gTIC Prioritized List + MITRE Tactics

Over the past 24 months, Optiv's® Global Threat Intelligence Center (gTIC) observed, collected, and analyzed multiple data points and information derived from Optiv's own Enterprise Incident Management (EIM) team's engagements as well as external industry reporting pertaining to cyber incidents and intrusions. Our risk-based and proactive approach to cyber threat intelligence (CTI) yielded a list of the most commonly targeted and exploited software and services that organizations should prioritize in terms of patch management, hardening, asset inventory, and visibility. These products and services are known to be targeted by all types of cyber adversaries including hacktivists, cyber-criminals, and state-sponsored entities. These are products and services that are currently, and forecasted with High Confidence to be, targeted and exploited by adversaries.

 

In addition to the list, Optiv's gTIC also took the additional step of correlating each of these to the MITRE ATT&CK® [1] Tactics that enable further Techniques and procedures for adversaries to carry out their attacks. The intent of mapping to the overall Tactics is to highlight the importance of our prioritized software and services list and the analysis that went into curating this list. Techniques, Sub-Techniques, and the multitude of tools and procedures associated with the general Tactics are not listed here, as they become too numerous with too many variables and unknowns. Attribution and correlation to specific named groups is also less relevant at this level of analysis and risk management.

 

This report serves as a high-level introduction to a series of posts in which Optiv's gTIC goes into more detail on the adversaries, campaigns, malware, and specific tools and Techniques (mapped to the ATT&CK framework) associated with attacks or compromises leveraging each of the types of software and services from the list below.

 

Below is Optiv gTIC's Prioritized Software and Services List, along with the ATT&CK Tactics that can be achieved as a result of targeting and successful exploitation. Tactics are annotated with their corresponding TA* identifier throughout this report. It is important to note that the list is not all-inclusive, but it gives organizations and entities a solid starting point for understanding the potential risks posed to their environments based on their asset lists and products, as well as a starting point for defensive and countermeasure prioritization. [i] Please also see other blog posts in this series that include focus lists on Apache, Oracle WebLogic, Microsoft, and VMware prioritized software and services.

 

 

Critical Enterprise Software

Products and software that fall under this category are considered essential to business processes and continuity. The products enable internal and external communication; web and application servers; and file and data hosting, management, storage, and sharing. Adversaries target these types of software and products for various actions including accessing and exfiltrating data, gaining initial entry through phishing and malware disguised as legitimate files, installing backdoors and webshells, enumerating user credentials and privileges, and mapping out other parts of the network.

 

Apache® Frameworks (e.g., Struts, Tomcat, HTTP Server, Kafka; see our Apache blog for more info)
TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0010 - Exfiltration
TA0011 - Command and Control
TA0040 - Impact

 


Figure 1: Apache Framework Risks Mapped to MITRE Tactics [2]

 

Oracle® WebLogic (see our WebLogic blog for more info)
TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0009 - Collection
TA0011 - Command and Control
TA0040 - Impact

 

Microsoft® Exchange (see our Microsoft blog for more info)
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0010 - Exfiltration
TA0040 - Impact

 

Microsoft® SharePoint
TA0001 - Initial Access
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0009 - Collection
TA0010 - Exfiltration
TA0040 - Impact

 

Microsoft® Office/O365
TA0001 - Initial Access
TA0002 - Execution
TA0005 - Defense Evasion
TA0009 - Collection

 

Microsoft® SQL Server
TA0001 - Initial Access
TA0003 - Persistence
TA0006 - Credential Access
TA0007 - Discovery
TA0009 - Collection
TA0040 - Impact

 

VMware® Products (e.g., vCenter, vSphere, Horizon, ESXi, Workspace ONE; see our VMware blog for more info)
TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0004 - Privilege Escalation
TA0005 - Defense Evasion
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0040 - Impact

 

Liferay® Portal
TA0001 - Initial Access
TA0007 - Discovery
TA0008 - Lateral Movement

 

Adobe® (e.g., Flash, Reader)
TA0002 - Execution

 

 

Content Management System Sites

WordPress®
Joomla!®
Drupal®
Liferay®
Magento®
WooCommerce®
vBulletin®

 

Content Management System (CMS) platforms allow organizations and entities to publish content as well as manage e-commerce through their websites. CMS sites are Very Likely to be exploited through vulnerabilities in the plug-ins and applications that are installed to add or enhance features and functionality. A compromise of a CMS site can allow adversaries to upload malicious scripts or malware onto the site to infect visitors in drive-by or watering-hole attacks; manipulate, steal, or delete content; or obtain web administrator credentials.

 

TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0009 - Collection
TA0010 - Exfiltration
TA0011 - Command and Control

 


Figure 2: CMS Platform Risks Mapped to MITRE Tactics

 

 

Software Development, Documentation, Code/Project Repositories

Jenkins®
Docker®
Atlassian® (Confluence, Jira, others)
Codecov®
Oracle® Java Platform/Java SE

 

Products under this category provide developers an environment and infrastructure to create, maintain, and produce proprietary code and software related to enterprise applications, projects, and products that are used internally or as part of their business portfolio. Given the type of information stored, these are highly sensitive environments, and a successful compromise can allow an attacker to access sensitive data; discover user credentials and other sensitive directories; or manipulate, destroy, or compromise existing code and projects, which can then be distributed downstream as a supply-chain attack.

 

TA0001 - Initial Access
TA0002 - Execution
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0040 - Impact

 

 

VPN and Proxy Clients

Pulse Secure®/Ivanti® Pulse Connect Secure
Citrix® ADC/Gateway
Fortinet® FortiGate
Palo Alto® GlobalProtect
Sangfor® VPN

 

Virtual Private Network (VPN) clients allow users access into restricted and internal corporate resources, sites, and communications. A compromise of an insecure or vulnerable VPN client or application can give an adversary initial access into sensitive environments; access to internal documents; and the ability to discover and access other assets and systems on the network.

 

TA0001 - Initial Access
TA0004 - Privilege Escalation
TA0007 - Discovery
TA0008 - Lateral Movement

 


Figure 3: VPN Client Risks Mapped to MITRE Tactics

 

 

NAS Devices

QNAP®
Synology®
Zyxel®

 

Network-attached storage (NAS) devices allow users on the same network to access folders and files stored on the external NAS drive. Adversaries can leverage vulnerable and unprotected NAS devices for initial intrusion and to access files and folders; identify other assets and user accounts associated with the compromised NAS device; drop malicious content onto the NAS device; or manipulate, steal, or delete files and folders.

 

TA0001 - Initial Access
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0007 - Discovery
TA0009 - Collection
TA0010 - Exfiltration
TA0040 - Impact

 

 

Remote Access and IT Management

Zoho® ManageEngine
VMware® SaltStack

 

Remote access and management software allows network and IT administrators to manage configuration, accounts and access, patching, and changes of systems and resources across the network. A successful compromise of these services, or of the administrator accounts associated with them, can grant adversaries access and visibility to network-attached devices and resources; credentials and privilege levels; and the ability to move across multiple devices or execute malware or code on them. This grouping of products also includes products that may be open-source and lightweight (individually installed or licensed, rather than enterprise-wide). Such products include Splashtop, TeamViewer, AnyDesk, LogMeIn, VNC, RClone, and others.

 

TA0001 - Initial Access
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0040 - Impact

 


Figure 4: NAS Device and Remote Admin Risks Mapped to MITRE Tactics

 

 

Protocols and Services

RDP
SMB/Samba
UPnP

 

These protocols allow for remote access and file sharing between systems and can be configured to be internal only or internet-facing. Exploitation of insecure and vulnerable protocols like RDP, SMB, or UPnP can allow an attacker to access the internal network and systems; identify other systems and devices and move across the network; exfiltrate data; or spread malware rapidly across the network to other devices.

 

TA0001 - Initial Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0010 - Exfiltration
TA0040 - Impact

 


Figure 5: Protocol Risks Mapped to MITRE Tactics

 

 

Browsers

Google® Chrome
Mozilla Firefox/ESR
Microsoft® Internet Explorer
Microsoft® Edge

 

Vulnerabilities and features in browsers can allow attackers to access and steal browser-stored credentials; execute code on the system; and escape browser-based protections and sandboxing to access the operating system.

 

TA0001 - Initial Access
TA0002 - Execution
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0009 - Collection

 


Figure 6: Browser-Based Risks Mapped to MITRE Tactics

 

 

Routers

MikroTik®
ASUS®

 

Exploitation of routers is a common method of compromising small and medium businesses and residential/home offices. Routers are exploited to add assets to existing botnets; install backdoors and webshells; intercept network traffic; access and obtain credentials; and identify devices and assets connected to the router(s).

 

TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0011 - Command and Control

 

 

Identity Access Management

Okta® SSO
ForgeRock® AM
Oracle® AMS
PingOne®

 

Identity Access Management (IAM) products are a highly attractive target for sophisticated threat actors capable of combining stolen or acquired credentials with social engineering via email, SMS, or phone calls. Exploitation of vulnerabilities in public-facing instances is also an observed attack vector for Initial Access, Credential Access, and Privilege Escalation. Exploitation of IAM services allows threat actors to create new accounts, modify existing accounts, and discover sensitive systems for data exfiltration or deployment of malware or ransomware.

 

TA0042 - Resource Development
TA0001 - Initial Access
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0006 - Credential Access

 

 

Assessment

Based on vulnerability and exploitation trends over the last 6 months, Optiv's gTIC assesses with High Confidence that the software, products, and services on our prioritized list above will continue to remain highly popular for targeting and exploitation by cyber adversaries over the next 12 months. This is primarily due to the breadth of access and subsequent effects provided by successful compromise of these products, services, and software. Additionally, Optiv's gTIC estimates that over the next 12 months, Initial Access and Defense Evasion will Very Likely remain among the predominant and most important ATT&CK Tactics associated with adversary campaigns and attempts: Initial Access is the first step in a successful attack before any other Tactic or Technique can be executed, while Defense Evasion allows an adversary to remain undetected for as long as possible. Organizations and enterprises are advised to take inventory of whether any of the products in our prioritized list are present in their environment, consider other risk-based variables (e.g., industry vertical and geography), and assess the potential risk of a compromise of any accounts and systems that are associated with these products. From there, defensive measures and countermeasure efforts can be prioritized and proposed to supplement existing security and risk management policies. Optiv's gTIC provides additional focus lists on Apache, Oracle WebLogic, Microsoft and VMware prioritized software and services.
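The inventory step recommended above can be automated against an asset list. The following is an added example, not Optiv gTIC tooling: it transcribes a subset of the product-to-Tactic mappings from the lists in this report, matches constructed CMDB-style inventory rows against them by product-name keywords, and summarizes which Tactics the matched products expose and which entries account for the most exposure. The inventory rows, the keyword lists and the exposure score (hosts multiplied by mapped Tactics) are assumptions made for the example.

```python
"""Match an asset inventory against a prioritized software list and
summarize the ATT&CK Tactics the matched products expose.

Added example; not Optiv gTIC tooling. The Tactic mappings are transcribed
from the report's lists (a subset); inventory rows and keyword lists are
constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Prioritized list entry -> Tactics mapped to it in the report.
PRIORITIZED: Dict[str, List[str]] = {
    "Apache Frameworks": ["TA0042", "TA0001", "TA0002", "TA0003", "TA0004", "TA0007",
                          "TA0008", "TA0009", "TA0010", "TA0011", "TA0040"],
    "Microsoft Exchange": ["TA0001", "TA0002", "TA0003", "TA0004", "TA0010", "TA0040"],
    "Microsoft SQL Server": ["TA0001", "TA0003", "TA0006", "TA0007", "TA0009", "TA0040"],
    "VPN Clients": ["TA0001", "TA0004", "TA0007", "TA0008"],
    "NAS Devices": ["TA0001", "TA0004", "TA0006", "TA0007", "TA0009", "TA0010", "TA0040"],
    "Remote Access and IT Management": ["TA0001", "TA0003", "TA0004", "TA0006", "TA0007",
                                        "TA0008", "TA0009", "TA0040"],
}

# Lowercase keywords (assumed) that identify a list entry in a product string;
# derived from the product names the report gives under each heading.
KEYWORDS: Dict[str, List[str]] = {
    "Apache Frameworks": ["apache struts", "apache tomcat", "apache http server", "apache kafka", "tomcat", "struts"],
    "Microsoft Exchange": ["microsoft exchange", "exchange server"],
    "Microsoft SQL Server": ["sql server", "mssql"],
    "VPN Clients": ["pulse connect secure", "pulse secure", "citrix adc", "citrix gateway",
                    "fortigate", "globalprotect", "sangfor"],
    "NAS Devices": ["qnap", "synology", "zyxel"],
    "Remote Access and IT Management": ["manageengine", "saltstack", "splashtop", "teamviewer",
                                        "anydesk", "logmein", "vnc", "rclone"],
}

TACTIC_NAMES = {
    "TA0042": "Resource Development", "TA0001": "Initial Access", "TA0002": "Execution",
    "TA0003": "Persistence", "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery", "TA0008": "Lateral Movement",
    "TA0009": "Collection", "TA0010": "Exfiltration", "TA0011": "Command and Control",
    "TA0040": "Impact",
}

# Constructed sample inventory: (hostname, product string as a CMDB might record it).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("web01", "Apache Tomcat 9.0"),
    ("mail01", "Microsoft Exchange Server 2016"),
    ("db01", "Microsoft SQL Server 2019"),
    ("db02", "MSSQL 2017 Express"),
    ("vpn01", "Pulse Connect Secure 9.1"),
    ("fs01", "Synology DSM 7"),
    ("ws42", "TeamViewer 15"),
    ("ws43", "7-Zip 22.01"),  # not on the prioritized list
]


def classify(product: str) -> Optional[str]:
    """Return the prioritized-list entry a product string belongs to, or None."""
    text = product.lower()
    for entry, words in KEYWORDS.items():
        if any(word in text for word in words):
            return entry
    return None


def assess_inventory(inventory: List[Tuple[str, str]]):
    """Return (matched_hosts, tactic_counts, ranking).

    matched_hosts: list entry -> hostnames running a product under that entry.
    tactic_counts: Tactic ID -> number of matched hosts whose entry maps to it.
    ranking: entries ordered by exposure score (hosts x mapped Tactics), highest first.
    """
    matched: Dict[str, List[str]] = {}
    for host, product in inventory:
        entry = classify(product)
        if entry is not None:
            matched.setdefault(entry, []).append(host)

    tactic_counts: Counter = Counter()
    for entry, hosts in matched.items():
        for tactic in PRIORITIZED[entry]:
            tactic_counts[tactic] += len(hosts)

    ranking = sorted(matched, key=lambda e: (-len(matched[e]) * len(PRIORITIZED[e]), e))
    return matched, tactic_counts, ranking


if __name__ == "__main__":
    matched, counts, ranking = assess_inventory(SAMPLE_INVENTORY)
    print("Prioritized entries present, by exposure:")
    for entry in ranking:
        print(f"  {entry}: {len(matched[entry])} host(s), {len(PRIORITIZED[entry])} Tactics")
    print("Tactics exposed (hosts per Tactic):")
    for tactic, n in counts.most_common():
        print(f"  {tactic} {TACTIC_NAMES[tactic]}: {n}")
```

Every entry on the list maps to Initial Access, so that Tactic's count equals the number of matched hosts; the per-Tactic counts beyond that show where an environment's exposure concentrates (here Impact and Discovery), which is a reasonable input for prioritizing detection coverage alongside patching.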

 

 

Appendix

 

References

[1] MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK® can be found at attack.mitre.org. All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: © 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/.

 

[2] Link charts and graphs in this report were created by Optiv gTIC leveraging the ThreatQuotient® Investigations platform.

 

ArsTechnica, ‘New Iranian wiper discovered in attacks on Middle Eastern companies’, 2019, https://arstechnica.com/information-technology/2019/12/new-iranian-wiper-discovered-in-attacks-on-middle-eastern-companies/

 

Chapman, Catherine, ‘Recorded Future reveals top 10 most exploited vulnerabilities in 2018’, 2019, https://portswigger.net/daily-swig/recorded-future-reveals-top-10-most-exploited-vulnerabilities-in-2018

 

Cisco Talos, ‘VPNFilter Update - VPNFilter exploits endpoints, targets new devices’, 2018, https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

 

Cofense, ‘Sharing Documents via SharePoint Is Always a Good Idea: Not always…’, 2021, https://cofense.com/blog/sharing-documents-sharepoint/

 

Eclypsium, ‘When Honey Bees Become Murder Hornets’, 2021, https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/

 

Fidelis Cybersecurity, ‘The Fidelis TRT Assesses Increased Malware Attacks Against QNAP NAS Devices’, 2020, https://fidelissecurity.com/threatgeek/threat-intelligence/fidelis-trt-assesses-increased-malware-attacks-against-qnap-nas-devices/

 

Fidelis Cybersecurity, ‘Fidelis Threat Intelligence Report – February/March 2021’, 2021, https://fidelissecurity.com/resource/report/fidelis-threat-intelligence-report-february-march-2021/

 

Lumen, ‘ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks’, 2022, https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/

 

Malwarebytes Labs, ‘The top 5 most routinely exploited vulnerabilities of 2021?’, 2022, https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/

 

Microsoft, ‘ZeroLogon is now detected by Microsoft Defender for Identity (CVE-2020-1472 exploitation)’, 2021, https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034

 

QRATOR, ‘Mēris botnet, climbing to the record’, 2021, https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/

 

Recorded Future, ‘The Top 10 Vulnerabilities Used by Cybercriminals in 2019’, 2020, https://go.recordedfuture.com/vulnerability-report-2019

 

Trend Micro, ‘Cyclops Blink Sets Sights on Asus Routers’, 2022, https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

 

US Cybersecurity & Infrastructure Security Agency, ‘Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities’, 2022, https://www.cisa.gov/uscert/ncas/alerts/aa22-117a

 

Analytical Comments, Statements, and Best Practices

Most Likely Course of Action (MLCOA) – the expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Most Dangerous Course of Action (MDCOA) – tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Words of Estimated Probability – The gTIC employs both probability statements for the likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, the gTIC leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:

 

[Chart: words of estimated probability, modeled after ICD 203]

 

Confidence statements, as defined by Optiv's gTIC, apply to the reliability and relevance of information reported and are as follows:

 

Confidence Level: High Confidence
Optiv gTIC Definition: Information and/or intelligence is assessed to be of high reliability and value to drive operations and decisions.
Factors: Established history, repeated observations and patterns, strong precedent to form professional assessment and prediction/extrapolation.
Quantitative Relevance: 75%+

Confidence Level: Moderate Confidence
Optiv gTIC Definition: Information and/or intelligence is reasonable and warrants consideration or action or response where applicable.
Factors: Sporadic observations, limited historical references (too recent or too long of a gap to be considered “established”).
Quantitative Relevance: 45-65% (+/- 10%)

Confidence Level: Low Confidence
Optiv gTIC Definition: Information and/or intelligence is unreliable or less relevant and provided as situational awareness.
Factors: Lack of established history or observations, unreliable or circumstantial evidence.
Quantitative Relevance: < 35%

 

Per ICD 203 standards, confidence-level statements are not combined with the probability and degree-of-likelihood terms shown in the chart above.

 


[i] The information in this document is for general information purposes only. While Optiv endeavors to keep the information up to date and correct, Optiv makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to this document or the information, products, services, or related graphics contained in this document for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

Principal Consultant | Optiv
Aamil Karimi has over 16 years of experience in the practice of intelligence analysis and reporting in both the military (HUMINT and targeting) as well as in cybersecurity threat intelligence and risk management. His cybersecurity experience includes supporting incident response, threat research, and CISO teams in building and expanding the threat intelligence capabilities for Fortune 500 companies and managed security services providers (MSSPs). Aamil’s approach to cyber threat and risk intelligence stems from maintaining a focus on the fundamentals of relevance and timeliness for customers and incorporating a risk-based strategy to prioritize collection, analysis, and reporting efforts. This is accomplished by understanding and assessing the current state of each customers’ risk profile and identifying the most likely and most dangerous threats to support business preparedness and defensive actions. Prior to joining the cybersecurity field, Aamil spent six years in Afghanistan on both active duty and civilian deployments supporting HUMINT and targeting efforts for the US Army, US Air Force Office of Special Investigations, and US Special Operations Command in Principal and Subject Matter Expert (SME) capacities.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.