What Powered Them?
Large-scale cyber intrusions increased during 2023, exploiting vulnerabilities in web applications and internet-facing software. Attackers favored this attack vector even more than phishing and other social engineering tactics. But why?
Attackers are using new technologies and tactics that take advantage of shortcomings in patch and vulnerability management processes. These tools allow them to find, initiate and execute intrusions at greater speed.
The Unit 42 Incident Response Report analyzed thousands of incidents to learn what tools and vulnerabilities attackers are focusing on. Read on to unpack the concerning trends of large-scale intrusions and empower your organization to fight back.
Notable Intrusion Campaigns
MOVEit: CVE-2023-34362
In one of the most infamous attacks of 2023, a critical zero-day vulnerability (CVE-2023-34362) was found in a widely used file transfer service for secure data exchange. The service is popular across highly regulated sectors, including critical infrastructure providers, healthcare institutions and government bodies. The impact was far-reaching, affecting over 2,600 organizations, and spread even to organizations whose vendors used the file transfer service.
A large number of systems containing this vulnerability were exposed to the internet. Researchers identified more than 3,000 before the vulnerability was disclosed and patched. The vulnerability was rated a critical 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) because it was easy to exploit and the data involved was often sensitive. Analysts attributed this attack to the CL0P ransom group, which indicates these file sharing services are targets for large cybergangs.
But file transfer services aren’t the only ones affected by software vulnerabilities.
Citrix Bleed: CVE-2023-4966
Another major attack vector in 2023 exploited a critical vulnerability in widely deployed remote access and virtual desktop appliances. This flaw allowed attackers, such as the ransomware group LockBit, to gain a foothold from which they could execute malicious tactics.
Our Incident Response (IR) and Managed Threat Hunting (MTH) teams observed ransomware groups exploiting Citrix Bleed. The MTH team has also observed remote executions from Netscaler gateways in association with the exploitation of this vulnerability.
Using this vulnerability, attackers bypassed security controls to hijack legitimate user sessions, gain unauthorized access to systems and steal credentials and other sensitive information. And with the widespread use of the remote access system across various industries (aerospace, banking, shipping logistics, etc.), the potential victim pool is vast.
Even with patches available from the vendor, this remote access tool is so widely used that many organizations are still suffering the consequences of the vulnerability.
SugarCRM: CVE-2023-22952
A third zero-day vulnerability exploited in 2023 was exposed in a popular customer relationship management (CRM) system. This vulnerability allowed attackers to bypass authentication altogether and execute malicious code directly on vulnerable servers. Not only that, the exploit code itself was publicly posted online, complete with instructions for finding similarly vulnerable servers.
The potential impact of an exploited CRM isn’t limited to the servers. CRM systems often house sensitive data, such as customer information, financial records and internal communications. In the wrong hands, it’s easy to see how attackers could use this data for extortion attempts, sell on the dark web, or simply use it to damage an organization’s reputation.
Palo Alto’s investigations into this exploit reveal a troubling trend. In many cases, attackers used the initial breach to gain access to cloud service accounts with far-reaching permissions. This demonstrates how one weak link in the security chain puts the entire environment at risk, leaving it open to cascading attacks.
Apache Log4j: CVE-2021-44228
One of the most widespread vulnerabilities in recent years was discovered in the Apache Log4j logging library, a common logging framework developed by a well-known open-source organization. This library plays a vital role across a wide range of industries. It records important information, like error messages and user actions, within various software programs, creating an audit trail of the program’s activity.
A critical vulnerability, first discovered in 2021, gave attackers a way to leverage this library for their gain by essentially granting them complete control of any system running an unpatched version of the logging library. Hackers need only inject malicious code into seemingly harmless places, like chat boxes and login forms, to gain access using this vulnerability, with no special permissions or authentication required.
Logging libraries often interact with various services within a system, making it easy to distribute malware rapidly and potentially compromise entire networks in a short time frame.
So why is a 2021 vulnerability on the 2023 top-five list? Because the library was embedded in so much software, the number of affected systems is so large that the U.S. Department of Homeland Security estimates it will take at least a decade to find and fix every vulnerable instance.
Oracle WebLogic: CVE-2020-14882
A Java-based enterprise application, used by more than 7,000 organizations globally, suffered similar attack campaigns in 2023. This time, the platform vulnerability resided in the administrative console – a fast track to significant impact, with the flaw allowing remote attackers access to the inner workings of the platform itself.
Due to the high level of privilege, attackers could seize complete control of applications running on the platform with ease. With one click, a hacker could gain unrestricted access to financial data, customer records and internal systems. This presented a scenario ripe for disruptions, data breaches and financial losses.
The situation was complicated because there were multiple vulnerable versions of the platform and the sheer number of deployments around the globe was daunting. While the company released patches as early as October 2020, the platform’s widespread adoption meant many organizations were still working with unpatched systems by 2023. Moreover, the vulnerability was relatively easy to exploit, requiring minimal technical expertise on the part of the attacker.
How Did This Happen?
Widespread impact is the goal of these exploitations. Attackers are looking for the fastest, most convenient method to access sensitive systems.
In previous years, social engineering tactics, like phishing, were the most common initial access vector. New technologies are shifting the landscape and changing the way threat actors approach their attacks.
- Automated scanners can scan huge swaths of the internet to identify devices with open ports and other vulnerabilities. By continuously monitoring web apps, databases, IoT devices and industrial control systems, hackers can quickly build a list of potential new vulnerabilities to exploit. Plus, machine learning models can analyze patterns in software code and predict potential weak points, making it easy to implement a targeted approach.
- Automated exploitation is becoming more common. Some groups go so far as to automate data theft itself. Once attackers compromise a system, automation can deploy backdoors, rootkits and other malware that make it harder to evict them. The Emotet malware family uses a technique called “thread hijacking,” where automated malware can use legitimate messages stolen from the infected computer’s email clients and impersonate a reply to the stolen email.
- Advanced evasion, powered by automation, allows attackers to use a variety of methods to obfuscate and disguise their scanning and intrusion attempts. Because it takes less time to access critical systems, attackers can spread their scan attempts out over a longer period to avoid raising alarms.
Social engineering casts a wide net and relies on human error to succeed. In 2023, automation boosted attackers’ abilities to find vulnerabilities that don’t require them to compromise an insider. Online black markets for stolen credentials lessened the need for attackers to directly phish credentials from staff members.
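The list above notes that attackers spread scan attempts over a longer period so that rate-based alarms never fire. As an added example, not part of the original report, the following Python runs a defender-side check over constructed firewall deny-log lines: a naive per-hour rate rule is compared with a long-window rule that counts distinct destination ports per source inside a 24-hour bucket. The log format, the IP addresses (documentation ranges) and the thresholds are all assumptions constructed for the example.

```python
"""Added example: spot a scan that is spread out over a long period.

Log format (constructed for this example, not a real product format):
    <timestamp>Z src=<ip> dst=<ip> dport=<port> action=<allow|deny>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def build_sample_log():
    """Constructed sample: a slow scanner, a noisy scanner and a normal client."""
    base = datetime(2023, 6, 1, 0, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Slow scanner: one new port every hour, so never more than one hit per hour.
    for h in range(24):
        ts = (base + timedelta(hours=h, minutes=7)).strftime(fmt)
        lines.append(f"{ts} src=203.0.113.7 dst=198.51.100.20 dport={8000 + h} action=deny")
    # Noisy scanner: 15 ports inside two minutes.
    for i in range(15):
        ts = (base + timedelta(hours=3, minutes=10, seconds=5 * i)).strftime(fmt)
        lines.append(f"{ts} src=203.0.113.9 dst=198.51.100.21 dport={20 + i} action=deny")
    # Legitimate client: repeated allowed HTTPS, must not be flagged.
    for h in range(6):
        ts = (base + timedelta(hours=2 * h, minutes=30)).strftime(fmt)
        lines.append(f"{ts} src=203.0.113.50 dst=198.51.100.22 dport=443 action=allow")
    return lines


def summarize_sources(lines, window=timedelta(hours=24)):
    """Per source IP, over denied traffic only:
    distinct_targets - distinct (dst, port) pairs inside one window-sized bucket
    peak_per_hour    - most denied events seen in any single clock hour
    """
    targets = defaultdict(set)
    hourly = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "deny":
            continue
        bucket = int(ev["ts"].timestamp() // window.total_seconds())
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        targets[(ev["src"], bucket)].add((ev["dst"], ev["dport"]))
        hourly[(ev["src"], hour)] += 1
    summary = {}
    for (src, _), pairs in targets.items():
        s = summary.setdefault(src, {"distinct_targets": 0, "peak_per_hour": 0})
        s["distinct_targets"] = max(s["distinct_targets"], len(pairs))
    for (src, _), n in hourly.items():
        summary[src]["peak_per_hour"] = max(summary[src]["peak_per_hour"], n)
    return summary


def classify(summary, min_targets=10, hourly_threshold=10):
    """Compare a burst-only rule with a long-window rule; both thresholds are assumptions."""
    burst = {s for s, v in summary.items() if v["peak_per_hour"] >= hourly_threshold}
    slow = {s for s, v in summary.items() if v["distinct_targets"] >= min_targets}
    return {
        "burst_rule": sorted(burst),
        "long_window_rule": sorted(slow),
        "missed_by_burst_rule": sorted(slow - burst),
    }


if __name__ == "__main__":
    result = classify(summarize_sources(build_sample_log()))
    for rule, sources in result.items():
        print(f"{rule}: {sources}")
```

On the constructed sample the burst rule catches only the noisy scanner, while the long-window rule catches both; the slow scanner is exactly the case the burst rule misses. In production the same idea is usually expressed as a SIEM aggregation with a long lookback rather than a script.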
Recommendations for Defenders — Discovery and Analysis
The key to preventing these intrusions lies in implementing a multi-layered defense, creating multiple hurdles for attackers to overcome before they can reach your sensitive data. The 2024 Unit 42 Attack Surface Threat Report found almost a third of newly discovered high and critical priority exposures stemmed from changes in attack surface… on average, more than 300 new services each month. Managing that much change is challenging.
Multi-Layered Security
Imagine each layer of security – endpoint controls, automation, network segmentation and multi-factor authentication – as a potential tripwire. The more layers you have in place, the more sensors there are to indicate malicious activity, and the greater the chance of disrupting an attack and regaining control sooner rather than later.
Interrupting attacks in their early stages is one of the ways Unit 42 has been successful in preventing them from escalating into full-blown ransomware situations. For example, data encryption typically occurs later in the attack lifecycle. The sooner and faster you can investigate suspicious activity, the better chance you have of mitigating potential damage.
Patch Management
Patching every vulnerability is a tall order for even the most seasoned and well-resourced security teams. Teams can reduce more risk with less effort by prioritizing the highest-risk vulnerabilities. The Cortex Xpanse platform uses machine learning models to continuously map your attack surface and prioritize remediation efforts. This helps reduce the median time to detect and the median time to respond without additional analysts.
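As an added illustration of risk-based prioritization (example code, not the report's method and not the Cortex Xpanse model), the following Python ranks a constructed finding list by combining the CVSS base score with internet exposure, known exploitation and asset sensitivity. The weights, hostnames and asset tiers are assumptions. The CVE identifiers are the ones named in this report; the 9.8 score for CVE-2023-34362 is the one the report cites, and the other scores are sample values to be checked against the NVD entry before reuse.

```python
"""Added example: rank vulnerability findings by risk, not by CVSS alone."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str             # hostname (assumption)
    cvss: float            # CVSS base score
    internet_facing: bool  # reachable by the automated scanners described above
    known_exploited: bool  # seen in active campaigns
    asset_tier: int        # 1 = most sensitive data ... 3 = low value
    patch_available: bool


# Weights are assumptions for the example; tune them to your environment.
EXPOSURE_BONUS = 2.0
EXPLOITED_BONUS = 3.0
TIER_BONUS = {1: 2.0, 2: 1.0, 3: 0.0}


def risk_score(f):
    """CVSS plus context: exposure, active exploitation and asset sensitivity."""
    score = f.cvss
    if f.internet_facing:
        score += EXPOSURE_BONUS
    if f.known_exploited:
        score += EXPLOITED_BONUS
    score += TIER_BONUS[f.asset_tier]
    return round(score, 1)


def prioritize(findings):
    """Highest risk first; the CVE id breaks ties so the order is deterministic."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve))


def remediation_plan(findings):
    """Ordered work list: patch where a fix exists, otherwise isolate or mitigate."""
    return [
        {"cve": f.cve, "asset": f.asset, "score": risk_score(f),
         "action": "patch now" if f.patch_available else "mitigate or isolate"}
        for f in prioritize(findings)
    ]


# Constructed sample inventory. CVE ids are those named in the report; 9.8 for
# CVE-2023-34362 is the score the report cites, the other scores are sample
# values (check NVD before reuse). Hostnames and tiers are assumptions, and
# "PLACEHOLDER-CVE" stands in for an unremarkable internal finding.
SAMPLE_FINDINGS = [
    Finding("CVE-2023-34362", "transfer-gw-01", 9.8, True, True, 1, True),
    Finding("CVE-2023-4966", "vpn-gw-02", 9.4, True, True, 1, True),
    Finding("CVE-2020-14882", "weblogic-admin-03", 9.8, True, True, 2, True),
    Finding("CVE-2021-44228", "internal-app-07", 10.0, False, True, 2, True),
    Finding("PLACEHOLDER-CVE", "dev-box-12", 5.3, False, False, 3, False),
]


if __name__ == "__main__":
    for item in remediation_plan(SAMPLE_FINDINGS):
        print(f"{item['score']:5.1f}  {item['cve']:16}  {item['asset']:18}  {item['action']}")
```

Note that the internal Log4j finding, despite the highest raw CVSS in the sample, ranks below the three internet-facing findings: the point of the context bonuses is that exposure and active exploitation, not the base score alone, decide what gets patched first.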
Consistent Coverage
Partial security coverage creates weak spots. Organizations with partial deployments of security controls, particularly endpoint detection and response, left portions of their network exposed. Attackers infiltrate these unguarded areas and establish a foothold, making it more difficult to oust them.
Improve your external and internal coverage with advanced scanning tools and services:
- Discover and catalog all your external-facing assets:
  - web applications
  - cloud storage solutions
  - APIs
- Use internal network discovery tools and asset inventory management practices to identify and categorize every device on your network (e.g., servers, workstations, individual devices).
- Implement endpoint solutions, like Cortex XDR, to continuously monitor and analyze activity across your environment, providing a holistic view of your security posture.
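The three steps above amount to a reconciliation between what is reachable from outside, what the asset inventory says you own, and where endpoint coverage actually exists. The following Python, added here as an example and not taken from the report or from any Cortex product, runs that reconciliation over a constructed external scan result, a constructed inventory and a constructed list of hosts reporting an endpoint agent; all hostnames, ports and field names are assumptions.

```python
"""Added example: reconcile external exposure, asset inventory and endpoint coverage."""

# All data below is constructed for the example; field names are assumptions.
EXTERNAL_SCAN = [  # what an outside scan sees: host, open port, service label
    {"host": "www.example.com", "port": 443, "service": "https"},
    {"host": "api.example.com", "port": 443, "service": "https"},
    {"host": "api.example.com", "port": 8080, "service": "http-alt"},      # not expected
    {"host": "files.example.com", "port": 443, "service": "https"},        # not in inventory
    {"host": "bucket-eu.example-cloud.test", "port": 443, "service": "object-storage"},
]

INVENTORY = [  # inventory view: host, type, owner, ports that are supposed to be exposed
    {"host": "www.example.com", "type": "server", "owner": "web-team", "expected_ports": {443}},
    {"host": "api.example.com", "type": "server", "owner": "platform", "expected_ports": {443}},
    {"host": "db-01.corp.example.com", "type": "server", "owner": "dba", "expected_ports": set()},
    {"host": "ws-0412.corp.example.com", "type": "workstation", "owner": "finance", "expected_ports": set()},
    {"host": "ws-0413.corp.example.com", "type": "workstation", "owner": "finance", "expected_ports": set()},
    {"host": "bucket-eu.example-cloud.test", "type": "cloud-storage", "owner": "data", "expected_ports": {443}},
]

# Hosts from which an endpoint agent has checked in (constructed).
EDR_AGENTS = {"www.example.com", "db-01.corp.example.com", "ws-0412.corp.example.com"}

# Asset types that are expected to run an endpoint agent.
ENDPOINT_TYPES = {"server", "workstation"}


def reconcile(external_scan, inventory, edr_agents):
    """Find unknown external hosts, unexpected exposed services and uncovered endpoints."""
    by_host = {a["host"]: a for a in inventory}
    # External hosts nobody has catalogued: the "partial coverage" weak spot.
    unknown_external = sorted({s["host"] for s in external_scan if s["host"] not in by_host})
    # Known hosts exposing a port the inventory does not expect.
    unexpected_services = sorted(
        (s["host"], s["port"]) for s in external_scan
        if s["host"] in by_host and s["port"] not in by_host[s["host"]]["expected_ports"]
    )
    # Servers and workstations with no endpoint agent reporting in.
    endpoints = [a["host"] for a in inventory if a["type"] in ENDPOINT_TYPES]
    missing_edr = sorted(h for h in endpoints if h not in edr_agents)
    covered = len(endpoints) - len(missing_edr)
    coverage = round(100.0 * covered / len(endpoints), 1) if endpoints else 100.0
    return {
        "unknown_external_hosts": unknown_external,
        "unexpected_services": unexpected_services,
        "endpoints_without_edr": missing_edr,
        "edr_coverage_pct": coverage,
    }


if __name__ == "__main__":
    for key, value in reconcile(EXTERNAL_SCAN, INVENTORY, EDR_AGENTS).items():
        print(f"{key}: {value}")
```

Each of the three result lists maps to one of the steps above: unknown external hosts feed the external catalog, unexpected services go to the asset owner, and endpoints without an agent are the coverage gaps that give an intruder an unguarded foothold.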
Use Analysis to Stay Ahead of the Curve
Knowing about vulnerabilities is just half the battle. Organizations must prioritize these threats based on the potential risk they pose, or risk overlooking critical threats in a haphazard approach.
Cortex Prisma Cloud provides risk-based vulnerability management, empowering you to focus resources on the most valuable issues. Combined with a robust XDR tool, discovery and analysis can equip security teams with the tools they need to combat increasingly sophisticated attackers.
Ready to Take the Next Step?
If you’re interested in learning how Prisma Cloud and Cortex XDR can set your team up for success, stay ahead of attackers, and proactively manage vulnerabilities, get in touch. Together, we can build a stronger defense against threats from the inside out.