Category: Alerts | Page 2

2022 Top Routinely Exploited Vulnerabilities

August 3, 2023/in Alerts

SUMMARY

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):

United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
Canada: Canadian Centre for Cyber Security (CCCS)
New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.

Vendors, designers, and developers: Implement secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in your software.
- Follow the Secure Software Development Framework (SSDF), also known as SP 800-218, and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
- Prioritize secure-by-default configurations, such as eliminating default passwords, or requiring addition configuration changes to enhance product security.
- Ensure that published CVEs include the proper CWE field identifying the root cause of the vulnerability.
End-user organizations:
- Apply timely patches to systems. Note: First check for signs of compromise if CVEs identified in this CSA have not been patched.
- Implement a centralized patch management system.
- Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
- Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.

Download the PDF version of this report:

TECHNICAL DETAILS

Key Findings

In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.

Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).

Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.

Top Routinely Exploited Vulnerabilities

Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
CVE-2021- 44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022.
CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

Additional Routinely Exploited Vulnerabilities

In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.

MITIGATIONS

Vendors and Developers

The authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:

Identify repeatedly exploited classes of vulnerability. Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.
Ensure business leaders are responsible for security. Business leaders should ensure that proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.
Follow the SSDF (SP 800-218) and implement secure design practices into each stage of the SDLC. Pay attention to:
- Prioritizing the use of memory safe languages wherever possible [SSDF PW 6.1].
- Exercising due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [SSDF PW 4.1].
- Setting up secure development team practices; this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language specific security concerns [SSDF PW.5.1, PW.7.1, PW.7.2].
- Establishing a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [SSDF RV.1.3]. As part of this, establish processes to determine root causes of discovered vulnerabilities.
- Using static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [SSDF PW.7.2, PW.8.2].
- Configuring production-ready products to have to most secure settings as default and providing guidance on the risks of changing each setting [SSDF PW.9.1, PW9.2]
Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.
Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.

For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.

End-User Organizations

The authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on CPGs, including additional recommended baseline protections.

Vulnerability and Configuration Management

Update software, operating systems, applications, and firmware on IT network assets in a timely manner [CPG 1.E]. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
- If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
- Replace end-of-life software (i.e., software no longer supported by the vendor).
Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware and software.
Implement a robust patch management process and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].
- Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, MSPs and CSPs can expand their customer’s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources.
Document secure baseline configurations for all IT/OT components, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].
Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].

Identity and Access Management

Enforce phishing-resistant multifactor authentication (MFA) for all users, without exception. [CPG 2.H].
Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].
Regularly review, validate, or remove privileged accounts (annually at a minimum) [CPG 2.D, 2.E].
Configure access control under the principle of least privilege [CPG 2.Q].

Protective Controls and Architecture

Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2X].
- Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
- Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
- Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).

Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. Note: See the Department of Defense’s Zero Trust Reference Architecture for additional information on Zero Trust.
Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
- Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].
- Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].
- Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].
- Use a network protocol analyzer to examine captured data, including packet-level data.

Supply Chain Security

Reduce third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions [CPG 2.Q].
Ensure contracts require vendors and/or third-party service providers to:
- Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].
- Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].
Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

RESOURCES

For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see:
See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.
See ACSC’s Essential Eight mitigation strategies for additional mitigations.
See ACSC’s Cyber Supply Chain Risk Management for additional considerations and advice.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

PURPOSE

This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

REFERENCES

[1] Apache Log4j Vulnerability Guidance

VERSION HISTORY

August 3, 2023: Initial version.

APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES

CVE	Vendor	Affected Products and Versions	Patch Information	Resources
CVE-2017-0199	Microsoft	Multiple Products	Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows
CVE-2017-11882	Microsoft	Office, Multiple Versions	Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882
CVE-2018-13379	Fortinet	FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6	FortiProxy – system file leak through SSL VPN special crafted HTTP resource requests	Joint CSAs: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
CVE-2019-11510	Ivanti	Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12	SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX	CISA Alerts: Continued Exploitation of Pulse Secure VPN Vulnerability Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity ACSC Advisory: 2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software Joint CSA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations CCCS Alert: APT Actors Target U.S. and Allied Networks – Update 1
CVE-2019-0708	Microsoft	Remote Desktop Services	Remote Desktop Services Remote Code Execution Vulnerability
CVE-2019-19781	Citrix	ADC and Gateway version 13.0 all supported builds before 13.0.47.24 NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12 SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b	CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance	Joint CSAs: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity CCCS Alert: Detecting Compromises relating to Citrix CVE-2019-19781
CVE-2020-5902	F5	BIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5	K52145254: TMUI RCE vulnerability CVE-2020-5902	CISA Alert: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
CVE-2020-1472	Microsoft	Windows Server, Multiple Versions	Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472	ACSC Advisory: 2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) Joint CSA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations CCCS Alert: Microsoft Netlogon Elevation of Privilege Vulnerability – CVE-2020-1472 – Update 1
CVE-2020-14882	Oracle	WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Oracle Critical Patch Update Advisory – October 2020
CVE-2020-14883	Oracle	WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Oracle Critical Patch Update Advisory – October 2020
CVE-2021-20016	SonicWALL	SSLVPN SMA100, Build Version 10.x	Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x
CVE-2021-26855	Microsoft	Exchange Server, Multiple Versions	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855	CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-26857	Microsoft	Exchange Server, Multiple Versions	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857
CVE-2021-26858	Microsoft	Exchange Server, Multiple Versions	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858	CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-27065	Microsoft	Multiple Products	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065	CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-20021	SonicWALL	Email Security version 10.0.9.x Email Security	SonicWall Email Security pre-authentication administrative account creation vulnerability
CVE-2021-31207	Microsoft	Exchange Server, Multiple Versions	Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207	CISA Alert: Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities ACSC Alert: Microsoft Exchange ProxyShell Targeting in Australia
CVE-2022-26134	Atlassian	Confluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1	Confluence Security Advisory 2022-06-02	CISA Alert: CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog ACSC Alert: Remote code execution vulnerability present in Atlassian Confluence Server and Data Center
CVE-2021-34473	Microsoft	Exchange Server, Multiple Version	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473	Joint CSA: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
CVE-2021-34523	Microsoft	Microsoft Exchange Server 2013 Cumulative Update 23 Microsoft Exchange Server 2016 Cumulative Updates 19 and 20 Microsoft Exchange Server 2019 Cumulative Updates 8 and 9	Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523	CISA Alert: Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
CVE-2021-26084	Jira Atlassian	Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.	Jira Atlassian: Confluence Server Webwork OGNL injection – CVE-2021-26084	CISA Alert: Atlassian Releases Security Updates for Confluence Server and Data Center
CVE-2021-40539	Zoho ManageEngineCorp.	ManageEngine ADSelfService Plus builds up to 6113	Security advisory – ADSelfService Plus authentication bypass vulnerability	ACSC Alert: Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors
CVE-2021-40438	Apache	HTTP Server 2.4.48
CVE-2021-41773	Apache	Apache HTTP Server 2.4.49	Apache HTTP Server 2.4 vulnerabilities
CVE-2021-42013	Apache	Apache HTTP Server 2.4.50	Apache HTTP Server 2.4 vulnerabilities
CVE-2021-20038	SonicWall	SMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24svSMA 100 series appliances	SonicWall patches multiple SMA100 affected vulnerabilities	ACSC Alert: CCCS Alert: SonicWall Security Advisory
CVE-2021- 44228	Apache	Log4j, all versions from 2.0-beta9 to 2.14.1 For other affected vendors and products, see CISA’s GitHub repository.	Apache Log4j Security Vulnerabilities For additional information, see joint CSA: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities	CISA webpage: Apache Log4j Vulnerability Guidance CCCS Alert: Active exploitation of Apache Log4j vulnerability – Update 7 ACSC Advisory: 2021-007: Log4j vulnerability – advice and mitigations ACSC Publication: Log4j: What Boards and Directors Need to Know
CVE-2021-45046	Apache	Log4j 2.15.0Log4j	Apache Log4j Security Vulnerabilities
CVE-2022-42475	Fortinet	FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier	FortiOS – heap-based buffer overflow in sslvpnd
CVE-2022-24682	Zimbra	Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1) Collaboration Suite	Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release
CVE-2022-22536	SAP	NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM)	Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher	CISA Alert: Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)
CVE-2022-22963	VMware Tanzumware Tanzu	Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions	CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
CVE-2022-22954	VMware	Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3 vRealize Automation (vIDM), 8.x, 7.6 VMware Cloud Foundation (vIDM), 4.x vRealize Suite Lifecycle Manager (vIDM), 8.xWorkspace ONE Access and Identity Manager	VMware Advisory VMSA-2022-0011
CVE-2022-22960	VMware	Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 Identity Manager (vIDM) and vRealize Automation3.3.6, 3.3.5, 3.3.4, 3.3.3 vRealize Automation (vIDM), 8.x, 7.6 VMware Cloud Foundation (vIDM), 4.x VMware Cloud Foundation (vRA), 3.x vRealize Suite Lifecycle Manager (vIDM), 8.x	VMSA-2022-0011
CVE-2022-29464	AtlassianWSO2	WSO2 API Manager 2.2.0 and above through 4.0.0 WSO2 Identity Server 5.2.0 and above through 5.11.0 WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0 WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0 WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0	WSO2 Documentation – Spaces
CVE-2022-27924	Zimbra	Zimbra Collaboration Suite, 8.8.15 and 9.0	Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release
CVE-2022-1388	F5 Networks	F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and All 12.1.x and 11.6.x versions	K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388	Joint CSA: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388
CVE-2022-30190	Microsoft	Exchange Server, Multiple Versions		CISA Alert: Microsoft Releases Workaround Guidance for MSDT “Follina” Vulnerability
CVE-2022-22047	Microsoft	Multiple Products	Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047
CVE-2022-27593	QNAP	Certain QNAP NAS running Photo Station with internet exposure Ausustor Network Attached Storage	DeadBolt Ransomware
CVE-2022-41082	Microsoft	Exchange Server 2016 Cumulative Update 23, 2019 Cumulative Update 12, 2019 Cumulative Update 11, 2016 Cumulative Update 22, and 2013 Cumulative Update 23	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082	ACSC Alert: Vulnerability Alert – 2 new Vulnerabilities associated with Microsoft Exchange.
CVE-2022-40684	Fortinet	FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0	FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface

Source…

Threat Actors Exploiting Ivanti EPMM Vulnerabilities

August 1, 2023/in Alerts

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.

Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.

CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.

This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti.

Download the PDF version of this report:

AA23-213A Threat Actors Exploiting Ivanti EPMM Vulnerabilities
(PDF, 489.59 KB
)

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

In July 2023, NCSC-NO became aware of APT actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core, to target a Norwegian government network. Ivanti confirmed that the threat actors exploited CVE-2023-35078 and released a patch on July 23, 2023.[1] Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.[2]

CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The vulnerability allows unauthenticated access to specific application programming interface (API) paths. Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled.

According to Ivanti, CVE-2023-35078 can be chained with a second vulnerability CVE-2023-35081.[2] CVE-2023-35081 is directory traversal vulnerability [CWE-22] in EPMM. This vulnerability allows threat actors with EPMM administrator privileges the capability to write arbitrary files, such as webshells, with operating system privileges of the EPMM web application server. The actors can then execute the uploaded file.[2]

CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog on July 25, 2023, and CVE-2023-35081 on July 31, 2023.

CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices. Threat actors, including APT actors, have previously exploited a MobileIron vulnerability [3],[4].

APT Actor Activity

The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy [T1090] to target infrastructure, and NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices [T1190] and:

Perform arbitrary Lightweight Directory Access Protocol (LDAP) queries against the Active Directory (AD).
Retrieve LDAP endpoints [T1018].
Use API path /mifs/aad/api/v2/authorized/users to list users and administrators [T1087.002] on the EPMM device.
Make EPMM configuration changes (Note: It is unknown what configuration changes the actors made).
Regularly check EPMM Core audit logs [T1005].

The APT actors deleted some of their entries in Apache httpd logs [T1070] using mi.war, a malicious Tomcat application that deletes log entries based on the string in keywords.txt. The actors deleted log entries with the string Firefox/107.0.

The APT actors used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM. Other agents were used; however, these user agents did not appear in the device logs. It is unconfirmed how the threat actors ran shell commands on the EPMM device; however, NCSC-NO suspects the actors exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands [T1059].

The APT actors tunneled traffic [T1572] from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet [T1090.001]. It is unknown how they tunneled traffic. NCSC-NO observed that the network traffic used the TLS certificate of the internal Exchange server. The APT actors likely installed webshells [T1505.003] on the Exchange server in the following paths [T1036.005]:

/owa/auth/logon.aspx
/owa/auth/logoff.aspx
/owa/auth/OutlookCN.aspx

NCSC-NO also observed mi.war on Ivanti Sentry but do not know how the actors placed it there.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1—Table 7 for all referenced threat actor tactics and techniques in this advisory.

Table 1: APT Actors ATT&CK Techniques for Initial Access

Technique Title	ID	Use
Exploit Public-Facing Application	T1190	The APT actors exploited CVE-2023-35078 in public facing Ivanti EPMM appliances since at least April 2023.

Table 2: APT Actors ATT&CK Techniques for Execution

Technique Title	ID	Use
Command and Scripting Interpreter	T1059	The APT actors may have exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands.

Table 3: APT Actors ATT&CK Techniques for Discovery

Technique Title	ID	Use
Account Discovery: Domain Account	T1087.002	The APT actors exploited CVE-2021-35078 to gather EPMM device users and administrators.
Remote System Discovery	T1018	The APT actors retrieved LDAP endpoints.

Table 4: APT Actors ATT&CK Techniques for Persistence

Technique Title	ID	Use
Masquerading: Match Legitimate Name or Location	T1036.005	The APT actors likely installed webshells at legitimate Exchange server paths.
Server Software Component: Web Shell	T1505.003	The APT actors implanted webshells on the compromised infrastructure.

Table 5: APT Actor ATT&CK Techniques for Defense Evasion

Technique Title	ID	Use
Indicator Removal	T1070	APT actors deleted httpd access logs after the malicious activities took place using string `Firefox/107.0`.

Table 6: APT Actor ATT&CK Techniques for Collection

Technique Title	ID	Use
Data from Local System	T1005	APT actors regularly checked EPMM Core audit logs.

Table 7: APT Actor ATT&CK Techniques for Command and Control

Technique Title	ID	Use
Protocol Tunneling	T1572	The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.
Proxy	T1090	The actors leveraged compromised SOHO routers to proxy to and compromise infrastructure. The actors tunneled traffic from the internet to at least one Exchange server.
Proxy: Internal Proxy	T1090.001	The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

Technique Title

Use

Protocol Tunneling

T1572

The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

Proxy

T1090

The actors leveraged compromised SOHO routers to proxy to and compromise infrastructure.

The actors tunneled traffic from the internet to at least one Exchange server.

Proxy: Internal Proxy

T1090.001

The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

EVIDENCE OF VULNERABILITY METHODS

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-30578:

id: CVE-2023-35078-Exposure

info:

name: Ivanti EPMM Remote Unauthenticated API Access

author: JC

severity: critical

reference:

– https://nvd.nist.gov/vuln/detail/CVE-2023-35078

description: Identifies vulnerable instances of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass.

tags: ivanti, mobileiron, epmm, auth-bypass

requests:

– method: GET

path:

– “{{RootURL}}/mifs/aad/api/v2/ping”

matchers-condition: and

matchers:

– type: status

status:

– 200

– type: word

part: body

words:

– “vspVersion”

– “apiVersion”

condition: and

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35081:

id: CVE-2023-35081

info:

name: Ivanti EPMM Remote Arbitrary File Write

author: JC

severity: High

reference:

– https://nvd.nist.gov/vuln/detail/CVE-2023-35081

description: Identifies vulnerable unpatched versions of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10.0.3, 11.9.1.2, and 11.8.1.2 that allows an authenticated administrator to perform arbitrary file writes to the EPMM server.

tags: ivanti, mobileiron, epmm

requests:

– method: GET

path:

– “{{RootURL}}/mifs/c/windows/api/v2/device/registration”

matchers-condition: and

matchers:

– type: status

status:

– 200

– type: regex

part: all

regex:

– ‘.*\?VSP ((0?[0-9]|10)(\.\d+){1,3}|11\.(0?[0-7])(\.\d+){1,2}|11\.8\.0(\.\d+)?|11\.8\.1\.[0-1]|11\.9\.0(\.\d+)?|11\.9\.1\.[0-1]|11\.10\.0\.[0-2]).*’

Run the following NCSC-NO-created checks to check for signs of compromise:

Investigate logs in centralized logging solutions or forwarded syslogs from EPMM devices for any occurrences of /mifs/aad/api/v2/.
Look for spikes or an increase of EventCode=1644 in the AD since at least April 2023. The LDAP queries performed by EPMM when the threat actor used the MIFS API generated tens of millions of this event code. Also look for EventCodes 4662, 5136, and 1153.
To detect tunneling activity through Sentry, look for traffic from EPMM devices to other internal servers, as well as TLS traffic towards instances of EPMM with different TLS certificates than the instance itself would possess. Traffic to EPMM with certificates originating from endpoints further inside the network, e.g. standard Windows generated certificates such as CN=EXCHANGE01 or similar.
Perform forensic analysis of disk and memory since log retention may be poor and threat actors have been observed deleting log entries. Pay particular attention to unallocated disk space (free space on filesystem).
Check for activity from ASUS routers in your own country towards EPMM and Sentry devices.

INCIDENT RESPONSE

If compromise is detected, organizations should:

Quarantine or take offline potentially affected hosts.
Reimage compromised hosts.
Provision new account credentials.
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
Report the compromise to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870) or to NCSC-NO via NCSC-NO’s 24/7 Operations Center ([email protected] or +47 23 31 07 50).

MITIGATIONS

CISA and NCSC-NO recommend organizations:

Upgrade Ivanti EPMM versions to the latest version as soon as possible. See Ivanti CVE-2023-35081 – Remote Arbitrary File Write for patch information. This patch protects against CVE-2023-35078 and CVE-2023-35081.
- See the Evidence of Vulnerability Methods section of this advisory for CISA-developed nuclei templates to find any EPMM versions vulnerable to CVE-2023-35078 and CVE-2023-35081.
- Organizations using unsupported versions (i.e., versions prior to 11.8.1.0) should immediately upgrade to a supported version. If you cannot immediately upgrade, apply the Ivanti-provided RPM fix for CVE-35078 (this workaround does not protect against CVE-2023-35081):
  - Login to command line shell (CLI) in enable mode.
  - Run the following command: # install rpm url https://support.mobileiron.com/ivanti-updates/ivanti-security-update-1.0.0-1.noarch.rp
  - See Ivanti’s Knowledge Base (KB) Remote unauthenticated API access vulnerability – CVE-2023-35078 for more information on the RPM fix.
Treat MDM systems as high-value assets (HVAs) with additional restrictions and monitoring. MDM systems provide elevated access to thousands of hosts and should be treated as high value assets (HVAs) with additional restrictions and monitoring.
Follow best cybersecurity practices in production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and NCSC-NO also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and NCSC-NO recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Table 1–Table 7).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] Ivanti: CVE-2023-35078 – Remote Unauthenticated API Access Vulnerability

[2] Ivanti: CVE-2023-35081 – Remote Arbitrary File Write

[3] CISA: Potential for China Cyber Response to Heightened U.S.-China Tensions

[4] CISA: Top Routinely Exploited Vulnerabilities

ACKNOWLEDGEMENTS

Ivanti contributed to this joint advisory.

VERSION HISTORY

August 1, 2023: Initial version.

APPENDIX: INDICATORS OF COMPROMISE

NCSC-NO observed the following webshell hash:

c0b42bbd06d6e25dfe8faebd735944714b421388

NCSC-NO observed the following hash of mi.war:

1cd358d28b626b7a23b9fd4944e29077c265db46

NCSC-NO observed the following JA3 Hashes used against MobileIron Core:

2d5bd942ebf308df61e1572861d146f6

473cd7cb9faa642487833865d516e578

579ccef312d18482fc42e2b822ca2430

849d3331f3e07a0797a02f12a6a82aa9

8d9f7747675e24454cd9b7ed35c58707

ad55557b7cbd735c2627f7ebb3b3d493

cd08e31494f9531f560d64c695473da9

e1d8b04eeb8ef3954ec4f49267a783ef

e60dc8370ecf78cf115162fbc257baf5

e669667efb41c36f714c309243f41ca7

e84a32d43db750b206cb6beed08281d0

eb5fdc72f0a76657dc6ea233190c4e1c

NCSC-NO observed the following JA3 Hashes used against Exchange when tunneling via EPMM Sentry:

0092ce298a1d451fbe93dc4237053a96

00e872019b976e69a874ee7433038754

01ecd9ab9be75e832c83c082be3bdf18

0212a88c7ed149febdefa347c610b248

02be3b93640437dbba47cc7ed5ab7895

03f8852448a85e14f2b4362194160c32

045f8ccdac6d4e769b30da406808da71

04e7f5787f89a597001b50a37b9f8078

070f9fe9f0ec69e6b8791d280fde6a48

07a624d7236cca3934cf1f8e44b74b52

09df72c01a1a0ad193e2fff8e454c9c4

0b28842d64a344c287e6165647f3b3fe

0b8e1211de50d244b89e6c1b366d3ccf

0cb0380cf75a863b3e40a0955b1ada9f

0da24834056873a8cd8311000088e8be

0e1fad8ffaa7a939f0a6cbf9cd7e2fcd

0f6e78839398c245d13f696a3216d840

119f8c9050d1499b6f958b857868b8ce

11c506d5e3fb7e119c4287202c96a930

1336df27f94b25a25acac9db3e61e461

14671c3f8deca7d73a03b74cb854c21d

146caf9bd0153428f54e9ef472154983

14994353f3ea6fd25952a8c7d57f9ecf

151bc875df15d1385e6eb02f9edaba06

15a074a397727b26a846b443b99c20ff

1660f3d882a4311ca013ee4586e01fd9

16a74fc216f8a4ce43466bb83b6d3fd2

188623fdd056c4ed13d1ff34c7377637

19f51486abd40c9f0fc0503559a6c523

1a024e63721c610d2e54e67d62cd5460

1aa7dae8f2ae0a29402ed51819f82db4

1abfdeaadb74a0f7c461e7bab157b17f

1b6720ed0b67c910a80722ce973d6217

1b7d9368c6ce7623fdbc43f013626535

1e0850e10a00c9bbdd5c582ff4cb6833

1ec71612e438cf902913eec993475eb9

206fed3a39d9215c35395663f5bb3307

22cc1b3bc9f99d3a520ae58fee79a0d5

23e3e6fa8b23d9bc19e82de4e64c79e9

253fd4659bf21be116858bc0f206c5b9

276e175d4fe8454c4c47e966d8cb3fa3

289a450c7478dd52a10c6ed2fb47f7e9

2aa8ba7478b1362274666d714df575bc

2beecb6b9e386f29d568229a9953c3d2

2ebc7fdceaa9a0df556e989d77157006

3003024afe64b4e8a5a30825c14bbb12

3082e669dda9d023e2dcd8b9549a84a8

309d33c6f77a3fc75654c44c61596ccd

30a9f568eb3df79352fc587a078623b6

30be84e6b95f44c203f8e7fce7339a8e

3268a5097a543c7dbd82c39a9193b7fe

32775ead3ea1ad7db2f4bea67fe0cabb

34ac9a6ef5d285119abec50fbe41fcfe

34d92552e278710c1e84f0bd8dc3a6b8

361f47a6357cc6e3a9bcdd20cfaaf0e9

3685abc75517e61e47e52e5f2d060f54

3744004013135b9f9a05cb58cda8134d

37d952966ea7e79277803f13d7147544

391a4c2c7541b8b78e2f99bf586e9794

393662e5aa0cb49c5d666a6d10a1ade6

3962b622c5aa815afb803b92aa948424

3b22af324abded2781ed8f6a61f3654f

3b30b4555cc8b4b164ad03cf322cbea8

3bd1bdb5e90b9590a8878bff2ada8204

3be529eb3a7daaf34f963a22188f6139

3dd13faad1c45eb0c23e4567210f7eac

403273b51f91cf3c333695e5532cb2c3

404f56045e436d53ead2177bf957ba39

41854adbc73b0b58e5c566f60bb0df25

43c22dabb1e6d2449a39c2f7e974d537

476e72bbda5b78d188766139889e3038

4898a51256ae7d914a5ffd5695973470

49230c486f0fd383cd301fe162d6a786

4959a611b9885022d81b4bc8e4b1d149

495c6ff7ca0379ad0891bac47917d09a

49d2bd08038dc7dada221008591940f9

4c1b73ec52e6eec0c5d20577fcbc9ef1

4d34db639ba84b11822fb3dac47ed7d1

5244b163f9326a1e5eaa8860f7543f99

539f1a5183800a96228458932f9307f7

5466368d4659f1b1470bcb09e65b484d

549cde6535a884126755fc53f59a820c

555389e92c622b87d3fc395fd8723501

588d0b42e54174a98e1eca59945e8b32

58bc21d305a65c41745327f142f3ac12

59401c9a60449c742d073d93d1b7039a

59eec218522cc5c7743a0d37892a3345

59faf75430e9326d3ae9d231bb3ae8c6

5d0259ca16cfc2d7d1b0fac69f29ab05

5d55026fb84dba91ac01e2095504b1bc

5e35f50c692081fd6c7ddac1272e2d6c

5f4d5965af741bba59b7c8d3425f33dd

6010282004917ecf3900babf61456432

6088c2a04c94cdcd5a283a6d1622ffba

61dee38d2f97220efb1218ad8971e3ab

62ac194f2526eb45485526bca35c8f43

634296a023280d020674c873d0199760

635755dadfab8b92fb502aafb09122db

63fc58be0d7b48eaa34da7f752ae8ae6

6441640409815cfb4bf469e685e1bdb5

646973d1928c401ba80961c12cbf84a2

65eef0a0ee257254ef0418aa57192cfb

66f6a192083a7ab00ae8e0b5cc52e8f4

67a42e2e27ffc26d1f3d0ceb8384afd0

689385f1218e0d4c347595648ca6a776

692f91c0c5e9e93e0a24bd3392887ca1

69ecf52960c8bd9e746dfe9ee19c11f6

6e359f3bbc622e9b1ed36f6e3d521bcf

6e3650528f719fc50988a1f697644832

6ead0d5d3f87911c27f3ae0a75e6b5bc

6f1fa8b444caf0d8238f948279ca74e1

6fb8cdf567dd7d89d53b5771d769cb5f

706b6055658aff067ae370f23831ef6b

708140c311d3d69418f75c928e7535a0

719ec5da8f2153a436ee8567ff609894

7292ef4cdca529071fad97496e1c9439

74871691eac48156ce0da2cfa3ab401a

74cf24f2a66a31c88b6fcfe01f12160c

75e874d8e0a79697633b87ea5e798b1c

76c0d09fed2f33babb0de8ee2c07144c

77a01363fa2b29af25c004da9570e23c

78988c65e9b70e7929e747408d8f0b0e

79c6d12d168b85437384b20eb94e106b

7b4137b4e85f31a81bb5bafeda993947

7b9db1d58326c1fa276ba2a39bcc2617

7cbc7459db5327c26476549f225030f5

7cd727171c2522f51417edeeba4f1791

7e3630c67c802eabb67b108ad4d7ded7

802f5d34c230da40c0912a1c5a9b702b

80bd0f3610f6c4d60584a5be0b8a3016

819030799f0020ed724c2ef3ffaa56c6

8207129585da68066ed08e94216d76ee

821f649d08687e22f96cea99fbb5d3a3

830838cb0620d659405a74401cd72557

833d3201066f5184c874c73a2083c448

840f488b7c0a5d686d1e89908735f354

84301b967a4d9a242466c04901bad691

85c3fac6a9885362c448f434671e362f

883b9fe16e45c388968defc73a5fba7a

8a6b0ba3496eeca39d6d3f9bae830c90

8ad0fd4b78c89bd63b97343fda1eeccb

8b0ae9029974091df12210255aaecad6

8b297f8b219e968932293ee7a8242ca3

8bb1781e756a53cd00d9b2ec670fa21e

8d5515351afdf27b013f96a05bf45147

8fafa73e9985e05d0c1c964da770c567

905967b08bd44cfa60d969229921ac23

9188ef45ea917a91ec9b92b5dd8cd90d

918dfab0333ae15d61f14fd24b5eaaac

922a3272aad17c9eaad733696a4321da

9253399537fad8448f1d4732dd79f6fa

934a8a6528e91caa019acb76e791a71d

95588e0386206fa02912cfcaf18c1220

9610328cdaa4694800c2c93410f8ce82

9622902cc43f4a20d0d686a37e4d8232

96c41e4c4a1812187fb279b9299ad63b

984c4653a563b19c87f264611a6adc01

9980febfaf901d4113a1c473f79d7eb6

9a176d818edff838fc057cea3ee372c0

9ba21c5148913186a5bf877078cbc048

9cfda02ef7e04c469b77f8197a249c17

9d74d395bd2f72a47a5c980e6040df5a

9df128ebe0c82064aa746647883112c9

9e5613533972a9d42d2e3344a4e58566

9ec17429eed5446e3720796ab50d8c60

9f2438aaab4744c4b7b5b7287a783099

9f3bf94572344b36f6ef1689cb30c66e

9fdd7a85b3a4ef8ded73beb3e6218109

a1b732a9af792f75a68ed78d72ffb8f6

a260d836428cdb971bdf147ca6940160

a4f11b1eb659869a0ae70898a4a0e5ee

a596ebbcf438980c880d711315e4fdf1

a80b6a354b493264f37aa39d0d41b5fc

a89df6156eb5a2de196388d4a123b470

a96837fe533247abb7f88000d0216a50

a98cf0a359f430a00f4f3d522f5b6cc0

aa2fe3a253e169b05e1782ca57a688d2

aef0172a2c03f77912de0bbf14aee00f

af06c3e72f2f307515ba549174d8e5a6

b311ab82b30f41b12cb9089d00c4a1ff

b4f31423445b5f13675f205ac997f41f

b50666c9aed1c2f222c56b6e9b326d27

b53f179b3f25f72bb0c7ccf45bf8beee

b57f3e41c03803306b0ee2111f7ef823

b79434613820faf30d58f103c4415a29

b8366aaa5ed51c0dea3fc90ef7e14889

b8f6b0d234a305c25411e83fd430c624

b956ed2b848dabb4e79ab7358233861b

b9ecb08402df0f1f6e1ce76b8ad6e91f

ba4a616c8d4ab9358a82b321d8e618bf

bcd62f3e029f96f62c24d50d2d1402ac

bcf75736d176394f3df69f3e0ef7dd9f

be1f24457141d80206bc2e58f55dc879

c013f308d170aa2eca4a5b0f0bbd3ccb

c0a2fd066c955137036f92da2c3a3ff1

c17b3ec40ed5216e44311138aafaea2c

c262a39f49604f05a5656213f758cd46

c66f36eb180438882133717c3abb5157

c986c7bf720ce1463c3d628d2b3dad01

c9c16287cbbe5a037244e374ba84aecc

cbcd728a2350712b5747cd3447473deb

cbeeb123efe8cf7f842426b673415c28

ccb15eef4287c8efa472915bcb4ec458

ccdddb69e9344a039c4ac9c49a6f2d7b

cd1312be032256a10cf866af3e9afae9

ce0dd163d9e02bfd42d61024523cb134

ceef2e728db1b5ae15432f844eeb66e1

d12d98a0877f6e3c8b5a59f41cc4de9b

d131f17689f1f585e9bfdcdb72a626bb

d173076d97a0400a56c81089912b9218

d255291bb8e460626cb906ebacc670e5

d2cea317778ad6412c458a8a33b964fd

d3cfee76468a9556fd9d017c1c8ee028

d3d72f4c7038f7313ad0570e16c293bf

d485a1b5db2f97dc56500376d677aa89

d662d20507bebc37b99a4d413afa2752

d711d577b9943ab4e2f8a2e06bb963e3

d92e87d2689957765987e2be732d728e

d966c6c822122e96f6e9f5f1d4778391

daee31d7cc6e08ead6afad2175989e1d

dbb293176747fa1c2e03cbc09433f236

dc26ef761c7ec40591b1fe6e561b521d

dc9e6edeb7557bc80be68be15cebb77a

dddfbae77336120febd5ad690af3e341

e1f579227327ebb21cde3f9e7511db01

e3c642432a815a07f035e01308aaa8fc

e54329351788661f2a8d4677a759fc42

e82b7ad2c05f4617efbc86a78c1e61e9

e99cffa2afa064625f09e1c5aca8f961

ea6bd3db104ca210b5ad947d46134aaf

eb277d809a59d39d02605c0edd9333e9

ed82a50d98700179c8ae70429457477a

ef35374f4146b3532f0902d6f7f0ef8c

ef4c4d79f02ac404f47513d3a73e20c7

f05a5a60ad6f92d6f28fa4f13ded952f

f0776dfe17867709fdb0e0183ed71698

f20fbfd508e24d50522eadf0186b03eb

f3d751b0585855077b46dfce226cfea1

f4dd9bb28d680a3368136fb3755e7ea9

f804388f302af1f999e4664543c885a1

f8bcc8f99a3afde66d7f5afb5d8f1b43

f8d6f89aecf792e844e72015c9f27c95

f967460f8c6de1cedb180c90c98bfe98

f9d5cc0cbae77ea1a371131f62662b6b

fa4f1a3b215888bc5f19b9f91ba37519

fdff2bf247a7dad40bac228853d5a661

fe6e7fac4f0b4f25d215e28ca8a22957

fe9de1cdd645971c5d15ee1873c3ff8d

febba89b4b9a9649b3a3bf41c4c7d853

NCSC-NO observed the following user agents communicating with Exchange (OWA and EWS):

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

NCSC-NO observed the following user agents communicating with Exchange webshell:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

Mozilla/5.0 (Linux; Android 7.0; Moto C Build/NRD90M.059) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.02272.101 Safari/537.36

Mozilla/5.0 (Linux; Android 5.1.1; SAMSUNG SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, Like Gecko) SamsungBrowser/6.4 Chrome/56.0.2924.87 Mobile Safari/537.36

Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.45 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1

NCSC-NO observed the following user agents communicating with Exchange Autodiscover:

ExchangeServicesClient/15.00.0913.015

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/114.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.0.0

NCSC-NO observed the following user agents communicating with EWS (/ews/Exchange.asmx):

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 Edg/103.0.1264.49

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

NCSC-NO observed the following user agent communicating with Exchange (/powershell):

Windows WinRM Client

Source…

Preventing Web Application Access Control Abuse

July 28, 2023/in Alerts

SUMMARY

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.

These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.

ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce prevalence of IDOR flaws and protect sensitive data in their systems.

Vendors, designers, and developers of web application frameworks and web applications: Implement secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.
- Use automated tools for code review to identify and remediate IDOR and other vulnerabilities.
- Use indirect reference maps, ensuring that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a universally unique identifier (UUID) or a globally unique identifier (GUID).
- Exercise due diligence when selecting third-party libraries or frameworks to incorporate into your application and keep all third-party frameworks and dependencies up to date.
All end-user organizations, including organizations with software-as-a-service (SaaS) models:
- Use due diligence when selecting web applications. Follow best practices for supply chain risk management and only source from reputable vendors.
- Apply software patches for web applications as soon as possible.
End-user organizations deploying on-premises software, infrastructure-as-a-service (IaaS), or private cloud models:
- Review the available authentication and authorization checks in web applications that enable modification of data, deletion of data, or access to sensitive data.
- Conduct regular, proactive vulnerability scanning and penetration testing to help ensure internet-facing web applications and network boundaries are secure.

Download the PDF version of this report:

TECHNICAL DETAILS

Description

IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile phone applications [apps] using affected web API) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or access functions.

Horizontal IDOR vulnerabilities occur when a user can access data that they should not be able to access at the same privilege level (e.g., other user’s data).
Vertical IDOR vulnerabilities occur when a user can access data that they should not be able to access because the data requires a higher privilege level.
Object-level IDOR vulnerabilities occur when a user can modify or delete an object that they should not be able to modify or delete.
Function-level IDOR vulnerabilities occur when a user can access a function or action that they should not be able to access.

Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier.

In body manipulation, an actor modifies the HTML form field data in the body of a POST request to impact targeted records.
In URL tampering, an actor modifies an identifier in URLs to impact targeted records.
In cookie ID manipulation, the actor modifies an identifier in a cookie to an identifier of a different user (including administrative users) in an attempt to gain access to that account.
In HTTP/JSON request tampering, an actor uses a web proxy to intercept and alter arbitrary portions of legitimate requests, including values inside JSON objects.

Impact

These vulnerabilities are common[1] and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks (where information is unintentionally exposed) or large-scale data breaches (where a malicious actor obtains exposed sensitive information). Data leaks or breaches facilitated by IDOR vulnerabilities include:

An October 2021 global data leak incident where mobile phone data, including text messages, call records, photos, and geolocation from hundreds of thousands of devices was exposed by insecure “stalkerware” apps.[2] The apps collected and relayed data from the phones to the same foreign server infrastructure, which contained an IDOR vulnerability, CVE-2022-0732.[3] This led to exposure of the collected app data.[4]
A 2019 data breach incident where more than 800 million personal financial files, including bank statements, bank account numbers, and mortgage payment documents, from a U.S. Financial Services Sector organization were exposed.[5],[6]
A 2012 data breach incident where a malicious cyber actor obtained the personal data of more than 100,000 mobile device owners from a U.S. Communications Sector organization’s publicly accessible website.[7]

MITIGATIONS

Vendors and Developers

ACSC, CISA, and NSA recommend that vendors, designers, and implementors of web applications—including organizations that build and deploy software (such as HR tools) for their internal use and organizations that create open-source projects—implement the following mitigations. These mitigations may reduce prevalence of IDOR vulnerabilities in software and help ensure products are secure-by-design and -default.

Implement and inject secure-by-design and -default principles and best practices into each stage of the software development life cycle (SDLC). Particular recommended practices are defined in the National Institute of Security and Technology’s (NIST’s) Secure Software Development Framework (SSDF), SP 800-218. Lend special attention to:
- Conducting code reviews [SSDF PW 7.2, RV 1.2] against peer coding standards, checking for backdoors, malicious content, or logic flaws.
  - ACSC, CISA, and NSA recommend using automated code analysis tools for all supported releases to identify and remediate vulnerabilities.
- Following secure coding practices [SSDF PW 5.1] for web and mobile applications to ensure that they properly validate user input and generate strong user IDs.
  - Use indirect reference maps, such that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a UUID or a GUID. Note: UUIDs and GUIDs should not be used for security capabilities. See Request for Comment (RFC) 4122 for more information.
  - Configure applications to deny access by default and ensure the application performs authentication and authorization checks for every request to modify data, delete data, and access sensitive data. For example:
    - Normalize requests. There are many ways to encode and decode web inputs. Decode and normalize inputs before creating access control checkpoints. Ensure the access control system and other parts of the web application perform the same normalization.
    - Implement parameter verification leveraging syntactic and logical validation, such that web applications validate all inputs received with every HTTP/S request. Denying invalid requests can reduce the burden on the access control system.
      - Syntactic validation verifies that for each input the incoming value meets your applications’ expectations. When doing syntactic validation, verify that strings are within the minimum and maximum length required, strings do not contain unacceptable characters, numeric values are within the minimum and maximum boundaries, and the input is of the proper data type.
      - Logical validation adds checks to see if the input values make sense and are consistent with design intent. When doing logical validation, verify authorization checks are performed in the correct locations, are of varying pedigree, and that there is error handling of failed authentication and authorization requests.
  - Use CAPTCHA to limit automated invalid user requests where feasible.
  - Use memory-safe programming languages where possible.
- Testing code to identify vulnerabilities and verify compliance with security requirements [SSDF PW 8.2].
- Use automated testing tools to facilitate testing, fuzz testing tools to find issues with input handling,[8] and penetration testing to simulate how a threat actor may exploit the software. Consider using dynamic application security testing (DAST) tools to identify IDOR vulnerabilities in web applications.
- Conducting role-based training [SSDF PO 2.2] for personnel responsible for secure software development.
- Exercising due diligence when selecting third-party libraries or frameworks to incorporate into your application [SSDF PW 4.1].
  - Review and evaluate third-party components in the context of their expected use.
  - Verify the integrity of the product through hash or signature verification.
  - If provided, review component’s Software Bill of Materials (SBOM) for outdated, vulnerable, or unauthorized applications before using it.
  - Keep all third-party frameworks and dependencies up to date to limit vulnerability inheritance. Note: Organizations should maintain an inventory or catalog of third-party frameworks and dependencies to assist with proactive updates. Consider using tools to identify project dependencies and known vulnerabilities in third-party code. See OWASP’s Top Ten Proactive Controls 2018, C2: Leverage Security Frameworks and Libraries, for more information.
    For more information, see the joint Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Developers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.
Establish a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization.

Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices in production and enterprise environments. Software developers are high-value targets because their customers deploy software on their own trusted networks. For best practices, see:

ACSC’s Essential Eight. The Essential Eight are prioritized strategies to help cybersecurity professionals mitigate cybersecurity incidents caused by various cyber threats.
CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and NIST, are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures. Because the CPGs are a subset of best practices, ACSC, CISA, and NSA also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
NSA’s Top Ten Cybersecurity Mitigations. The Top Ten sets priorities for enterprise activities to counter a broad range of exploitation techniques and minimize mission impact.

All End-User Organizations

ACSC, CISA, and NSA recommend that all end-user organizations, including those with on-premises software, SaaS, IaaS, and private cloud models, implement the mitigations below to improve their cybersecurity posture.

Exercise due diligence when selecting web applications. Follow best practices for supply chain risk management and source from reputable vendors that demonstrate commitment to secure-by-design and -default principles.
Apply software patches for web applications as soon as possible.
Configure the application to log and generate alerts from tamper attempts—with this information, network defenders can investigate and take appropriate follow-on actions.
- Establish a baseline to efficiently identify abnormal behavior. Note: Web application error codes such as HTTP 404 and HTTP 403 are associated with common enumeration techniques.
- Aggregate logs into a centralized solution (e.g., a security information and event management [SIEM] tool) to facilitate active monitoring and threat hunting.
Create, maintain, and exercise a basic cyber incident response plan (IRP) and associated communications plan. Plans should include response and notification procedures for data breach and cyber incidents. For more information, see:

Additionally, ACSC, CISA, and NSA recommend following cybersecurity practices. For best practices, see ACSC’s Essential Eight, CISA’s CPGs, and NSA’s Top Ten Cybersecurity Mitigation Strategies.

End-User Organizations with On-Premises Software, IaaS, or Private Cloud Models

ACSC, CISA, and NSA recommend that organizations:

Conduct regular, proactive penetration testing to ensure network boundaries, as well as web applications, are secure. Prioritize web applications that are internet-facing and contain user login functionality. Such testing may be beyond the technical or financial capabilities of some organizations. Consider using a trusted third party for penetration testing to discover new attack vectors (notably prior to deployment of new or altered internet-facing services). Note: Organizations should consult with their legal counsel as appropriate to determine which systems and applications can be included in the scope of the penetration testing.
- Use web application penetration testing tools to capture the user identifier sent to the web server when requesting a web page containing sensitive data and map all locations where user input is used to reference objects directly. Test with users of various privilege levels (e.g., a normal user and admin user).
Use DAST and other vulnerability scanners to detect IDOR vulnerabilities. DAST tools identify vulnerabilities in web applications with penetration tests and generate automated alerts. Note: Exercise due diligence when selecting DAST tools. Not all DAST tools can detect IDOR vulnerabilities—tools with the ability may need the environment configured in a specific way and may also need custom rules in place. Sufficient DAST tools often ingest the application API documentation to build a model of the application. While these tools can be used to detect IDOR vulnerabilities, they are not foolproof and should be used with other security testing methods to ensure comprehensive coverage.
Immediately report detected vulnerabilities to the vendor or developer. Alternatively (or if the vendor or developer fails to respond), report the vulnerability to CISA at cisa.gov/report.
Consider establishing a vulnerability disclosure program to verify, resolve, and report security vulnerabilities disclosed by people who may be internal or external to the organization.
Use a web application firewall (WAF) to filter, monitor, and block malicious HTTP/S traffic traveling to the web application.
Use a data loss prevention (DLP) tool to prevent unauthorized data from leaving the application.

ACSC, CISA, and NSA recommend that organizations with on-premises software or IaaS consider using SaaS models for their internet-facing websites.

End-User Organizations with SaaS Models

Organizations leveraging SaaS with sufficient resources may consider conducting penetration testing and using vulnerability scanners. However, such tests may interfere with service provider operations. Organizations should consult with their legal counsel as appropriate to determine what can be included in the scope of the penetration testing.

INCIDENT RESPONSE

If you or your organization are victim to a data breach or cyber incident, follow relevant cyber incident response and communications plans, as appropriate.

Australia: Australian organizations that have been impacted or require assistance in regards to a cybersecurity incident can contact ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
United States: U.S. organizations may report cybersecurity incidents to CISA’s 24/7 Operations Center at [email protected], cisa.gov/report, or (888) 282-0870. When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

RESOURCES

REFERENCES

[1] A01 Broken Access Control – OWASP Top 10:2021

[2] A massive ‘stalkerware’ leak puts the phone data of thousands at risk

[3] Mobile device monitoring services do not authenticate API requests

[4] Behind the stalkerware network spilling the private phone data of hundreds of thousands

[5] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

[6] Biggest Data Breaches in US History [Updated 2023]

[7] AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison

[8] Fuzzing | OWASP Foundation

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. ACSC, CISA, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States or Australian Governments, and this guidance shall not be used for advertising or product endorsement purposes.

PURPOSE

This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Source…

Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

July 21, 2023/in Alerts

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.

The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.

This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix.

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

In July 2023, a critical infrastructure organization reported to CISA that threat actors may have exploited a zero-day vulnerability in NetScaler ADC to implant a webshell on their non-production NetScaler ADC appliance. Citrix confirmed that the actors exploited a zero-day vulnerability: CVE-2023-3519. Citrix released a patch on July 18, 2023.[1]

CVE-2023-3519

CVE-2023-3519 is an unauthenticated RCE vulnerability affecting the following versions of NetScaler ADC and NetScaler Gateway:[1]

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC and NetScaler Gateway version 12.1, now end of life
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-65.36
NetScaler ADC 12.1-NDcPP before 12.65.36

The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server for exploitation.[1]

CISA added CVE-2023-3519 to its Known Exploited Vulnerabilities Catalog on July 19, 2023.

Threat Actor Activity

As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [T1046].

The actors used the webshell for AD enumeration [T1016] and to exfiltrate AD data [TA0010]. Specifically, the actors:

Viewed NetScaler configuration files /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf [T1005]. Note: These configuration files contain an encrypted password that can be decrypted by the key stored on the ADC appliance [T1552.001].
Viewed the NetScaler decryption keys (to decrypt the AD credential from the configuration file) [T1552.004].
Used the decrypted AD credential to query the AD via ldapsearch. The actors queried for:
- Users (objectClass=user) (objectcategory=person) [T1033]
- Computers (objectClass=computer) [T1018]
- Groups (objectClass=group) [T1069.002]
- Subnets (objectClass=subnet)
- Organizational Units (objectClass=organizationalUnit)
- Contacts (objectClass=contact)
- Partitions (objectClass=partition)
- Trusts (objectClass=trustedDomain) [T1482]
Used the following command to encrypt discovery data collected via openssl in “tar ball” [T1560.001]: tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz. (A “tar ball” is a compressed and zipped file used by threat actors for collection and exfiltration.)
Exfiltrated collected data by uploading as an image file [T1036.008] to a web-accessible path [T1074]: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.

The actors’ other discovery activities were unsuccessful due to the critical infrastructure organization’s deployment of their NetScaler ADC appliance in a segmented environment. The actors attempted to:

Execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets.
Verified outbound network connectivity with a ping command (ping -c 1 google.com) [T1016.001].
Executed host commands for a subnet-wide DNS lookup.

The actors also attempted to delete their artifacts [TA0005]. The actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI) [T1531]. To regain access to the ADC appliance, the organization would normally reboot into single use mode, which may have deleted artifacts from the device; however, the victim had an SSH key readily available that allowed them into the appliance without rebooting it.

The actors’ post-exploitation lateral movement attempts were also blocked by network-segmentation controls. The actors implanted a second webshell on the victim that they later removed. This was likely a PHP shell with proxying capability. The actors likely used this to attempt proxying SMB traffic to the DC [T1090.001] (the victim observed SMB connections where the actors attempted to use the previously decrypted AD credential to authenticate with the DC from the ADC via a virtual machine). Firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked this activity.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1–Table 9 for all referenced threat actor tactics and techniques in this advisory.

*Table 1: Cyber Threat Actors ATT&CK Techniques for Initial Access*
Technique Title	ID	Use
Exploit Public-Facing Application	T1190	The threat actors exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.

*Table 2: Cyber Threat Actors ATT&CK Techniques for Persistence*
Technique Title	ID	Use
Server Software Component: Web Shell	T1505.003	The threat actors implanted a generic webshell on the organization’s NetScaler ADC appliance.

*Table 3: Cyber Threat Actors ATT&CK Techniques for Privilege Escalation*
Technique Title	ID	Use
Abuse Elevation Control Mechanism: Setuid and Setgid	T1548.001	As part of their initial exploit chain uploaded a TGZ file contain a `setuid` binary on the ADC appliance.

Table 4: Cyber Threat Actors ATT&CK Techniques for Defense Evasion
Technique Title	ID	Use
Masquerading: Masquerade File Type	T1036.008	The threat actors exfiltrated data by uploading it as an image file to a web-accessible path.

Table 5: Cyber Threat Actors ATT&CK Techniques for Credential Access
Technique Title	ID	Use
Unsecured Credentials: Credentials In Files	T1552.001	The threat actors obtained encrypted passwords from NetScaler ADC configuration files, and the decryption key was stored on the ADC appliance.
Unsecured Credentials: Private Keys	T1552.004	The threat actors obtained decryption keys to decrypt the AD credential obtained from the NetScaler ADC configuration files.

*Table 6: Cyber Threat Actors ATT&CK Techniques for Discovery*
Technique Title	ID	Use
Domain Trust Discovery	T1482	The threat actors queried the AD for trusts.
Permission Groups Discovery: Domain Groups	T1069.002	The threat actors quired the AD for groups.
Remote System Discovery	T1018	The threat actors queried the AD for computers. The threat actors attempted to execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets. Network-segmentation controls prevented this activity.
System Network Configuration Discovery	T1016	The actors used a webshell for AD enumeration.
System Network Configuration Discovery: Internet Connection Discovery	T1016.001	The threat actors attempted to verify outbound network connectivity with a ping command and executed host commands for a subnet-wide DNS lookup. Network-segmentation controls prevented this activity.
Network Service Discovery	T1046	The threat actors conducted SMB scanning on the organization’s subnet.
Account Discovery: Domain Account	T1087.002	The threat actors queried the AD for users.

*Table 7: Cyber Threat Actors ATT&CK Techniques for Collection*
Technique Title	ID	Use
Archive Collected Data: Archive via Utility	T1560.001	The threat actors encrypted discovery data collected via openssl in “tar ball.”
Data from Local System	T1005	The threat actors viewed NetScaler ADC configuration files `flash/nsconfig/keys/updated/*` and `/nsconfig/ns.conf`.
Data Staged	T1074	The threat actors uploaded data as an image file to a web-accessible path: `cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png`.

*Table 8: Cyber Threat Actors ATT&CK Techniques for Command and Control*
Technique Title	ID	Use
Ingress Tool Transfer	T1105	The threat actors exploited CVE-2023-3519 to upload a TGZ file containing a generic webshell, discovery script, and setuid binary on the ADC appliance.
Proxy: Internal Proxy	T1090.001	The actors likely used a PHP shell with proxying capability to attempt proxying SMB traffic to the DC (the traffic was blocked by a firewall and account restrictions).

*Table 9: Cyber Threat Actors ATT&CK Techniques for Impact*
Technique Title	ID	Use
Account Access Removal	T1531	The threat actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users from logging in remotely (e.g., CLI).

DETECTION METHODS

Run the following victim-created checks on the ADC shell interface to check for signs of compromise:

Check for files newer than the last installation.
Modify the -newermt parameter with the date that corresponds to your last installation:
- find /netscaler/ns_gui/ -type f -name *.php -newermt [YYYYMMDD] -exec ls -l {} \;
- find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
- find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
- find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
Check http error logs for abnormalities that may be from initial exploit:
- grep '\.sh' /var/log/httperror.log*
- grep '\.php' /var/log/httperror.log*
Check shell logs for unusual post-ex commands, for example:
- grep '/flash/nsconfig/keys' /var/log/sh.log*
Look for setuid binaries dropped:
- find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt [YYYYMMDD] -exec ls -l {} \;
Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
Review DNS logs for unexpected spike in internal network computer name lookup originating from the ADC (this may indicate the threat actor resolving host post-AD enumeration of computer objects).
Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
Review number of connections/sessions from NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
Pay attention to larger outbound transfers from the ADC over a short period of session time as it can be indicative of data exfiltration.
Review AD logs for logon activities originating from the ADC IP with the account configured for AD connection.
If logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.”
Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below):
- database.php
- ns_gui/vpn
- /flash/nsconfig/keys/updated
- LDAPTLS_REQCERT
- ldapsearch
- openssl + salt
Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources.

INCIDENT RESPONSE

If compromise is detected, organizations should:

Quarantine or take offline potentially affected hosts.
Reimage compromised hosts.
Provision new account credentials.
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
Report the compromise to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

MITIGATIONS

CISA recommends all organizations:

Install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible. See Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 for patch information.
Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and for all services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of information technology (IT) and operational technology (OT) security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and ACSC also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
As a longer-term effort, apply robust network-segmentation controls on NetScaler appliances, and other internet-facing devices.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Table 1–Table 9).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] Citrix Security Bulletin CTX561482: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Source…