Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021

International cybersecurity agencies issue a joint alert outlining the top malware strains of 2021. We identified vulnerabilities associated with these strains.

Background

On August 4, the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) released a joint cybersecurity advisory regarding the top malware strains observed being exploited throughout 2021. According to this advisory, most of these top strains have been seen in use for over five years, through different variations and evolutions.

While malware is used for a variety of purposes, the government agencies point out that ransomware is a primary use case.

Analysis

Malware is most commonly distributed in phishing messages or malicious documents and websites; it often still relies on unpatched vulnerabilities to gain elevated privileges, move throughout target environments and execute code. We have analyzed reports on the malware strains to identify any vulnerabilities associated with them. This doesn’t represent an exhaustive list of vulnerabilities exploited by malware, but it is a helpful starting point for organizations to cut off attack paths for these most prevalent strains.

Based on this list, we have identified a few key themes regarding the vulnerabilities used in malware.

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 4 and reflects VPR at that time.

Source: Tenable Research, August 2022

Notably, 14 of the 17 vulnerabilities identified are in Microsoft products. Nine of the flaws are code execution vulnerabilities and five are memory corruption. It is interesting to see that there is only one elevation of privilege flaw, given that vulnerability type’s utility to other threat actors.

CVE-2017-11882, a memory corruption remote code execution flaw in Microsoft Office, is an interesting case. From what we have seen, it is widely exploited by malware, including six of the 11 strains listed in this advisory and Emotet. In 2019, CVE-2017-11882 was identified as the most common delivery method for spreading malware by Cofense. It was also identified as a routinely exploited vulnerability in both 2020 and 2021 according to several government cybersecurity agencies.

We routinely see CVE-2017-11882 being used by various malware strains, including Trickbot and Qakbot, which are both first-stage malware components that download secondary and tertiary malware, which may include a variety of ransomware. Ultimately, vulnerabilities like CVE-2017-11882, CVE-2017-0199 and CVE-2021-40444 are just vehicles for threat actors to gain initial access into a targeted network.

Vulnerabilities used by ransomware affiliates and IABs

Several vulnerabilities connected to the joint alert have been utilized by key players in the ransomware ecosystem, including Initial Access Brokers (IABs) and ransomware affiliates. The flaws have also been used as part of first stage malware components to deploy ransomware.

The LockBit ransomware group and its affiliates have been seen using CVE-2020-0787, an elevation of privilege vulnerability in the Microsoft Windows Background Intelligent Transfer Service. CVE-2021-34527, an elevation of privilege vulnerability in the Windows Print Spooler service, referred to as PrintNightmare, has been utilized by several ransomware groups including Vice Society, Conti, Magniber and Black Basta. Elevation of privilege vulnerabilities are valuable tools as part of post-compromise activity, once an attacker has gained access to a vulnerable system with limited privileges.

CVE-2021-40444, a remote code execution vulnerability in Microsoft MSHTML, was used by EXOTIC LILY, an IAB that worked directly with the Conti ransomware group. IABs specialize in gaining initial access to an organization and selling access to a variety of threat actors, including ransomware affiliates or in rare instances, partnering directly with ransomware groups like Conti. We dive into the various players in our Ransomware Ecosystem report, which includes a broader list of known vulnerabilities leveraged by IABs, affiliates and ransomware groups.

Adoption of CVE-2022-30190, aka Follina

The majority of the vulnerabilities identified are at least two years old, which tracks with the “if it isn’t broken, don’t fix it” approach most attackers take in their toolsets. If seven-year-old vulnerabilities are still working, why would they adopt new ones?

One vulnerability that busts this trend is CVE-2022-30190, aka “Follina,” a zero day publicly disclosed in May of this year based on attacks in April. Its speedy adoption into malware (Qakbot and Remco specifically) shows the confounding nature of threat actors. They will rely on old faithful vulnerabilities like CVE-2017-11882, but they’ll also bring new flaws into their repertoire, especially when there is publicly available proof-of-concept code.

Top malware use top exploited vulnerabilities of 2021

In April, CISA, the National Security Agency, Federal Bureau of Investigation, ACSC, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre, and United Kingdom’s National Cyber Security Centre released an advisory listing the top routinely exploited vulnerabilities of 2021. The report highlighted 36 vulnerabilities frequently exploited by threat actors; four of those are also represented in malware associated with this latest advisory — two of them were released after the relevant timeframe.

Two of the vulnerabilities that appear on both lists, CVE-2021-34527 (PrintNightmare) and CVE-2021-40444, were also among the top five vulnerabilities of 2021 in Tenable’s Threat Landscape Retrospective. We have seen sustained exploitation of these flaws by diverse threat actors since their disclosure. The continued exploitation is troubling evidence that organizations are leaving these flaws unremediated, which is particularly concerning considering how many Print Spooler flaws Microsoft has patched in the intervening year since PrintNightmare.

When making prioritization decisions, it’s always valuable to consider multiple data points. While the majority of the vulnerabilities associated with this malware advisory may not have been the top exploited flaws in 2021, remediating them is still an important step to reducing risk. It’s about cutting down known paths of exploitation.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear for the vulnerabilities referenced in this post.

Get more information

Joint Cybersecurity Advisory A22-216A
AA22-117A: 2021 Top Routinely Exploited Vulnerabilities
Tenable’s Ransomware Ecosystem report

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

The standard is designed to provide buyers of application security assessment services with high levels of assurance

Read More

The US was the main target of attackers, followed by Switzerland, India, Japan and the UK

Read More

Cybersecurity vendor Deep Instinct has announced the launch of Deep Instinct Prevention for Applications, a new antimalware software product that detects and stops malicious files in transit.

Prevention for Applications is deployed via a container within a customer’s environment and does not require cloud access, with device and system agnostic flexibility that allows it to be implemented to protect any application. It advances threat protection beyond the endpoint with in-transit file scanning via API.

Karen Crowley, Director of Product Solutions at Deep Instinct, tells CSO that PDF and Office files remain a large attack target as they are so widely used. “PDF documents can contain text, images, and codes that can be weaponized with hidden scripts that won’t be detected and endanger the organization,” she says. “These files could open a backdoor and allow cybercriminals to access devices and then pivot to other areas of the network.”

To read this article in full, please click here

Read More

Whether big or small, you can’t afford to take a passive approach to ransomware. You need to shift to active ransomware defense.

Read More

SIKE is one of the new algorithms that NIST recently added to the post-quantum cryptography competition.

It was just broken, really badly.

We present an efficient key recovery attack on the Supersingular Isogeny Diffie­-Hellman protocol (SIDH), based on a “glue-and-split” theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently ran by NIST, in about one hour on a single core.

News article.

Read More

Pornhub has a problem, the UK’s Co-op supermarket is accused of big brother tactics, and we take a look at how a security researcher is revealing the true identify of hackers.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Read More

Thousands of hot wallets drained in latest crypto blow

Read More

This blog was jointly written with Kumar Ramachandran, Senior Vice President, Palo Alto Networks

Most people can recall a time when computers were pieces of equipment that remained in a fixed location. Because of this, security was less of an issue outside of an organization’s own walls.

That all changed when laptop computers and mobile devices ushered in the era of the mobile workforce. By the early 2000s, more companies started relying on remote access technology to enable users to work while traveling or from home.  Employees or contractors could connect with applications hosted at the data center, and communications were encrypted to prevent man-in-the-middle attacks.

Over time, applications started migrating out of the data center and into the cloud. Businesses began to recognize the benefits of offering a “work from anywhere” model and the potential cost savings of supporting a “bring your own device” (BYOD) program. These trends highlighted the limitations of legacy remote access infrastructure from both a user experience, as well as a security standpoint.  It was never designed to support so many concurrent users, so the increased load led to considerable latency. Once connected to the network, users had access to an entire network segment, typically far more than needed to complete job duties. Premises-based security, such as firewalls, could be bypassed by working off-network.

Zero Trust network access (ZTNA) was designed to overcome these shortcomings by enabling administrators to grant consistent, high-performance access to specific applications by role or by user. Cloud-destined traffic would no longer have to be hair-pinned to the data center. The technology follows the user, wherever they conduct business, regardless of whether they connect to the network. While this is surely an improvement over legacy remote access technology, more is needed to truly align it with the core principles of the Zero Trust framework.

Introducing ZTNA 2.0: Security designed for today’s highly-distributed business environment 

According to a 2022 AT&T Cybersecurity Insights Report, 94% of survey respondents say they are currently on a Zero Trust journey, which includes research, implementation and completion. The ultimate goal of ZTNA 2.0 is to enforce an access control policy that eliminates implicit trust and continuously validates every stage of a digital interaction with all network connections, whether hosted on-premises or in the cloud. 

When evaluating ZTNA solutions, businesses should ask the following questions to ensure that they are obtaining a solution that offers superior user experience and protection:

Does this technology truly enforce the principle of least privilege access? ZTNA 2.0 moves beyond validating users based on network constructs, such as IP address, fully qualified domain name, or port number. It instead identifies applications at layer 7, the layer where users communicate with other computers and networks, enabling precise access control at the application and sub-application levels.
Is trust continuously verified? Many ZTNA solutions validate that a user has permission to access an application, connect them, and stop there. Unfortunately, insider threats represent a significant risk to organizations. Furthermore, if a device is lost, stolen or being used by a family member, unauthorized users may gain access to sensitive information. With ZTNA 2.0, trust is continuously verified based on changes in device posture, user behavior and application behavior.
Is traffic continuously inspected for threats? ZTNA was originally designed as solely an access control mechanism, with no ability to detect or prevent malware, which can be encountered while interacting with email, websites or collaboration applications after gaining access to the network. ZTNA 2.0 provides deep and ongoing inspection of all traffic, even for allowed connections, to prevent all threats including those previously unknown (zero-day).
Do I gain visibility into where my data is stored? If you don’t know where your data is being stored, there is no possibility of defending it against unauthorized access or loss. In a ZTNA 2.0 environment, organizations gain consistent control of data across all applications used in the enterprise, including private applications and SaaS, through a single data-loss prevention policy.
Are all of my applications secured? Some ZTNA solutions only address a subset of private applications that use static ports, which creates vulnerabilities for cloud-native/SaaS applications and those that use dynamic ports like voice and video applications. ZTNA 2.0 safeguards all applications used across the enterprise, including modern cloud-native applications, legacy-private applications and SaaS applications. 

Zero Trust with AT&T — for a better today and tomorrow

In the years ahead, security will become even more important as more Internet of Things (IoT) devices come online, and hybrid or remote workforces become entrenched in corporate cultures. Both cloud and IoT networks are more dynamic than other networks and often have shared tenancy. This is where ZTNA 2.0 becomes imperative. Standard, legacy security measures are not compatible with today’s fast-changing networking environment. ZTNA 2.0 brings network security in line with current technology trends.

Zero Trust with AT&T and Palo Alto Networks helps protect organizations of all sizes while allowing for more streamlined connectivity and productivity in today’s distributed work environment. Adopting best-in-class security and protecting against threats reduces the risk of data breaches and enhances user productivity, with an optimal work-from-anywhere experience.

By adopting ZTNA 2.0, organizations are also helping position themselves for whatever comes next.

Read More