Grafana path traversal vulnerabilities have been exploited prior to a broad campaign targeting server-side request forgery (SSRF) bugs in multiple popular platforms, threat intelligence firm GreyNoise reports.
As part of the coordinated exploitation of SSRF flaws, which spiked over the weekend, more than 400 IPs were observed targeting Zimbra, GitLab, DotNetNuke, VMware, ColumbiaSoft, Ivanti, BerriAI, and OpenBMCS products.
According to GreyNoise, many of the IPs used to launch the attacks have been targeting multiple SSRF vulnerabilities at the same time, suggesting the use of automation and a potential focus on pre-compromise intelligence gathering.
Most of the attacks have been targeting entities in the US, Germany, India, Japan, and Singapore, but last week GreyNoise observed a focus on Israel and the Netherlands.
In December, SSRF exploitation spiked against Australia, France, Taiwan, Hong Kong, Qatar, South Korea, and Slovakia, GreyNoise says.
The exploitation of SSRF vulnerabilities, the security firm notes, allows attackers to map internal networks, identify vulnerable services, and steal credentials for cloud services. GreyNoise pointed out that SSRF vulnerabilities played a major role in the 2019 Capital One breach, which impacted over 100 million people.
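The mitigation side of the paragraph above, as an added example that is not from GreyNoise or from any of the products named in the report: an outbound-URL gate for a hypothetical "fetch this URL" feature that refuses the destinations an SSRF payload typically aims at (the cloud instance-metadata address, loopback, RFC 1918, link-local and other non-public ranges). It resolves host names before deciding, so a name that points inward is caught as well as an IP literal. The `resolver` parameter is an assumption of this example, added so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical outbound-URL gate; everything here is constructed for the example.
# 169.254.169.254 is the link-local address the major cloud providers use for
# their instance-metadata service, the usual route to cloud credentials via SSRF.
METADATA_IP = ipaddress.ip_address("169.254.169.254")
ALLOWED_SCHEMES = {"http", "https"}


def _system_resolver(host):
    """Default resolver: every address (A and AAAA) the host name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_non_public_ip(addr):
    """True for metadata, loopback, RFC 1918, link-local, reserved, unspecified
    and multicast addresses. Unparseable input fails closed (treated as non-public)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    # ::ffff:10.0.0.1 is still 10.0.0.1 once a socket connects to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip == METADATA_IP or ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified or ip.is_multicast)


def check_outbound_url(url, resolver=_system_resolver):
    """Return (allowed, reason) for a user-supplied URL the server is asked to fetch."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname          # brackets already stripped for IPv6 literals
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)
        addrs = [host]              # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} has no addresses"
    # Every address the name maps to must be public; one internal record is enough to block.
    for addr in addrs:
        if is_non_public_ip(addr):
            return False, f"{host} -> {addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:10.0.0.1]/",
                      "file:///etc/passwd"):
        print(candidate, check_outbound_url(candidate))
```

Two caveats belong with a check like this: the address validated here must be the one the HTTP client actually connects to (pin the resolved IP, or re-check inside the connection hook), otherwise a DNS answer that changes between check and connect defeats it; and every redirect the fetch follows needs the same check on the new location.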
On Wednesday, the threat intelligence firm warned that it has observed “Grafana path traversal attempts preceding the coordinated SSRF surge”.
This, the company says, suggests that the attackers may be exploiting Grafana, an open source analytics and interactive visualization platform, for reconnaissance, identifying valuable targets within victims’ environments for further exploitation.
Previously, the exploitation of Grafana path traversal flaws enabled attackers to access configuration files and internal network information, GreyNoise says. However, no direct relationship between the two events has been found.
“While direct attribution is unclear, the timing suggests a multi-phase attack strategy, where attackers first map exposed infrastructure before escalating their attacks. [T]he pattern aligns with potentially more coordinated activity than initially reported,” GreyNoise notes.
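A defender's view of the two patterns the report describes (one IP probing several SSRF endpoints at once, and path traversal attempts preceding SSRF probes from the same source), as an added example that is not GreyNoise's tooling or data: a small access-log analysis that flags traversal and SSRF-style requests, then summarizes per source IP whether traversal came first and how many distinct SSRF endpoints were hit. The log lines, IPs, paths and timestamps are constructed for this example, and the pattern used to spot internal-looking URL parameters is a heuristic of this example, not a published signature.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample lines in Common Log Format. IPs come from documentation
# ranges; paths and timestamps are invented. None of this is GreyNoise data.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:03:14:01 +0000] "GET /public/plugins/clock-panel/../../../../etc/passwd HTTP/1.1" 200 1873
203.0.113.10 - - [10/Mar/2025:03:14:05 +0000] "GET /public/plugins/clock-panel/..%2F..%2F..%2F..%2Fconf/defaults.ini HTTP/1.1" 200 22011
203.0.113.10 - - [10/Mar/2025:04:02:17 +0000] "GET /proxy?url=http://169.254.169.254/latest/meta-data/iam/ HTTP/1.1" 500 0
203.0.113.10 - - [10/Mar/2025:04:02:19 +0000] "GET /fetch?target=http://127.0.0.1:8080/admin HTTP/1.1" 500 0
203.0.113.10 - - [10/Mar/2025:04:02:21 +0000] "GET /api/preview?u=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 500 0
198.51.100.7 - - [10/Mar/2025:04:10:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2025:04:10:03 +0000] "GET /api/preview?u=https://www.example.com/page HTTP/1.1" 200 3400
192.0.2.44 - - [10/Mar/2025:05:00:00 +0000] "GET /proxy?url=http://localhost/ HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic (constructed for this example): a URL-valued parameter pointing at
# loopback, RFC 1918, link-local (which covers the 169.254.169.254 metadata
# address), localhost, or an IPv6 loopback/IPv4-mapped literal.
INTERNAL_URL_RE = re.compile(
    r"^https?://(?:localhost|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}|\[::1\]|\[::ffff:[\d.]+\])(?::\d+)?(?:[/?#]|$)",
    re.IGNORECASE,
)


def classify(target):
    """Return the set of probe types ('traversal', 'ssrf') seen in one request target."""
    kinds = set()
    parsed = urlparse(target)
    decoded_path = unquote(unquote(parsed.path))      # catch single and double encoding
    if "../" in decoded_path or "..\\" in decoded_path:
        kinds.add("traversal")
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        if any(INTERNAL_URL_RE.match(unquote(v)) for v in values):
            kinds.add("ssrf")
    return kinds


def analyze_log(text):
    """Per-IP summary: counts, distinct SSRF endpoints hit, and whether traversal
    preceded SSRF (the multi-phase pattern GreyNoise describes)."""
    per_ip = defaultdict(lambda: {"traversal": [], "ssrf": [], "endpoints": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kinds = classify(m["target"])
        if not kinds:
            continue                                   # benign request, ignore
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = per_ip[m["ip"]]
        if "traversal" in kinds:
            rec["traversal"].append(ts)
        if "ssrf" in kinds:
            rec["ssrf"].append(ts)
            rec["endpoints"].add(urlparse(m["target"]).path)
    findings = {}
    for ip, rec in per_ip.items():
        first_trav = min(rec["traversal"]) if rec["traversal"] else None
        first_ssrf = min(rec["ssrf"]) if rec["ssrf"] else None
        findings[ip] = {
            "traversal_count": len(rec["traversal"]),
            "ssrf_count": len(rec["ssrf"]),
            "distinct_ssrf_endpoints": len(rec["endpoints"]),
            # Traversal seen before the first SSRF probe from the same source.
            "multi_phase": bool(first_trav and first_ssrf and first_trav < first_ssrf),
            # Several different SSRF-prone endpoints from one source suggests tooling.
            "automation_suspected": len(rec["endpoints"]) >= 2,
        }
    return findings


if __name__ == "__main__":
    for ip, summary in analyze_log(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed sample, 203.0.113.10 is the source that matches both indicators (two traversal attempts, then three different SSRF endpoints), while the host that previews a public page is not flagged at all. On real logs the regex should be widened to the host names and ranges that are internal in your own environment, and the per-IP view is more useful when joined across all exposed hosts, since the report's point is that the same sources touch many products.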