gTIC Prioritized List + MITRE Tactics

Over the past 24 months, Optiv's® Global Threat Intelligence Center (gTIC) observed, collected, and analyzed multiple data points and information derived from Optiv's own Enterprise Incident Management (EIM) team's engagements as well as external industry reporting pertaining to cyber incidents and intrusions. Our risk-based and proactive approach to cyber threat intelligence (CTI) yielded a list of the most commonly targeted and exploited software and services that organizations should prioritize in terms of patch management, hardening, asset inventory, and visibility. These products and services are known to be targeted by types all of cyber adversaries including hacktivists, cyber-criminals, and state-sponsored entities. These are products and services that are currently, and forecasted with High Confidence to be, targeted and exploited by adversaries.

 

In addition to the list, Optiv's gTIC also took the additional step of correlating each of these to the MITRE ATT&CK®1 Tactics that enable further Techniques and procedures for adversaries to carry out their attacks. The intent of mapping to the overall Tactics is to highlight the importance of our prioritized software and services list and the analysis that went into curating this list. Techniques, Sub-Techniques, and the multitude of tools and procedures associated with the general Tactics are not listed here, as they become too numerous with too many variables and unknowns. Attribution and correlation to specific named groups is also less relevant at this level of analysis and risk management.

 

This report serves as a high-level introduction to a series of posts in which Optiv’s gTIC will go into more detail of adversaries, campaigns, malware, and specific tools and Techniques (mapped to the ATT&CK framework) associated with attacks or compromises leveraging each of the types of software and services from the list below.

 

 

Below is Optiv gTIC's Prioritized Software and Services List, along with the ATT&CK Tactics that can be achieved as a result of targeting and successful exploitation. Tactics are annotated with their corresponding TA* identifier throughout this report. It is important to note the list is not all inclusive but gives organizations and entities a solid starting point of the potential risks posed to their environments based off their asset lists and products as well as a starting point for defensive and countermeasure prioritization.i Please also see our other blog posts in this series that focus on Apache, Oracle WebLogic, Microsoft, VMware, NAS devices, and CMS platforms.

 

 

Critical Enterprise Software

Products and software that fall under this category are considered essential to business processes and continuity. The products enable internal and external communication; web and application servers; and file and data hosting, management, storage, and sharing. Adversaries target these types of software and products for various actions including accessing and exfiltrating data, gaining initial entry through phishing and malware disguised as legitimate files, installing backdoors and webshells, enumerating user credentials and privileges, and mapping out other parts of the network.

 

Apache®Frameworks (e.g., Struts, Tomcat, HTTP Server, Kafka – see our Apache blog for more info)
TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0010 - Exfiltration
TA0011 - Command and Control
TA0040 - Impact

 

Image
mitre_tactics_SZ_img1.jpg

Figure 1: Apache Framework Risks Mapped to MITRE Tactics2

 

Oracle® WebLogic (see our WebLogic blog for more info)
TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0009 - Collection
TA0011 - Command and Control
TA0040 - Impact

 

Microsoft® Exchange (see our Microsoft blog for more info)
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0010 - Exfiltration
TA0040 - Impact

 

Microsoft® SharePoint
TA0001 - Initial Access
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0009 - Collection
TA0010 - Exfiltration
TA0040 - Impact

 

Microsoft® Office/O365
TA0001 - Initial Access
TA0002 – Execution
TA0005 - Defense Evasion
TA0009 - Collection

 

Microsoft® SQL Server
TA0001 - Initial Access
TA0003 - Persistence
TA0006 - Credential Access
TA0007 - Discovery
TA0009 - Collection
TA0040 - Impact

 

VMWare® Products (e.g., vCenter, vSphere, Horizon, ESXi, Workspace ONE – see our VMware blog for more info)
TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0004 - Privilege Escalation
TA0005 - Defense Evasion
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0040 - Impact

 

LifeRay® Portal
TA0001 - Initial Access
TA0007 - Discovery
TA0008 - Lateral Movement

 

Adobe® (e.g., Flash, Reader)
TA0002 - Execution

 

 

Content Management System Sites

See our CMS platforms blog for more info.

 

WordPress®
Joomla!®
Drupal®
LifeRay®
Magento®
WooCommerce®
vBulletin®

 

Content Management System (CMS) platforms allow organizations and entities to publish content as well as manage e-commerce through their websites. CMS pages are Very Likely to be exploited through vulnerabilities in plug-ins and applications that are installed to add or enhance features and functionality of CMS pages. A compromise of a CMS page can allow adversaries to upload malicious scripts or malware onto the page to infect visitors in drive-by or watering-hole attacks; manipulate, steal, or delete content; or obtain web administrator credentials.

 

TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0009 - Collection
TA0010 - Exfiltration
TA0011 - Command and Control

 

Image
mitre_tactics_SZ_img2.jpg

Figure 2: CMS Platform Risks Mapped to MITRE Tactics

 

 

Software Development, Documentation, Code/Project Repositories

Jenkins®
Docker®
Atlassian® (Confluence, Jira, others)
Codecov®
Oracle® Java Platform/Java SE
GitLab®

 

Products under this category provide developers with an environment and infrastructure to create, maintain, and produce proprietary code and software related to enterprise applications, projects, and products that are used internally or part of their business portfolio. Given the type of information stored, these are highly sensitive environments, and successful compromise of credentials or systems can allow an attacker access to sensitive data; discover and abuse user credentials and other sensitive directories; manipulate, destroy, or compromise existing code and projects which can be distributed as a supply-chain attack.

 

TA0001 - Initial Access
TA0002 - Execution
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0040 - Impact

 

 

VPN and Proxy Clients

Pulse Secure®/Ivanti® Pulse Connect Secure
Citrix® ADC/Gateway
Fortinet® FortiGate
Palo Alto® GlobalProtect
Sangfor® VPN
Cisco AnyConnect®

 

Virtual Private Network (VPN) clients allow users access into restricted and internal corporate resources, sites, and communications. A compromise of an insecure or vulnerable VPN client or application can give an adversary initial access into sensitive environments; access to internal documents; and ability to discover and access other assets and systems on the network.

 

TA0001 - Initial Access
TA0004 - Privilege Escalation
TA0007 - Discovery
TA0008 - Lateral Movement

 

Image
mitre_tactics_SZ_img3.jpg

Figure 3: VPN Client Risks Mapped to MITRE Tactics

 

 

NAS Devices

See our NAS devices blog for more info.

 

QNAP®
Synology®
Zyxel®

 

Network-attached storage (NAS) devices allow for users on the same network access to folders and files stored on the external NAS drive. Adversaries can leverage vulnerable and unprotected NAS devices for initial intrusion and access files and folders; identify other assets and user accounts associated with the compromised NAS device; drop malicious content onto the NAS device; or manipulate, steal, or delete files and folders.

 

TA0001 - Initial Access
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0007 - Discovery
TA0009 - Collection
TA0010 - Exfiltration
TA0040 - Impact

 

 

Remote Access and IT Management

Zoho® ManageEngine
VMWare® SaltStack

 

Remote access and management software allow network and IT administrators to manage configuration, accounts and access, patching, and changes of systems and resources across the network. A successful compromise of these services or administrator accounts associated with these services can grant adversaries access and visibility to network-attached devices and resources; credentials and privilege levels, and the ability to move across, or execute malware or code, across multiple devices. This grouping of products also includes products that may be open-source and lightweight (individually installed or licensed, rather than enterprise-wide). Such products include Splashtop, TeamViewer, AnyDesk, LogMeIn, VNC, RClone, and others.

 

TA0001 - Initial Access
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0040 - Impact

 

Image
mitre_tactics_SZ_img4.jpg

Figure 4: NAS Device and Remote Admin Risks Mapped to MITRE Tactics

 

 

Protocols and Services

RDP
SMB/Samba
UPnP

 

These protocols allow for remote access and file sharing between systems and can be configured to be internal only or internet-facing. Exploitation of insecure and vulnerable protocols like RDP, SMB, or UPnP can allow an attacker to access the internal network and systems; identify other systems and devices and move across the network; exfiltrate data; or spread malware rapidly across the network to other devices.

 

TA0001 - Initial Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0010 - Exfiltration
TA0040 – Impact

 

Image
mitre_tactics_SZ_img5.jpg

Figure 5: Protocol Risks Mapped to MITRE Tactics

 

 

Browsers

Google® Chrome
Mozilla Firefox/ESR
Microsoft® Internet Explorer
Microsoft® Edge

 

Vulnerabilities and features in browsers can allow attackers to access and steal browser-stored credentials; execute code on the system; and escape browser-based protections and sandboxing to access the operating system.

 

TA0001 - Initial Access
TA0002 - Execution
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0009 - Collection

 

Image
mitre_tactics_SZ_img6.jpg

Figure 6: Browser Based Risks Mapped to MITRE Tactics

 

 

Routers

MikroTik®
ASUS®
D-Link®
Netgear®
Cisco SD-WAN®

 

Exploitation of routers and router management software are common methods of compromising small and medium businesses and residential/home offices. Routers are exploited to add assets to existing botnets; install backdoors and webshells; intercept network traffic; access and obtain credentials; and identify devices and assets connected to the router(s).

 

TA0042 – Resource Development
TA0001 – Initial Access
TA0002 – Execution
TA0003 – Persistence
TA0004 – Privilege Escalation
TA0006 – Credential Access
TA0007 – Discovery
TA0008 – Lateral Movement
TA0011 – Command and Control

 

 

Identity Access Management

Okta® SSO
ForgeRock® AM
Oracle® AMS
PingOne®
BeyondTrust®

 

Identity Access Management (IAM) products are a highly attractive target for sophisticated threat actors capable of leveraging a combination of stolen or acquired credentials with social engineering via email, SMS, or phone calls. Exploitation of vulnerabilities in public-facing instances are also attack vectors observed for Initial Access, Credential Access, and Privilege Escalation. Exploitation of IAM services allows threat actors the ability to create new accounts, modify existing accounts, and discover sensitive systems for data exfiltration or deployment of malware or ransomware.

 

TA0042 – Resource Development
TA0001 – Initial Access
TA0004 – Privilege Escalation
TA0003 – Persistence
TA0006 – Credential Access

 

 

Firewall Appliances

Fortinet/FortiOS®
F5®
Palo Alto/PAN-OS®
SonicWall®
Sophos®

 

Firewall appliances and operating systems are frequently exploited for Initial Access, Credential Access, and Privilege Escalation. Common risks in firewall devices that are interrogated and exploited by threat actors include improper device configurations and security settings or authentication bypass vulnerabilities. These allow attackers to access internal systems; change, manipulate, or tamper with security settings and event logging; and acquire user credentials. Lack of multi-factor authentication mechanisms is a key contributor to firewall-based intrusions and remains a fundamental security measure; however, proper security settings and configurations and robust detection of anomalous activity remain important safeguards as authentication-bypass attacks can still evade MFA-enabled protections.

 

TA0001 – Initial Access
TA0004 – Privilege Escalation
TA0006 – Credential Access

 

 

File Transfer Tools and Software

Fortra GoAnywhere®
Progress MoveIT®
Cleo®
Accellion®
SolarWinds Serv-U®

 

Managed file transfer appliances (M/FTA) are legitimate programs designed to streamline and expedite large data, file, and directory transfers within an internal network or to an external repository. These tools are also leveraged by attackers during post-exploitation for Lateral Movement, Collection, and Exfiltration of internal data for monetization and data leak. These tools are also used to rapidly deploy malware and ransomware across internal networks. Remote and arbitrary code execution vulnerabilities in M/FTA have also been exploited to rapidly deploy ransomware across environments running vulnerable instances. Notably rare incidents involved attackers compromising the M/FTA software and distributing malware through malicious updates (software supply-chain attacks).

 

TA0001 – Initial Access
TA0002 – Execution
TA0007 – Discovery
TA0008 – Lateral Movement
TA0009 - Collection
TA0010 - Exfiltration

 

 

Assessment

Based off vulnerability and exploitation trends over the last 12 months, Optiv’s gTIC assesses with High Confidence that the software, products, and services on our prioritized list above will continue to remain highly popular for targeting and exploitation by cyber adversaries over the next 12 months. This is primarily due to the breadth of access and subsequent effects provided by successful compromise of these products, services, and software. Additionally, Optiv’s gTIC estimates that over the next 12 months, Initial Access, Credential Access and Defense Impairment (formerly Defense Evasion) will Very Likely remain among the predominant and most important ATT&CK Tactics associated with adversary campaigns and attempts. Initial Access is the first step in a successful attack before any other Tactic or Technique can be executed and is accomplished via phishing or use of compromise/leaked credentials to login into systems. Defense Impairment allows an adversary to remain undetected for as long as possible. by bypassing or manipulating detection and prevention appliances and solutions (e.g., EDR, anti-virus, IDS/IPS). Since late-2024 there has been an influx of open-source tools and projects dedicated to tampering with or disabling defense capabilities. These tools are collectively known as “EDR Killers”. Techniques to accomplish Credential Access and harvesting of login information remains the top post-exploit activity, including incidents and intrusions involving software and code library supply-chain compromises, use of AI agents or AI-assisted attacks, or exploitation of AI platforms and prompts to carry out attacks. Organizations and enterprises are advised to take inventory of whether any of the products in our prioritized list are present in their environment in addition to other risk-based variables (i.e., industry vertical, and geography), and assess the potential risk of a compromise of any accounts and systems that are associated with these products. From there, defensive measures and counteractions efforts can be prioritized and proposed to supplement existing security and risk management policies.

 

 

Analytical Comments, Statements, and Best Practices

Most Likely Course of Action (MLCOA) – the expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Most Dangerous Course of Action (MDCOA) – tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Words of Estimated Probability – The gTIC employs the use of both probability statements for likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, the gTIC leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:

 

Almost No Chance Very Unlikely Unlikely Roughly Even Chance Likely Very Likely Almost Certain(ly)y
Remote Highly Improbable Improbable (Improbably) Roughly Even Odds Probable (Probably) Highly Probable Nearly Certain
01-05% 05-20% 20-45% 45-55% 55-80% 80-95% 95-99%

 

Confidence statements, as defined by Optiv's gTIC, apply to the reliability and relevance of information reported and are as follows:

 

Confidence Level Optiv gTIC Definition Factors Quantitative Relevance
High Confidence information and/or intelligence is assessed to be of high reliability and value to drive operations and decision Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation 75%+
Moderate Confidence information and/or intelligence is reasonable and warrants consideration or action or response where applicable Sporadic observations, limited historical references (too recent or too long of a gap to be considered “established”) 45-65%(+/- 10%)
Low Confidence Information and/or intelligence is unreliable or less relevant and provided as situational awareness lack of established history or observations, unreliable or circumstantial evidence < 35%

 

Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.

 

 

Appendix

 

References

1MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK® can be found at attack.mitre.org. All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: © 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/".

 

2Links charts and graphs in this report were created by Optiv gTIC leveraging the ThreatQuotient® Investigations platform.

 

ArsTechnica, ‘New Iranian wiper discovered in attacks on Middle Eastern companies’, 2019, https://arstechnica.com/information-technology/2019/12/new-iranian-wiper-discovered-in-attacks-on-middle-eastern-companies/

 

Chapman, Catherine, ‘Recorded Future reveals top 10 most exploited vulnerabilities in 2018’, 2019, https://portswigger.net/daily-swig/recorded-future-reveals-top-10-most-exploited-vulnerabilities-in-2018

 

Cisco Talos, ‘VPNFilter Update - VPNFilter exploits endpoints, targets new devices’, 2018, https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

 

Cofense, ‘Sharing Documents via SharePoint Is Always a Good Idea: Not always…’, 2021, https://cofense.com/blog/sharing-documents-sharepoint/

 

Eclypsium, ‘When Honey Bees Become Murder Hornets’, 2021, https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/

 

Fidelis Cybersecurity, ‘The Fidelis TRT Assesses Increased Malware Attacks Against QNAP NAS Devices’, 2020, https://fidelissecurity.com/threatgeek/threat-intelligence/fidelis-trt-assesses-increased-malware-attacks-against-qnap-nas-devices/

 

Fidelis Cybersecurity, ‘Fidelis Threat Intelligence Report – February/March 2021’, 2021, https://fidelissecurity.com/resource/report/fidelis-threat-intelligence-report-february-march-2021/

 

Lumen, ‘ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks’, 2022, https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/

 

Malwarebytes Labs, ‘The top 5 most routinely exploited vulnerabilities of 2021?’, 2022, https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/

 

Microsoft, ‘ZeroLogon is now detected by Microsoft Defender for Identity (CVE-2020-1472 exploitation)’, 2021, https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034

 

QRATOR, ‘Mēris botnet, climbing to the record’, 2021, https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/

 

Recorded Future, ‘The Top 10 Vulnerabilities Used by Cybercriminals in 2019’, 2020, https://go.recordedfuture.com/vulnerability-report-2019

 

TrendMicro, Cyclops Blink Sets Sights on Asus Routers’, 2022, https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

 

US Cybersecurity & Infrastructure Security Agency, ‘Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities’, 2022, https://www.cisa.gov/uscert/ncas/alerts/aa22-117a

 


i This information in this document is for general information purposes only. While Optiv endeavors to keep the information up to date and correct, Optiv makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to this document or the information, products, services, or related graphics contained in this document for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

Principal Consultant | Optiv
Aamil Karimi has over 19 years of experience in the practice of intelligence analysis and reporting in both the military (HUMINT and targeting) as well as in cybersecurity threat intelligence and risk management. His cybersecurity experience includes supporting incident response, threat research, and CISO teams in building and expanding the threat intelligence capabilities for Fortune 500 companies and managed security services providers (MSSPs). Aamil’s approach to cyber threat and risk intelligence stems from maintaining a focus on the fundamentals of relevance and timeliness for customers and incorporating a risk-based strategy to prioritize collection, analysis, and reporting efforts. This is accomplished by understanding and assessing the current state of each customers’ risk profile and identifying the most likely and most dangerous threats to support business preparedness and defensive actions. Prior to joining the cybersecurity field, Aamil spent six years in Afghanistan on both active duty and civilian deployments supporting HUMINT and targeting efforts for the US Army, US Air Force Office of Special Investigations, and US Special Operations Command in Principal and Subject Matter Expert (SME) capacities.

About Optiv Security: Secure greatness.® 
Optiv is the world’s largest pure-play cybersecurity company. With unmatched technology partnerships and deep technical expertise, Optiv securely enables the AI era for more than 6,000 clients. From financial services and health care, to government, energy and retail, organizations trust Optiv to advise, deploy and operate cybersecurity programs that reduce risk and deliver real results. Learn why Optiv is the most trusted brand in cyber at optiv.com.