The Dynamic Opportunistic Attacker Landscape
March 17, 2020
In today’s guest post, Bob Rudis from Rapid7 reminds us that emerging threats are now more likely than ever to turn into extended exploit campaigns.
We can use both passive and active data to paint interesting and compelling pictures to help others better understand the makeup of the Internet…
We’ve selected a few events from the whirlwind of activity that was 2019 to consider, so let’s get started.
A hot topic making headlines throughout 2019 was the release of CVE-2019-0708, aka BlueKeep, which patches a remote code execution weakness in Microsoft Remote Desktop Protocol (RDP).
Why all the fuss? Well, while organizations may use RDP quite heavily internally, there’s a ton of exposed nodes on the public Internet.
Organizations expose RDP to simplify service and application access, and attackers regularly share or sell working RDP credentials on criminal marketplaces (since the inventory of accessible systems is fairly rich). Having credentials is great, but it would be even better (for attackers) if they had a way into your system that just involved cleverly crafting network packets, which is what BlueKeep provides.
Knowing there’s both a plethora of targets and a method of gaining access that doesn’t require credentials (on unpatched systems), what has attacker activity looked like for RDP? Let’s take a look:
There are many interesting items here. First, recent RDP attacker activity – starting right before the release of CVE-2019-0708 – has dwarfed previous levels. What’s that, you ask? Before? Yep. Prior to the official patch announcement, Project Heisenberg caught white, gray and black hats poking at RDP on the Internet with a fervor not seen before.
You might think all the activity after the CVE release was BlueKeep-related, but you’d be incorrect. The vast, vast majority of activity we see in Heisenberg is credential stuffing, with some attempts at using older, non-BlueKeep exploits coming in second. We do see probes looking for systems susceptible to BlueKeep, but we haven’t seen many direct exploit attempts.
This doesn’t mean you should be complacent. Attackers have an almost risk-free environment on the Internet, so they test out common attack patterns there, perfect them, then repeat them internally (once they get by your defenses with a phishing email) with a better guarantee of success. A bulletproof BlueKeep exploit (which would require major development effort even using the official Metasploit module) wouldn’t likely be wasted on an opportunistic Internet-wide campaign. So, make sure you’re patching your RDP systems and also protecting your externally facing ones with multi-factor authentication since credential stuffing isn’t going away anytime soon.
Our collective defender memories are fairly short, due in part to the Ooooh! Shiny! nature of the cybersecurity field. There’s a new celebrity vulnerability out regularly and we tend to gravitate towards the new and forget the old. Such is the case with EternalBlue, which stunned the world in 2017 during the WannaCry outbreak.
In 2019, there’s no real shortage of Windows Server Message Block (SMB) hosts on the Internet, and the following chart is a bit deceiving since ISPs around the globe are actively combatting SMB attacks. So, while the formerly millions of SMB nodes are technically no longer accessible via the Internet, they’re just one mis-queued router access control list (ACL) away from re-exposure.
To give you an idea of the impact WannaCry had on the SMB attack landscape we need to show you two charts. The first is the number of systems actively engaged in attacking SMB on a daily basis:
You’re reading that chart right. We now see upward of 45,000 unique IPv4s a day looking for exposed SMB servers and hammering away at them. And, we mean hammering:
99.9% of all post-WannaCry SMB activity has an EternalBlue exploit component to it. Frankly, we thought activity would go down as RDP activity picked up, but we’re seeing a serious uptick in overall SMB activity in 2020, with no signs of it stopping anytime soon. Much of the activity comprises attackers trying to hold on to their shrinking inventory of exposed SMB hosts.
EternalBlue-based attacks also continue to fuel internal attacker campaigns, and with all the scot-free practice our adversaries get on the public-facing servers, their use of EternalBlue internally has only gotten more sophisticated. This is another case where keeping SMB off the Internet and ensuring you’ve properly patched and configured internal SMB systems will go a long way toward keeping your organization out of the headlines.
Our final story comes from something a bit more recent: widespread exploitation of CVE-2019-19781, which turned out to be a remote code execution vulnerability in a very popular Citrix product. Project Sonar regularly finds just under 100,000 Citrix nodes on common ports on the public Internet:
Much like with RDP, bad actors sell access to Citrix systems with valid credentials on malicious marketplaces, but direct access to Citrix systems without credentials has some serious advantages and attackers wasted no time going after vulnerable systems. Strangely enough, we did not see widespread scanning or compromise activity, likely due to the regular spate of Citrix inventory scans having just been completed by various groups (plus, we have no honeypots emulating Citrix, so attackers would not be enticed to make such connections to our nodes).
Knowing that major organizations were being compromised, we developed a way to lightly (legally) fingerprint the versions of target systems and also identify systems that deployed the mitigation vs. the actual patch. We ran those studies the Friday following the patch release and cross-referenced our findings with the corpus of over 1,500 organizations we’ve researched to see who had Citrix in their public environment and whether or not those servers were safe from the exploit activity. The results were…not great:
We were glad to see many organizations that did have public-facing Citrix servers managed to patch or mitigate their exposure away, but far too many had done nothing on-system to prevent exploits.
This situation is almost the polar opposite of BlueKeep. Virtually everyone was watching for BlueKeep exploit activity and working diligently to patch and mitigate where possible (though there are many public-facing RDP servers that are vulnerable and/or compromised). The response to the Citrix issue was far more subdued, even with the knowledge of active, current exploit campaigns afoot.
In light of these RDP and SMB stories, the one thing we shouldn’t forget is that attackers have a much longer memory than we defenders seem to, and this Citrix exploit will have a very long tail, especially if organizations continue to wait too long to patch or mitigate vulnerabilities.
If you ever have any questions that our Internet telemetry projects can answer, drop us a note and our team will be glad to answer them.