Detecting zero day vulnerabilities with social media

Last week we picked up a significant increase in chatter about Joomla and SQL Injection attacks, as can be seen in Figure 1 below.

Figure 1 – Overall weekly cyber chatter

Drilling down into this information, as seen in Figure 2 below, shows that most of the chatter relates to the Joomla Store for K2 3.8.2 Component – SQL Injection Vulnerability. For details of this exploit please refer to www[.]

Figure 2 – Filtered chatter results

The chatter which we identified was collected from a mix of sources, some being media outlets and security blogs, while others were cyber threat actors posting about the vulnerability.

Interestingly, several threat actors were identified as leveraging the chatter around this vulnerability as a means of selling their own services. One of these can be seen in Figure 3 below.

Figure 3 – Threat actor post in Providence

This threat actor has been known to WorldStack for several years, so it was interesting to find him promoting his website where people can purchase exploits. While he uses the term Zero Day, it is unlikely that any of his exploits are actual zero day vulnerabilities. It is more likely he uses this term to grab people’s attention.

Figure 4 – Threat actor post and profile screenshots