Back in August, Oliver Sild announced in Post Status Slack that Patchstack was opening up “additional data” to “enrich the vulnerability data” their service discloses, now “with [a] real-time IP feed of attackers who hit [Patchstack’s] virtual patches.”
Virtual patches are Patchstack’s quick interventions for customers’ sites when an official patch doesn’t exist yet for a newly disclosed vulnerability. In Oliver’s words, they are “security rules that protect from specific plugin/theme/core vulnerabilities.” So, if someone is actually hitting these virtual patches, it’s very likely they are trying to probe or exploit a vulnerability.
Since the large number of sites being protected by Patchstack’s virtual patches makes a very big (but impenetrable) attack surface for new vulnerabilities and zero-day attacks, it makes a perfect attack monitoring network — or possibly even a honeypot for attackers. The data Patchstack can get from hits to their patches “gives more context to all vulnerabilities.” In other words, they can see if a particular vulnerability is being targeted heavily — or not at all. Then they can prioritize the attention of their security network partners and “fight fearmongering (i.e low severity plugins that get to media, but we all know are not exploited).”
Oliver breaks down the details:
We create those virtual patches on a daily basis for all new security vulnerabilities that we add to the Patchstack Database and protect a very large number of sites globally. That gives us an accurate coverage of both small and big attack campaigns targeting WordPress sites and plugins, but more importantly — we are often able to identify the attackers and their new methods first. The cool thing is that since our virtual patches cause no false positives, the same quality applies to our IP threat feed.
This is cool indeed! WordPress security could go on the offensive with information like this and shut down attackers with the help of hosting partners.
Patchstack is going to publicly release the actual attack levels for each vulnerability in their database, “but for anyone who needs such data in bulk (to apply on their entire hosting infrastructure or to network firewalls), here’s some more information already: https://patchstack.com/for-hosts/”
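To make the idea concrete, here is an added Python sketch of the pipeline described above: virtual-patch hits aggregated into per-vulnerability attack levels (so a vulnerability nobody is probing shows up as zero), a time-windowed attacker IP feed built from those hits, and that feed matched against web server log lines the way a host might apply it in bulk. This is example code written for this page, not Patchstack’s code or their actual feed format; the event schema, vulnerability ids, IP addresses (RFC 5737 documentation ranges), the 24-hour window and the log lines are all constructed assumptions.

```python
"""Toy model of virtual-patch telemetry -> attack levels -> IP feed -> log matching.

Added example for illustration only; not Patchstack's code or data format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: each virtual-patch hit records when the rule fired,
# which vulnerability the rule protects against, and the client IP that hit it.
# Vulnerability ids are placeholders; IPs are from documentation ranges.
SAMPLE_HITS = [
    ("2023-09-01T10:00:00", "VULN-EXAMPLE-1", "203.0.113.10"),
    ("2023-09-01T10:00:05", "VULN-EXAMPLE-1", "203.0.113.10"),
    ("2023-09-01T10:02:00", "VULN-EXAMPLE-1", "198.51.100.7"),
    ("2023-09-01T11:30:00", "VULN-EXAMPLE-1", "192.0.2.44"),
    ("2023-09-01T12:00:00", "VULN-EXAMPLE-2", "198.51.100.7"),
    ("2023-08-20T09:00:00", "VULN-EXAMPLE-2", "192.0.2.99"),
]
# Vulnerabilities in the (hypothetical) database; the third one never triggers a patch.
KNOWN_VULNS = ["VULN-EXAMPLE-1", "VULN-EXAMPLE-2", "VULN-EXAMPLE-3"]
# Constructed "now" so the windowed feed is reproducible.
REFERENCE_NOW = "2023-09-01T12:30:00"
# Constructed combined-format access log lines (client IP is the first field).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Sep/2023:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.7 - - [01/Sep/2023:12:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 0',
    '192.0.2.200 - - [01/Sep/2023:12:02:00 +0000] "GET / HTTP/1.1" 200 5000',
]


def parse_hits(rows):
    """Turn (iso timestamp, vuln id, ip) tuples into (datetime, vuln id, ip)."""
    return [(datetime.fromisoformat(ts), vuln, ip) for ts, vuln, ip in rows]


def attack_levels(hits, known_vulns):
    """Per vulnerability: total hits and distinct source IPs.

    Vulnerabilities with no hits are reported explicitly with zeros, which is
    the signal that lets a "low severity but in the news" bug be deprioritised.
    """
    hits_per = defaultdict(int)
    ips_per = defaultdict(set)
    for _, vuln, ip in hits:
        hits_per[vuln] += 1
        ips_per[vuln].add(ip)
    return {v: {"hits": hits_per[v], "unique_ips": len(ips_per[v])} for v in known_vulns}


def prioritize(levels):
    """Order vulnerabilities by distinct attackers, then raw hits (assumed heuristic)."""
    return sorted(levels, key=lambda v: (levels[v]["unique_ips"], levels[v]["hits"]), reverse=True)


def recent_attacker_ips(hits, now_iso=REFERENCE_NOW, window_hours=24):
    """Build an attacker IP feed from hits inside the window, most recently seen first.

    Because a virtual patch only fires on a request shaped like the exploit,
    every IP here hit a known-bad pattern; the window keeps the feed from growing forever.
    """
    now = datetime.fromisoformat(now_iso)
    since = now - timedelta(hours=window_hours)
    last_seen = {}
    for ts, _, ip in hits:
        if since <= ts <= now:
            last_seen[ip] = max(last_seen.get(ip, ts), ts)
    return sorted(last_seen, key=last_seen.get, reverse=True)


def flag_log_lines(log_lines, feed):
    """Return access-log lines whose client IP appears in the feed."""
    feed_set = set(feed)
    return [line for line in log_lines if line.split(" ", 1)[0] in feed_set]


def summarize(rows=SAMPLE_HITS, log_lines=SAMPLE_LOG):
    """Run the whole pipeline on the constructed sample and return the results."""
    hits = parse_hits(rows)
    levels = attack_levels(hits, KNOWN_VULNS)
    feed = recent_attacker_ips(hits)
    return {
        "levels": levels,
        "priority": prioritize(levels),
        "feed": feed,
        "flagged": flag_log_lines(log_lines, feed),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

The per-vulnerability counts are what the post calls “attack levels”; the distinct-IP count matters more than raw hits because one noisy scanner can otherwise make a bug look heavily targeted. The windowed feed is the bulk artifact a host would push into a firewall or log-matching job.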