Behind the Scenes of the Adversary Exploit Process
June 3, 2020 • The Recorded Future Team
Vulnerability and patch management teams are continuously faced with the challenge of keeping up with countless patch updates without knowing which vulnerabilities are actually being exploited by threat actors. In fact, in 2019, there were over 12,000 vulnerabilities reported and classified through CVE, and the U.S. government and the National Vulnerability Database (NVD) have scored over 1,000 of those 12,000 vulnerabilities with a CVSS score of nine or higher, and deemed them “critical” to patch. The missing link for security teams is the overlap between the vulnerabilities in the systems being used and the ones that are actively being exploited by threat actors. This information can help security teams prioritize resources to make informed, data-driven decisions on threats.
In exploring the exploit development process that threat actors follow to infiltrate an organization, research conducted by Recorded Future’s Insikt Group determined that older vulnerabilities, often with easily accessible exploits or tutorials, remain popular among less sophisticated threat actors, as well as red teams and penetration testers. Below is a look at threat actors’ operations to better understand and thereby inform security teams’ patching and defensive posturing.
The use of an exploit facilitates a threat actor’s ability to gain access, collect information from, or otherwise exploit a victim system. However, to use an exploit, a threat actor must first identify the need an exploit should serve. Often, criminal threat actors will learn about vulnerabilities when the general public does, through news reporting or a company’s announcement of a patch.
For example, Recorded Future research uncovered that the most commonly exploited vulnerabilities are found in the most popular products, such as those made by Microsoft. And the more ubiquitous a software or operating system, the more interest will be garnered in a published or patched vulnerability. In the same research, Insikt Group found that vulnerability announcements from Microsoft and Google are the most discussed on underground communities since the start of 2019.
Finding the Weakness
After determining where a vulnerability exists, threat actors then need to find or create an exploit to take advantage of that vulnerability. The process of identifying vulnerabilities in software can require both automated and manual techniques to identify deficiencies such as privilege escalations, memory safety issues, or input validation bugs that, if exploited, can grant attackers permissions.
One automated technique that can be employed is fuzzing, in which input to a software program is randomly altered to see whether a crash can be produced (dumb fuzzing), or targeted input based on the protocol or software under assessment (smart fuzzing) is created to induce the same behavior. A manual technique, reverse engineering, can be employed by a human to look for potential bugs within the software or to possibly exploit a bug identified in an automated way.
Once a vulnerability is deemed to be of interest, a threat actor must then identify the exploitable aspect of the code by comparing the patched software and the previously vulnerable version. The differences can reveal the exploitable aspect of the code by identifying the location and contents of a patch.
Develop Usable Code
Once the weakness is found, further reverse engineering is required to understand how code can be weaponized and to exploit the software as part of a proof of concept prior to production. A threat actor may develop their own exploit code or incorporate published proof-of-concept code, but both must be further weaponized through incorporation into a utility or tool to facilitate the desired malicious activity. Developing their own tooling, no matter how patchwork, becomes essential for them to weaponize the vulnerability.
Productizing a vulnerability into an exploit is a consistent cost-benefit analysis that a threat actor calculates. To present a valuable target for exploitation, a vulnerability must first allow an actor to accomplish a specific goal. A few examples of an attacker’s goals for which a vulnerability might be required include elevating permissions on a victim’s system, gaining access to data within the system, gaining access to credentials, evading defenses on a system, or performing a specific action, such as remotely executing code.
After developing code that makes use of a vulnerability for exploitation, actors must then test their code to ensure it has the correct functionality, as well as evaluate the code’s ability to evade detections.
If an actor doesn’t have access to a sandbox to test their exploit, they may rely on external parties to show that the file can evade antivirus software, or run successfully. While experienced actors advise against checking popular multi-scanning services in favor of no-distribute sites, some may still test their malware in VirusTotal. Recorded Future’s underground forum collections showed that for the past three months, over 400 unique VirusTotal URLs were shared among forum members, implying that this method can be used to show proof of exploitation, or proof of evasion.
Recorded Future’s study to identify the most tested exploits and the adversary exploit process showed that older exploits will continue to be used in near-future intrusion attempts. Documenting the activity of these groups can inform the thinking of threat intelligence teams or vulnerability management teams that are just beginning to introduce security intelligence into their processes. Using the readily available data on these commonly used vulnerabilities and threats gives security teams the opportunity to introduce automation into their workflows to prevent intrusions, allowing them to shift their focus to emerging or less well-known threats.
For more information on the adversary exploit process used by threat actors to identify, test, and weaponize exploits, the most commonly exploited vulnerabilities, and recommended actions for security teams, check out the full report by Recorded Future’s Insikt Group, “Deconstructing the Adversary Exploit Process.”