In 2024, Red Canary tracked vulnerabilities in software such as Fortinet FortiClient EMS, ScreenConnect, and various VPN products.
Software vulnerabilities continually rank among the top vectors leveraged by adversaries for initial access in particular, but Red Canary has observed the use of exploits throughout the attack lifecycle.
An appreciation for where and how adversaries exploit vulnerabilities is critical not only for detection and response, but to impress upon organizations the need to identify and remediate known exploited vulnerabilities in a timely fashion.
The Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerability Catalog grew by approximately 25 percent in 2024. But more importantly, even patched vulnerabilities continue to be leveraged successfully by adversaries for not merely weeks or months, but often for years. This is made all the more problematic when many of the most widely exploited vulnerabilities—particularly those used to gain initial access to organizations by ransomware groups—are in publicly exposed security controls, such as virtual private network (VPN) gateways, firewalls, and other important edge devices.
Red Canary called our customers’ attention to several specific vulnerabilities in 2024:
A vulnerability in the Fortinet FortiClient EMS application allows unauthenticated users to execute SYSTEM-level code and commands via specially crafted messages. The underlying flaw is a SQL injection, which enables adversaries to execute arbitrary commands with SYSTEM-level permissions. Adversaries have exploited this vulnerability to install unauthorized remote management and monitoring (RMM) tools and PowerShell backdoors.
We observed adversaries exploiting this CVE for initial access, using PowerShell’s Invoke-WebRequest cmdlet to download additional tools and establish a beachhead on the exploited device. These tools ranged from .msi installers that would install the RMMs Atera or ScreenConnect, to Metasploit’s powerfun PowerShell backdoor. After establishing a beachhead, adversaries would create a new account with administrator privileges and use PowerShell Empire.
Critical vulnerabilities in ConnectWise’s ScreenConnect (RMM) software were disclosed on February 19, 2024, and within days we observed active exploitation, with adversaries leveraging ScreenConnect for both initial access and lateral movement. This was particularly impactful, as successful exploitation of ScreenConnect was typically followed by deployment of Cobalt Strike, other legitimate RMM tools, and additional malware for lateral movement after initial exploitation.
In at least one instance, we observed an adversary using bitsadmin.exe to download an unknown payload. In another instance, an adversary executed a malicious JScript file that was uploaded to the host via the ScreenConnect file transfer functionality.
Evidence of exploitation can be discovered by understanding and detecting known post-exploitation techniques, and tracing them back to their origin. As an example, researchers have discovered instances of ScreenConnect exploitation by monitoring adversary abuse of certutil.exe, a Windows command-line utility that is used to display certification authority (CA) configuration information, configure Certificate Services, and back up and restore CA components. Adversaries most often use it for Ingress Tool Transfer, downloading additional payloads to further their progress.
Red Canary has observed ransomware operators leveraging VPNs for initial access and to facilitate further access within organizations. These vulnerabilities are not specific to one CVE, but encompass a wider issue of VPN software being targeted by threat actors. We highlighted Storm-0844, which has ties to Akira and FOG ransomware, in our September 2024 Intelligence Insights. We have since issued several additional customer bulletins related to abuse of VPN and other edge devices, which we will share in the Take action section below.
Since vulnerabilities vary widely in terms of the software they affect and the actions they might allow upon exploitation, there’s no single piece of guidance for preventing, mitigating, or responding to them. The easy (but unhelpful) advice is to patch early and often, but that’s easier said than done. However, organizations should monitor CISA’s Known Exploited Vulnerabilities Catalog to prioritize patching or otherwise mitigating vulnerabilities that are known to be under active exploitation. High severity, remotely exploitable bugs warrant patching as well.
We’ve advised customers to take the following steps to reduce risk associated with VPN exploitation:
Post-exploitation activity often stems from the exploited process. As such, looking for processes of external-facing applications conducting unknown or just plain weird activity could aid in detecting intrusion activity caused by an exploit. An example of this would be looking for parent-child process relationships of w3wp and cmd or powershell, as has been observed with various Microsoft Exchange vulnerabilities.
process == w3wp.exe && child_process == ('cmd.exe' || 'powershell.exe')
Another example of this would be detecting instances of sqlservr.exe using cmd.exe to spawn a PowerShell process with subsequent network connection, as was the case with observed exploitation of CVE-2023-48788.
parent_process == sqlservr.exe && process == cmd.exe && child_process == powershell.exe && has_network_connection
Following typical post-exploitation methodologies, we observed adversaries using various well-known methods to pull additional tools into a compromised environment to further their intrusion. This creates many detection opportunities for post-exploitation activity:
Editor’s note: One of the more enduring adversary techniques, this same detection opportunity has appeared multiple times in Red Canary’s public research and Threat Detection Reports since 2022.
Adversaries often use certutil.exe to download payloads during exploitation because it’s included with all Windows systems by default. It’s also pretty easy to detect downloads using the tool.
process == certutil.exe && command_includes ('urlcache' && 'split' && '-f')
Likewise, adversaries also use bitsadmin to download additional tools on a host to further their intrusion.
process == bitsadmin.exe && command_includes ('download' || 'transfer')
process == powershell.exe && command_includes ('downloadstring' || 'downloaddata' || 'downloadfile' || 'iex' || '.invoke' || 'invoke-expression' || 'invoke-webrequest')
Note: The remaining detection opportunities were originally included in the 2022 Threat Detection Report but we’re including them here because adversaries may still exploit them when possible.
ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
In March 2021, Microsoft released details of four Exchange Server vulnerabilities collectively known as “ProxyLogon.” If chained together, the vulnerabilities would allow an adversary remote code execution on a targeted Exchange server. Multiple adversaries, including the suspected Chinese state-sponsored group HAFNIUM, used the vulnerability chain to drop web shells and collect data from thousands of Exchange servers. Other adversaries used the DearCry ransomware to target unpatched servers as well. Microsoft released patches for these vulnerabilities at the time of initial reporting.
Adversaries exploited ProxyLogon to drop web shells on vulnerable systems, which manifested through the msexchangemailboxreplication.exe service writing an ASPX file to disk. Malicious web shells will likely be placed on the web server in a web-accessible directory. The following analytic looks for the Exchange mailbox replication service creating ASPX files.
process == 'msexchangemailboxreplication.exe' && filemod_extension == '.aspx'
ProxyShell (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473)
In July of 2021, Microsoft released details of three new vulnerabilities in Exchange Server, which were dubbed “ProxyShell.” ProxyShell exploitation allows an adversary to remotely execute code without authentication. Following exploitation, adversaries dropped web shells to conduct reconnaissance, move laterally, and in some instances, deploy ransomware. Where ProxyLogon seemed to have a high impact over a short period of time, ProxyShell seemed to persist longer. Detecting ProxyShell exploitation is similar to ProxyLogon mentioned above, specifically msexchangemailboxreplication.exe writing an ASPX web shell to disk.
PrintNightmare (CVE-2021-34527)
Also in July of 2021, security researchers and Microsoft released details of a new vulnerability dubbed “PrintNightmare” (CVE-2021-34527). PrintNightmare permits an unprivileged user to remotely obtain elevated privileges on any system running the print spooler service, which is enabled by default. It abuses a vulnerability in how the print spooler service fails to properly authenticate users attempting to load a printer driver dynamic link library (DLL). This zero day affected all editions of Windows, allowing code execution with local SYSTEM-level privileges.
Though the vulnerability was concerning, there were not many reported campaigns exploiting it. That said, ransomware operators such as Vice Society and Magniber have exploited the vulnerability to gain initial access, and therefore it’s worth looking out for. We observed a single malicious instance of PrintNightmare exploitation leading to precursor ransomware behaviors.
Print spooler service spawning cmd.exe
PrintNightmare exploitation results in a shell being opened on the targeted system as a child process of the spooler service. This detection analytic identifies the Windows print spooler service spawning a shell on the system.
parent_process == spoolsv.exe && process == cmd.exe
Kaseya VSA (CVE-2021-30116)
Again in July 2021, adversaries leveraged multiple vulnerabilities in Kaseya Virtual Systems Administrator (VSA) to distribute Sodinokibi ransomware, also known as REvil. VSA allows IT administrators to remotely administer endpoints. By compromising this software, an adversary gains remote execution capability to a large subset of customer endpoints, especially if Kaseya is operated by a managed service provider (MSP).
Red Canary detected the initial behavioral activity using a preexisting analytic for identifying certutil.exe decoding content, as detailed below. Our Intelligence team had tracked Sodinokibi prior to this, which helped us identify the malicious registry modification of blacklivesmatter seen below and attribute it to Sodinokibi.
certutil.exe decoding content
This detection analytic will detect certutil.exe running with the -decode option. Adversaries frequently leverage certutil to decode Base64-encoded content.
process == certutil.exe && command_includes ('decode')
ManageEngine products (CVE-2021-40539, CVE-2021-44077, CVE-2021-44515)
In November and December of 2021, we observed likely exploitation of remote code execution vulnerabilities in two different Zoho ManageEngine products: ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077). In one case, an incident response partner determined that ADSelfService Plus was used for initial access prior to deploying ransomware. The FBI noted that advanced adversaries exploited a vulnerability in a third ManageEngine product, Desktop Central. ManageEngine products are widely used among IT departments to manage various services across the enterprise. As such, this presents adversaries with a wide attack surface. Organizations using ManageEngine products in their environment should update accordingly. Patches for all the vulnerabilities listed here are available via ManageEngine.
Keytool.exe spawning system shell or PowerShell
For the vulnerability in ADSelfService Plus (CVE-2021-40539), we observed adversaries use the Java utility Keytool to move a web shell from the initial directory it was dropped into. As such, keytool.exe spawning shells should be investigated, and the following detection analytic should surface related activity.
parent_process == keytool.exe && process == ('cmd.exe' || 'powershell.exe')