In the first quarter of 2021, several high-severity vulnerabilities served as the conduit for malicious campaigns: malware and ransomware operators, nation-state actors targeting software suppliers for supply chain attacks, and the continued targeting of virtual private network (VPN) devices. As our vulnerability roundup shows, the first quarter of 2021 continued at the tempo set at the end of 2020.

The fallout for many of the incidents observed is yet to be determined, with ongoing investigations likely to uncover further details surrounding the source and motivations of the responsible attackers. As teams work to monitor and protect their attack surface, we looked at the top five events and trends emerging in the vulnerability landscape today.

A Rise in Remote Code Execution (RCE)

Remote code execution (RCE) vulnerabilities remain the most commonly exploited type of vulnerability, a trend also observed in Q4 2020. This is likely because of the range of malicious activities an actor can conduct once this kind of bug has been exploited.

Q1 2021 Vulnerabilities by Type

VPN Still a Common Entry Point for Threat Actors

A joint advisory from the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) released on 15 April 21 highlighted five vulnerabilities that Russia-affiliated actors were actively exploiting. The advisory was released at a time of increased tension between the U.S. and Russia, following the attribution of the SolarWinds supply chain attacks to Russian actors and a recent buildup of Russian forces on the border with Ukraine.

Within the five vulnerabilities specified in the advisory were two bugs affecting popular VPN software (CVE-2018-13379, CVE-2019-11510) in addition to vulnerabilities affecting collaboration, virtualization, and remote working software. Both issues are two years old and have been patched, yet threat actors are still successfully identifying and exploiting VPN devices to provide an entry point on networks of choice.

Attribution for this activity has not been provided at this time. Previous attacks that used VPN devices as the point of initial entry have been attributed to several capable nation-state actors, including the People’s Republic of China (PRC) and Iran. Easily identifiable and exploitable infrastructure will always attract threat actors looking for a way onto their network of choice. Any public-facing infrastructure must be patched with the highest priority. Targeted attacks against susceptible VPN devices will almost certainly continue for the remainder of 2021, particularly with large numbers of employees continuing to work from home.

Internet of Things (IoT) Devices Remain Susceptible

While on the topic of older vulnerabilities, let’s not forget about CVE-2014-8361. This vulnerability in Realtek-based routers allows arbitrary code execution and was exploited by the ZHTrap malware during the reporting period. ZHTrap is a fairly rudimentary botnet with one interesting capability: it turns infected devices into honeypots to collect the IP addresses of other susceptible devices, which the malware can then target in turn.

While this appears to be another run-of-the-mill internet of things (IoT) issue (and let’s be honest, there is no shortage of those), what was interesting was the date the vulnerability was first identified. The issue has existed for over seven years and has been abused by several other malware families, including Gafgyt, Hajime, and Echobot, all variants of the infamous Mirai botnet from 2016. Despite the vulnerability’s age and its repeated use in live attacks, IoT devices are still being targeted and remain available for exploitation.

The rate of IoT device exploitation highlights either ignorance of the risk associated with such devices or, alternatively, that users of such devices do not care that their DVR, webcam, or home router is being used within a botnet. I think it’s most likely a combination of the two.

The IoT market is slated to grow even further in the coming years, with growing opportunities for internet-connected devices in both the home and business. With the producers of such devices unlikely to make demonstrable changes to improve the security of their products, greater education for individual users may be the best option to reduce the risk posed by IoT.

ProxyLogon Impacts Thousands Globally

When looking back at the last quarter from a vulnerability perspective, the obvious place to start is the discovery and subsequent exploitation of four zero-day vulnerabilities affecting Microsoft Exchange. To successfully conduct the attack, threat actors need to reach an on-premises Exchange Server on port 443 before chaining the vulnerabilities. These are tracked under the following designations: CVE-2021-26155, a server-side request forgery (SSRF) vulnerability; CVE-2021-26857, a deserialization vulnerability; and CVE-2021-26858 and CVE-2021-27065, both post-authentication arbitrary file write vulnerabilities. The term “ProxyLogon” technically refers to CVE-2021-26155, but the process of chaining these four bugs is commonly referred to as ProxyLogon by many in the security community.

Microsoft initially disclosed these issues on 02 March 21, after a China-based advanced persistent threat (APT) group named HAFNIUM was found to be exploiting the vulnerabilities to access on-premises Exchange servers, steal emails, and deploy malware. The attacks have had an enormous impact, with tens of thousands of servers likely targeted by intrusions using the vulnerabilities. In early March, security researchers suggested that at least 10 APTs had been involved in this activity.

Ransomware operators, including the DearCry and BlackKingdom variants, have also seized the opportunity presented by ProxyLogon to access targeted networks and conduct their campaigns.

Many a threat actor joined in on the Microsoft Exchange exploit

Microsoft’s response was relatively swift: it released an out-of-band update to address the four vulnerabilities, although this was issued only after threat actors had already exploited them against several targets. Microsoft also released a one-click mitigation tool intended to help IT teams short on staff remediate the vulnerabilities. The tool does not replace the patch, but it does mitigate some of the risk from ProxyLogon while the patch is being rolled out. The response to Microsoft’s remediation options has been positive, and as of late March, around 92% of susceptible Exchange servers were believed to have been updated.

Microsoft reporting indicating approximately 30,000 servers remain unpatched on March 22

Earlier this week, the US Justice Department executed a court-authorized operation to copy and remove malicious web shells, placed through ProxyLogon exploitation, from hundreds of vulnerable computers in the US. The order essentially gives the FBI the authority to interfere with a private company’s infrastructure and take proactive action to remove malware. While it was reported that companies would be contacted via an official FBI email beforehand, it appears that many were not informed of the FBI’s actions before the web shells were removed.

There are several immediate implications of this court order. First, the civil and privacy concerns of the affected companies: what if the FBI’s actions result in disruption or cause an outage of some kind? Who would be liable for those costs? Second, despite the remediation effort, if a system remains unpatched the web shells could simply return, rendering the FBI’s action ultimately pointless. Third, actors conducting social engineering could masquerade as the FBI via an “official” email.

Ultimately, this sets a tricky precedent for the FBI and the role of government in notifying and advising companies on how to tackle cyber threats. Could similar court orders and actions become commonplace after other impactful incidents? Only time will tell.

“Smeltdown” Returns to the Spotlight

Q1 also saw working proof-of-concept (PoC) code for the Spectre/Meltdown vulnerabilities identified almost by chance on VirusTotal. These widespread hardware problems were initially discovered in 2018, are believed to affect practically every major CPU vendor, and can lead to data leakage if exploited. The bugs, affectionately known as ‘Smeltdown’ by many in the security community, generated a massive amount of media coverage, which in turn contributed to rushed and botched remediation from several CPU vendors.

Paradoxically, many of the updates released to address the bugs introduced bigger, more impactful vulnerabilities or caused a significant performance hit. The vulnerabilities themselves were highly unlikely to be exploited because of the technical demands placed on any actor looking to use them in live attacks. There have been no examples of in-the-wild attacks against companies in the three years since the vulnerabilities were disclosed.

Taking a Risk Based Approach to Vulnerability Remediation 

There will never be a ‘perfect’ method of vulnerability remediation, and if it feels like you’re constantly playing catch-up, that feeling is commonplace across many companies. Whatever resources or headcount you have at your disposal, the best way to address vulnerabilities is a risk-based approach: a process that reduces vulnerabilities across your attack surface by prioritizing remediation according to the risk each one poses to your organization.

Threat actors will always take the path of least resistance, leveraging the vulnerabilities that are easiest to exploit for the most significant gain. While addressing older and less impactful bugs is important, focus should first be placed on easily identifiable vulnerabilities that are simple to exploit and offer the greatest impact. The VPN bugs mentioned earlier and the Microsoft Exchange vulnerabilities would be an excellent place to start.

You can investigate vulnerabilities, such as ProxyLogon pictured below, and confidently assess the risk they pose to your organization in SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with a demo request here. Instantly see a risk score for the vulnerability based on several risk factors in addition to the CVSS score, threat actor and event associations, and added context and analysis from our global team of analysts at Photon Research.

A ProxyLogon investigation in ShadowSearch