With the rise of daisy-chained cyberattacks, security teams must consider the contextual risk of each vulnerability, including its potential to be leveraged in a full system compromise.
Faced with limited time and resources, every security team must prioritize threats. Vulnerabilities that are rated lower in severity might be tabled to fix later; however, with the explosion of critical vulnerabilities, “later” usually means “never.” More often than not, medium and low-risk vulnerabilities, and even certain high and critical severity ones, end up having long lives in organizations’ environments.[1] These unpatched vulnerabilities are all an attacker needs to not only gain access but escalate privileges and move laterally, triggering a much more serious breach of the system.
In this post, we look at the risks of these increasingly common exploit chains, and the importance of alternative frameworks such as MITRE ATT&CK in assessing the situational risk associated with vulnerabilities. This approach can help security teams prioritize, for example, a local vulnerability that might have been overlooked but has the potential to allow an attacker to breach an entire environment when combined with a code execution vulnerability. The severity of any given vulnerability is no longer an independent measure and should be interpreted based on the context of the environment in question.
Daisy-chain maneuvers in the wild
For years, advanced persistent threat (APT) groups and skilled attackers have translated obscure and lower-risk vulnerabilities into devastating attacks, proving that security flaws rated as lower risk by the Common Vulnerability Scoring System (CVSS) can become enterprise-critical exposures. There are a number of examples of these “daisy-chained” attacks. Typically, they involve a sequence of initial compromise and privilege escalation vulnerabilities, but they might also exploit a simpler combination of information leakage flaws.[2] Defenders are often in the dark about these potential attack vectors, and an alternative prioritization view based on threat reports and adversaries’ activity has become essential.
This isn’t a new trend. Over the last few months, Tenable has published multiple blog posts analyzing recent FBI and CISA (Cybersecurity & Infrastructure Security Agency) alerts regarding nation-state groups[3] and APT actors[4] chaining together vulnerabilities against a number of government agencies and U.S.-based networks. In 2019, an FBI Flash Briefing[5] listed a dozen vulnerabilities, including low and medium severity flaws (mainly information disclosure vulnerabilities), used by a Chinese APT actor referred to as “APT10,” targeting governments and cloud computing providers both in the U.S. and abroad.
A number of threat intelligence platforms continue to report on APT groups and malware campaigns that daisy-chain vulnerabilities and weaknesses against their targets. In Table 1, we present a few examples of CVEs (including low and medium severity vulnerabilities) that were leveraged in a vulnerability chain to fully compromise targeted systems. Note that traditional CVSS severity scores provide an incomplete view of risk. Any given vulnerability can play a major role along the attack chain, and this information should be factored in so that important vulnerabilities are not overlooked.
Table 1. Examples of vulnerabilities leveraged in full system compromise.
Adversary or Attack | Vulnerabilities: Low and medium severity CVEs are underlined, as defined by CVSS v2.0 or v3.0 |
---|---|
APT33 (Shamoon) | CVE-2017-11774, CVE-2017-0213 |
APT28 | CVE-2015-4902, CVE-2017-0262, CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 |
Zealot campaign | CVE-2017-9822, CVE-2017-5638, CVE-2017-0144 |
APT10 | CVE-2018-8477, CVE-2018-8514, CVE-2018-8580, CVE-2018-8595, CVE-2018-8596, CVE-2018-8598, CVE-2018-8621, CVE-2018-8622, CVE-2018-8627, CVE-2018-8637, CVE-2018-8638, CVE-2018-8174, CVE-2017-1182, CVE-2018-8477, CVE-2018-8616, CVE-2018-8373, CVE-2017-8759, CVE-2017-0199 |
Cryptomining campaign | CVE-2017-10271, CVE-2017-0144 |
APT1 | CVE-2020-11023, CVE-2019-11358, CVE-2020-11022, CVE-2015-9251 |
APT29 | CVE-2019-17026, CVE-2018-13379, CVE-2020-0674, CVE-2019-9670, CVE-2019-19781, CVE-2019-11510 |
The MITRE ATT&CK view
MITRE ATT&CK[6] is a knowledge base and framework that has emerged as one of the key resources for security teams in their efforts to defend against threats and threat actors. The Tactics, Techniques, and Procedures (TTPs) documented in the ATT&CK Matrix have been hugely important in both offensive and defensive planning, including visualizing and assessing potential attack vectors and defensive coverage.
From a vulnerability management perspective, the lack of technical and exploitation details for any given vulnerability has long been a major roadblock to effective prioritization. Part of the problem has been the misinterpretation and misuse of CVSS as a metric to drive prioritization, even though it was originally designed to describe the technical nature of vulnerabilities. A threat modeling approach to vulnerability management is necessary to take into account the threat landscape, and the context of vulnerabilities and target environments.
Tenable's Vulnerability Priority Rating (VPR) combines vulnerability and threat intelligence data to predict the likelihood of exploitation and deduce a remediation priority rating for each vulnerability. The MITRE ATT&CK mapping complements this work by detailing the tactics and techniques associated with vulnerabilities for better visibility into possible attack scenarios and mitigation priorities.
We believe MITRE ATT&CK can play a major prioritization role in allowing security teams to map their vulnerabilities onto possible attack vectors or TTPs and understand the methods adversaries could use along the attack chain that leverage those vulnerabilities. It answers the question of how a vulnerability could be leveraged to breach your system. This is key to enabling defenders to turn raw vulnerability data into a more efficient and focused prioritization and mitigation effort, including in the context of the security controls that are in place. At Tenable, we have developed this capability to help customers in their prioritization efforts, work that is detailed further in our Edge Week 2020 presentation, “Mapping CVE to MITRE.”
Case study: Mapping the Shamoon Attack
One recent daisy-chained attack that leveraged lower severity CVEs was called Shamoon.[7] It leveraged CVE-2017-0213 in a vulnerability chain to escalate privileges. Despite this risk, the vulnerability has low and medium ratings in CVSS v2.0 and CVSS v3.0, respectively. Shamoon also leveraged CVE-2017-11774, which has a medium and high rating in CVSS v2.0 and CVSS v3.0, respectively.
Table 2 displays the mapping associated with the Shamoon attack. The mapping shows that CVE-2017-11774 can be exploited for code and user execution. It also shows that the vulnerability leverages PowerShell and mentions malware families that have previously used it. The same applies to CVE-2017-0213, which allows for privilege escalation and lateral movement. This means that the combination can be devastating if no action is taken.
From a prioritization standpoint, the MITRE ATT&CK mapping shows that defenders should pay more attention to assets with this combination of vulnerabilities, while taking into account their existing countermeasures and controls. Using this mapping, defenders can better identify realistic attack paths against assets and throughout their environment, and focus mitigation efforts on areas of most significant risk.
Table 2. Examples of MITRE ATT&CK mapping.
Shamoon vulnerabilities MITRE ATT&CK mapping

```json
{
  "mitre": {
    "attack_vectors": [
      { "vector_name": "Malicious code", "vector_type": "AttackVector" },
      { "vector_name": "Cyber spying", "vector_type": "AttackVector" },
      { "vector_name": "Botnet", "vector_type": "MalwareCategory" },
      { "vector_name": "Shamoon Wiper", "vector_type": "Malware" },
      { "vector_name": "Silex", "vector_type": "Malware" },
      { "vector_name": "Powershell Attack", "vector_type": "AttackVector" }
    ],
    "cve": "CVE-2017-11774",
    "mitre_mappings": [
      {
        "tactic_id": "TA0002",
        "tactic_name": "Execution",
        "technique_data_source": [ "Process monitoring", "Process command-line parameters", "Anti-virus" ],
        "technique_detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
        "technique_id": "T1204",
        "technique_name": "User Execution",
        "technique_network": null,
        "technique_permissions": [ "User" ],
        "technique_platforms": [ "Linux", "Windows", "macOS" ],
        "technique_remote": null
      }
    ],
    "vt_activity": { "first_seen": "2019-07-08", "last_seen": "2019-07-08", "vt_file_count": 1 }
  }
}
```

```json
{
  "mitre": {
    "attack_vectors": [
      { "vector_name": "Privilege Escalation", "vector_type": "AttackVector" },
      { "vector_name": "NSIS", "vector_type": "Malware" },
      { "vector_name": "fsg exploit", "vector_type": "Malware" },
      { "vector_name": "Advanced Persistent Threat", "vector_type": "AttackVector" },
      { "vector_name": "Backdoor", "vector_type": "MalwareCategory" },
      { "vector_name": "DLL Side-Loading", "vector_type": "AttackVector" },
      { "vector_name": "Exploit", "vector_type": "AttackVector" },
      { "vector_name": "Kerberoasting", "vector_type": "AttackVector" },
      { "vector_name": "krunchy exploit", "vector_type": "Malware" },
      { "vector_name": "armadillo exploit", "vector_type": "Malware" },
      { "vector_name": "KingMiner", "vector_type": "Malware" }
    ],
    "cve": "CVE-2017-0213",
    "mitre_mappings": [
      {
        "tactic_id": "TA0008",
        "tactic_name": "Lateral Movement",
        "technique_data_source": [ "Windows Error Reporting", "Process monitoring", "File monitoring" ],
        "technique_detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
        "technique_id": "T1210",
        "technique_name": "Exploitation of Remote Services",
        "technique_network": null,
        "technique_permissions": [ "User" ],
        "technique_platforms": [ "Linux", "Windows", "macOS" ],
        "technique_remote": null,
        "technique_system_requirements": [ "Unpatched software or otherwise vulnerable target. Depending on the target and goal, the system and exploitable service may need to be remotely accessible from the internal network." ]
      }
    ],
    "vt_activity": { "first_seen": "2017-07-23", "last_seen": "2020-01-25", "vt_file_count": 16 }
  }
}
```
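The chain-aware prioritization the Shamoon mapping motivates, written here as an added Python example (it is not Tenable's code, nor the VPR or CVE-to-ATT&CK mapping implementation): it reads records in the shape of the Table 2 JSON, groups ATT&CK tactic ids into an "entry" stage (Initial Access, Execution) and an "expansion" stage (Privilege Escalation, Lateral Movement), and ranks a constructed asset inventory both by CVSS severity label alone and with the chain flag. The asset names, the stage grouping, and the reduction of the Table 2 records to a few fields are assumptions of the example; the severity labels are the CVSS v3.0 ratings the post states for the two CVEs.

```python
"""Chain-aware prioritization from per-CVE MITRE ATT&CK mappings.

Added example, not Tenable's code. Records follow the Table 2 JSON shape
(mitre.cve, mitre.mitre_mappings[].tactic_id). An asset is "chainable" when
its CVEs together provide an entry tactic and an expansion tactic, which is
the Shamoon pattern (CVE-2017-11774 for Execution, CVE-2017-0213 for
Lateral Movement / privilege escalation).
"""
import json
from collections import defaultdict

# Constructed input: the two Table 2 records reduced to the fields used here.
MAPPINGS_JSON = """
[
  {"mitre": {"cve": "CVE-2017-11774",
             "mitre_mappings": [{"tactic_id": "TA0002", "tactic_name": "Execution",
                                 "technique_id": "T1204"}]}},
  {"mitre": {"cve": "CVE-2017-0213",
             "mitre_mappings": [{"tactic_id": "TA0008", "tactic_name": "Lateral Movement",
                                 "technique_id": "T1210"}]}}
]
"""

# ATT&CK tactic ids grouped into the two stages a chain needs. The grouping
# is this example's assumption, not something ATT&CK defines.
STAGE_OF_TACTIC = {
    "TA0001": "entry",      # Initial Access
    "TA0002": "entry",      # Execution
    "TA0004": "expansion",  # Privilege Escalation
    "TA0008": "expansion",  # Lateral Movement
}

# CVSS v3.0 severity labels as stated in the post; used for the baseline ranking.
SEVERITY = {"CVE-2017-11774": "High", "CVE-2017-0213": "Medium"}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed asset inventory (hypothetical host names).
ASSETS = {
    "server-01": {"CVE-2017-0213"},
    "workstation-02": {"CVE-2017-11774"},
    "workstation-01": {"CVE-2017-11774", "CVE-2017-0213"},
}


def load_tactics(json_text):
    """Return {cve: {tactic_id, ...}} from Table 2-shaped records."""
    tactics = defaultdict(set)
    for record in json.loads(json_text):
        m = record["mitre"]
        for mapping in m["mitre_mappings"]:
            tactics[m["cve"]].add(mapping["tactic_id"])
    return dict(tactics)


def chain_stages(asset_cves, cve_tactics):
    """Map each chain stage to the CVEs on the asset that provide it."""
    stages = defaultdict(set)
    for cve in asset_cves:
        for tactic in cve_tactics.get(cve, ()):
            stage = STAGE_OF_TACTIC.get(tactic)
            if stage:
                stages[stage].add(cve)
    return dict(stages)


def is_chainable(asset_cves, cve_tactics):
    """True when one asset holds both an entry and an expansion vulnerability."""
    stages = chain_stages(asset_cves, cve_tactics)
    return "entry" in stages and "expansion" in stages


def worst_severity(cves):
    """Highest CVSS severity rank among the asset's CVEs (0 if none known)."""
    return max((SEVERITY_RANK[SEVERITY[c]] for c in cves if c in SEVERITY), default=0)


def rank_by_cvss(assets):
    """Baseline: order assets by their worst CVSS severity label only."""
    return sorted(assets, key=lambda a: worst_severity(assets[a]), reverse=True)


def rank_by_chain(assets, cve_tactics):
    """Chain-aware: chainable assets first, then fall back to CVSS severity."""
    return sorted(
        assets,
        key=lambda a: (is_chainable(assets[a], cve_tactics), worst_severity(assets[a])),
        reverse=True,
    )


if __name__ == "__main__":
    tactics = load_tactics(MAPPINGS_JSON)
    print("CVSS-only order :", rank_by_cvss(ASSETS))
    print("Chain-aware order:", rank_by_chain(ASSETS, tactics))
    for asset, cves in ASSETS.items():
        print(asset, chain_stages(cves, tactics))
```

Ranked by severity label alone, the host carrying only CVE-2017-0213 sits last and the two hosts with the High-rated CVE tie; the chain flag breaks that tie in favour of the host where the Execution and Lateral Movement mappings coincide, which is the asset the post says deserves attention first. In practice the stage table would be extended to cover every tactic and the inventory would come from the scanner, but the decision logic stays the same.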
Conclusion
A full system breach rarely happens through a single vulnerability. Daisy-chaining vulnerabilities is not only extremely common but is also an important tactic for threat actors.
MITRE ATT&CK has become the de-facto framework for defenders to position and strengthen their defenses. However, due to the lack of detailed technical and exploitation analyses for most vulnerabilities, this mapping hasn't been widely available to defenders.
At Tenable, we believe this is more than a “nice to have.” Further visibility into threats and threat actors, and how these map to local vulnerability exposures, is necessary and results in more effective prioritization and better protection of enterprise environments.
1. Tenable Research, “Persistent Vulnerabilities, Their Causes and the Path Forward,” June 2020
2. F5, “How Three Low-Risk Vulnerabilities Become One High,” January 2018
3. Narang, Satnam, “US Cybersecurity Agency CISA Alert: Foreign Threat Actors Continue to Target Unpatched Vulnerabilities,” Tenable Blog, September 17, 2020
4. Narang, Satnam, “CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities,” Tenable Blog, October 12, 2020
5. FBI Flash Alert, “Chinese APT10 Intrusion Activities Target Government, Cloud-Computing Managed Service Providers and Customer Networks Worldwide,” January 2, 2019
6. The MITRE Corporation, “MITRE ATT&CK: Design and Philosophy,” March 2020
7. G. Ackerman, R. Cole, A. Thompson, A. Orleans, N. Carr, “OVERRULED: Containing a Potentially Destructive Adversary,” FireEye Blog, July 3, 2019