 9, GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms.” reads the advisory published by GreyNoise. “At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts. “
Most Server-Side Request Forgery exploitation attempts targeted entities in the United States, Germany, Singapore, India, Lithuania, Japan, and Israel.
The experts warn that attackers leverage SSRF for pivoting and reconnaissance and cloud exploitation.
GreyNoise observed a significant rise in SSRF exploitation on March 9, with around 400 unique IPs actively targeting 10 SSRF vulnerabilities. Many of these IPs are attempting to exploit multiple vulnerabilities simultaneously rather than targeting a single flaw. This pattern suggests an automation or pre-compromise reconnaissance, rather than typical botnet activity.
Below is the list of SSRF vulnerabilities being exploited in the attacks observed by the experts:
| Tag/CVE (Block Malicious IPs at Link) | Targeted Software |
|---|---|
| CVE-2020-7796 | Zimbra Collaboration Suite |
| CVE-2021-22214 | GitLab CE/EE |
| CVE-2021-39935 | GitLab CE/EE |
| CVE-2021-22175 | GitLab CE/EE |
| CVE-2017-0929 | DotNetNuke |
| CVE-2021-22054 | VMware Workspace ONE UEM |
| CVE-2021-21973 | VMware vCenter |
| CVE-2023-5830 | ColumbiaSoft DocumentLocator |
| CVE-2024-21893 | Ivanti Connect Secure |
| CVE-2024-6587 | BerriAI LiteLLM |
| (No CVE Assigned; See Right Link) | OpenBMCS 2.4 Authenticated SSRF Attempt |
| (No CVE Assigned; See Right Link) | Zimbra Collaboration Suite SSRF Attempt |
Organizations should promptly patch and secure affected systems, apply mitigations for targeted CVEs, and restrict outbound access to necessary endpoints. Additionally, they should monitor for suspicious outbound requests by setting up alerts for any unexpected activity.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Meta)
如有侵权请联系:admin#unsafe.sh