Why “Out of Control” Exploit Chains Are Dangerous

An ‘exploit chain’, also called a ‘vulnerability chain’, is a cyberattack that compromises a target by tying together multiple vulnerabilities. By chaining exploits, an attacker can have a greater impact on the target than by attacking a single point, and can increase the probability that the attack succeeds.

According to Forrester analyst Steve Turner, the purpose of an exploit chain attack is to gain kernel/root/system-level access from which to execute the attack. The exploit chain helps attackers break into a company’s internal environment by exploiting vulnerabilities in normal system processes, escalating privileges while bypassing multiple defenses. Exploit chain attacks typically require more time, effort and expertise than other cyberattacks. However, by bundling multiple exploits, an attacker can mount an attack that is difficult to recover from, depending on the age and complexity of the vulnerabilities involved.

Risks of the exploit chain

Exploit chain attacks progress relatively quickly, and few companies have the tactics, procedures, or tools to deter or contain the threat and respond appropriately. The exploit chain therefore poses a huge risk to the enterprise.

“IT security teams are under great pressure from exploit chain attacks and from the fact that almost all cyberattacks exploit known but unmitigated vulnerabilities,” said Ortal Keizman, research team lead at cybersecurity firm Vulcan Cyber. Vulnerability management today is a game of whack-a-mole for IT security teams. “More than 56% of organizations do not have the ability to address vulnerabilities at the speed and level that will protect their business.”

According to Keizman, most cybersecurity leaders rely on the list of vulnerabilities disclosed by NIST and the exploited vulnerabilities identified by CISA. It is an inconvenient fact, but this means that they do not accurately understand the risk posture of their company. “If you can’t assess risk, you can’t mitigate it,” says Keizman. “Even setting priorities for risk is meaningless if it does not match the risk tolerance level of each company or business unit.”

Exploit Chain Cases and Scenarios

Let’s look at how such attacks unfold, through real-world examples and scenarios of exploit chain attacks that have occurred or are very likely to occur.

1. SolarWinds attack
According to Keizman, the SolarWinds hack is a typical example of an exploit chain attack. It was an attack that could not have been defended against by patching a single vulnerability or by closing the supply chain backdoor alone. “Hackers exploited vulnerabilities in proprietary and open source code,” said Keizman. “First, they attacked a key layer vulnerability in the software supply chain and developed an Advanced Persistent Threat (APT) that elevates remote access privileges and privileges inside private networks.”

After the SolarWinds software supply chain backdoor was disclosed, attackers used ‘proof of concept’ exploits to compromise core systems through known vulnerabilities that, for a number of reasons, had not yet been mitigated.

2. Exploit chains targeting mobile devices
John Bambenek, chief threat analyst at security firm Netenrich, believes that exploit chain attacks are most likely to target mobile devices. Bambenek explained, “Due to the nature of the smartphone architecture, mobile malware needs to gain root access by exploiting several vulnerabilities in order to function properly.”

An example can be found in a report released by security company Lookout on Android surveillance tools used for several years in China to target Uyghurs. “Exploit chains target traditional computing devices, where there are gaps in human behavior and in the way the device is used,” explains Bambenek. For example, many ransomware attackers move laterally or use PowerShell after breaching the perimeter of the target device, which requires elevating privileges with other exploits.

3. Exploit chains targeting browsers
According to Tyler Reguly of the vulnerability research team at security firm Tripwire, cyber attackers use phishing emails to convince users to visit webpages, then exploit browser vulnerabilities via a ‘drive-by download’. After that, they tie in a second vulnerability to escape the sandbox and gain elevated privileges.

An attacker who gains elevated privileges infiltrates various parts of the network and attempts to exploit vulnerabilities to enter specific systems. Reguly said, “When I think of the exploit chain, I think of the scene in the sitcom Friends where Ross repeatedly shouts ‘Pivot!’. Attackers use the exploit chain to create a pivot and then roam around the system and network. Attackers want multiple exploits in the victim’s browser to work better together. Depending on the company’s defenses, the exploits may not work together systematically, and the attack may still succeed.”

Exploit Toolkit Used by Ransomware Attackers

Exploit chains are increasingly being used in commercial exploit toolkits employed by ransomware groups and other attackers. “Two examples are typical,” Turner said. One is the ‘zero-click exploit chain’, which executes without any action by the user; the other is ‘ProxyLogon’, which gains administrator access by attacking multiple vulnerabilities so that the attacker can perform whatever action they desire.

Both are tools frequently used by ransomware groups to exfiltrate data and quickly gain a foothold for a ransomware attack. “We expect many attackers to exploit well-known RCE vulnerabilities, such as the Log4j vulnerability, in the future,” Turner said. “Specifically, they will create exploit toolkits that combine various vulnerabilities to quickly gain the desired system/kernel-level access.”

How to prevent exploit chain attacks

One thing to keep in mind when mitigating the risk of an exploit chain attack is that every link in the chain can be broken. “Even if some damage has already occurred, breaking a link can prevent further damage,” Reguly explains. In other words, a robust and mature cybersecurity program with the techniques, technology, and people able to break each link in the chain can defend against and mitigate such attacks as far as possible.

“If an enterprise cannot use this method, then the next best thing is to think about where to stop the attack in terms of the cyber kill chain,” Reguly added. Bambenek agrees, advising: “The exploit chain attack may seem terrifying conceptually, but if there is something that can be detected, whether it is the exploit chain itself or the attacker’s behavior, then the problem can be identified and dealt with.”
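Bambenek’s point that detecting any one link is enough to surface the whole chain can be made concrete. The following Python script is an added example, not code from this article or from any of the vendors quoted in it: it models the browser scenario above as ordered stages (drive-by download, sandbox escape, privilege elevation, pivot), correlates constructed telemetry lines per host, and raises an alert as soon as a host has moved through two stages, i.e. before the pivot stage is reached. The event names, the log format and the mapping of events to stages are assumptions made for the example; real EDR telemetry would need its own mapping.

```python
from collections import defaultdict

# Chain stages in the order the article's browser scenario describes them.
STAGES = ["initial_access", "sandbox_escape", "priv_escalation", "pivot"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}

# Hypothetical mapping from telemetry event types to the chain stage they evidence.
# These event names are assumptions for the example, not output of any real product.
EVENT_TO_STAGE = {
    "browser_spawned_child": "initial_access",
    "sandbox_policy_violation": "sandbox_escape",
    "token_integrity_raised": "priv_escalation",
    "encoded_powershell": "pivot",
    "remote_logon_from_host": "pivot",
}

# Constructed sample telemetry, one event per line: "<epoch_seconds> host=<name> event=<type>".
# ws-17 walks the full chain; ws-42 shows a lone browser event followed, hours
# later, by an unrelated PowerShell event that must not be joined into a chain.
SAMPLE_LOG = """\
1000 host=ws-17 event=browser_spawned_child
1005 host=ws-17 event=sandbox_policy_violation
1020 host=ws-42 event=browser_spawned_child
1090 host=ws-17 event=token_integrity_raised
1150 host=ws-17 event=encoded_powershell
5000 host=ws-42 event=encoded_powershell
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, event_type)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return int(ts), kv["host"], kv["event"]


def correlate(log_text, window=900, alert_after=2):
    """Track each host's progress through STAGES and alert early.

    A stage is recorded only if it is a forward step from the last stage seen
    for that host and arrives within `window` seconds of that host's first
    stage; a chain that stalls longer than the window is discarded rather than
    extended. A chain can only start at the first stage, so an isolated pivot
    event on a host is noise for this detector.

    Returns (progress, alerts): progress maps host -> ordered list of stages
    reached; alerts is a list of (ts, host, stages_so_far) emitted the first
    time a host reaches `alert_after` stages, i.e. while the chain is still
    incomplete and a later link can still be broken.
    """
    progress = defaultdict(list)
    first_seen = {}
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, event = parse_line(raw)
        stage = EVENT_TO_STAGE.get(event)
        if stage is None:
            continue  # telemetry we do not map to a chain stage
        chain = progress[host]
        if chain and ts - first_seen[host] > window:
            chain.clear()  # stale partial chain: start over
            alerted.discard(host)
        if not chain:
            if stage != STAGES[0]:
                continue  # chains begin only at the first stage
            first_seen[host] = ts
        elif STAGE_INDEX[stage] <= STAGE_INDEX[chain[-1]]:
            continue  # repeated or backwards stage, not progress
        chain.append(stage)
        if len(chain) >= alert_after and host not in alerted:
            alerted.add(host)
            alerts.append((ts, host, list(chain)))
    return dict(progress), alerts


if __name__ == "__main__":
    progress, alerts = correlate(SAMPLE_LOG)
    for ts, host, stages in alerts:
        print(f"ALERT t={ts} host={host} chain so far: {' -> '.join(stages)}")
    for host, stages in progress.items():
        print(f"{host}: {stages or 'no chain'}")
```

Run stand-alone, the script alerts on ws-17 at the sandbox-escape step, three events before the pivot, while ws-42 never forms a chain because its PowerShell event falls outside the window and a chain cannot start at the pivot stage. The threshold and window are the tuning knobs: a lower `alert_after` catches chains earlier at the cost of more noise from benign browser child processes.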

Above all, responding to exploit chains requires cooperation between the open source community and proprietary software companies. “Open source has been and will continue to be a huge help in software development,” said Keizman. “Now is the time for the commercial and open source software development communities to work together.”

Additionally, CISOs should practice holistic, risk-based cyber hygiene rather than blindly addressing vulnerabilities as they arise. “Businesses need to develop a strategy to respond to exploit chain attacks before it is too late, and prioritize according to the needs of their specific business,” Keizman stresses.

Source: ITWorld Korea by www.itworld.co.kr.
