Cyble-Vulnerability

Exposed Assets – A major threat to organizations

Organizations racing against time as active exploitation of vulnerabilities continues

Introduction

The COVID-19 outbreak has accelerated digital transformation and the exponential increase of remote work, resulting in organizations having an expanded digital footprint and attack surface, with new assets regularly being connected to the company network(s).

The existing processes, technologies, and tools organizations place for asset discovery and vulnerability management cannot defend against the barrage of new vulnerabilities arising almost daily.

Organizations might be overwhelmed trying to keep track of all existing assets within the organization as they add new internet-connected devices, domains, plugins, or other potentially external-facing applications, further complicating the threat landscape for organizations. 

Threat Actors (TAs), Advanced Persistence Threat (APT) groups, and other cyber criminals continuously scan the internet to find vulnerabilities that will be further exploited to achieve the desired objective. It should be noted that there are thousands of vulnerabilities arising every year. Still, not all vulnerabilities can be exploited, and not all vulnerabilities pose the same level of risk to an organization’s assets.

Analysis

To understand the vulnerability exploitation trend, Cyble Research & Intelligence Labs (CRIL) picked up a few vulnerabilities being actively exploited by TAs.

Active exploitation of Atlassian Confluence

On June 2, 2022, Atlassian released an advisory for CVE-2022-26134 (RCE), and within a matter of two days, the Proof-Of-Concept (POC) was being distributed via social media platforms. As the vulnerability targeted the internet-exposed Confluence servers, researchers noticed that vulnerability exploitation started within two days.

On July 20, 2022, the vendor released a security advisory for the Atlassian Confluence app consisting of vulnerability details for CVE-2022-26138, CVE-2022-26136, and CVE-2022-26137. Out of all the three vulnerabilities, CVE-2022-26138 is frequently exploited even at the time of writing this analysis.

We noticed that TAs are selling Confluence Server access by exploiting CVE-2022-26134 on various cybercrime forums. One such example is shown below.

Figure 1 – TA selling Confluence access on a cybercrime forum

Active exploitation of Zimbra Vulnerability

Zimbra released a patch on August 10, 2022, for Zimbra Vulnerability CVE-2022-37042. As expected, the active exploitation of this vulnerability started within a few days. Cyble Research and Intelligence Labs published a detailed blog on the vulnerability after its exploitation.


Cyble recently investigated a claim made by a TA selling nearly 2,700 email servers on a cybercrime forum by exploiting CVE-2022-37042, as shown below.

Figure 2 – TA selling Zimbra servers on a cybercrime forum

Active exploitation of Zyxel firewall and VPN

On September 7, 2022, the Twitter account “@1ZRR4H” tweeted about the mass exploitation of CVE-2022-30525. An Operating System command injection vulnerability in the CGI program of the affected product of Zyxel makes this a critical vulnerability.

Cyble researchers investigated the exposure of Zyxel-affected products that might be vulnerable to CVE-2022-30525 and found over 14,000 instances of exposure, as shown below.                                      

Figure 3 – Exposed Zyxel products exposure (Source: online scanner)

The top 5 countries with the highest number of exposures are:

Figure 4 – Top 5 countries with exposure

VMware Workspace ONE

On April 06, 2022, VMWare released a security advisory for vulnerabilities affecting VMware Workspace One, including CVE-2022-22954.

An advisory released by Cybersecurity and Infrastructure Security Agency (CISA) stated:

According to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively.”

Cyble researchers investigated claims made by the TA in a cybercrime forum. This led us to conclude that TAs leverage this VMware vulnerability to deploy web shells on various global organizations.

Our research into the matter indicated that all of the compromised access points hosted virtual applications via the enterprise application management platform – VMware Workspace ONE.

A screenshot from one of the compromised accesses demonstrated that the JSP-based web shell was downloaded by the TAs in the directory shown below.

Figure 5 – Web Shell access uploaded in the VMWare directory

WS02 Active Exploitation

In early April 2022, a vendor released a security advisory for CVE-2022-29464. This vulnerability’s severity is tagged “Critical,” as TAs could upload an arbitrary file to a user-controlled server location due to insufficient validation of user input. It is also possible to gain remote code execution capabilities on the server by exploiting this arbitrary file upload vulnerability.

Researchers came up with the Proof of Concepts (POC) within a few days, which were distributed across social media platforms within no time. Later in the same month, CISA added the vulnerability in the Known Exploited Vulnerabilities Catalog, indicating active exploitation.

Figure – 6 Screenshot from CISA known Known exploited Vulnerability catalog

Cyble researchers observed a few instances of TAs selling web shells on several public and private organizations. One of these instances is shown below.

Figure 7 – TA selling webshells by exploiting WSO2 vulnerability

What is common in these Active Exploitation vulnerabilities?

  • Type of Exploit – Remote Code Execution.
  • Vulnerable instances exposed over the internet that can be searched via various online scanners.
  • Usage of automation scripts and tools used by TAs.
  • Active exploitation of vulnerabilities is seen within a few days of the release of advisory by the vendor or the PoC distributed over social media.
  • TAs actively use automation scripts and vulnerability scanning tools to exploit vulnerable instances from state and private organizations.
  • TAs were observed selling web shells and other accesses on cybercrime forums as soon as vulnerability details were out.
  • Organizations dealing in Critical Infrastructure sectors are disproportionately targeted via actively exploiting new vulnerabilities.
  • TAs have a wide scope for attacks as organizations fail to patch critical vulnerabilities in time, leading to their active exploitation.

Conclusion

With the active exploitation of various vulnerabilities occurring almost every month, organizations have difficulty managing patches and updates. TAs are leveraging online scanners, automation scripts, and vulnerability scanning tools to exploit vulnerabilities in no time. Most TAs are further selling web shells and accesses on cybercrime forums to botnet operators or people looking to target a particular organization.

Keeping these factors in mind, we highly recommend that organizations leveraging traditional Vulnerability Management processes should shift toward Risk-Based Vulnerability Management. With the immense number of attacks being carried out against organizations regularly, it has become crucial to monitor the dark web for accesses and any shells being sold.

Recommendations

  • Keep systems updated with the latest patches released by the official vendor.
  • Prioritize patching with a Risk-based vulnerability management process.
  • Limit exposure of critical assets over the internet with proper network segmentation.
  • Place critical assets behind an updated and well-configured firewall.
  • Regular audits and VAPT exercises can help the organization find security loopholes that attackers might exploit.
  • Follow the Zero Trust approach.
Scroll to Top