gTIC Prioritized List + MITRE Tactics

Over the past 24 months, Optiv's® Global Threat Intelligence Center (gTIC) observed, collected, and analyzed multiple data points and information derived from Optiv's own Enterprise Incident Management (EIM) team's engagements as well as external industry reporting pertaining to cyber incidents and intrusions. Our risk-based and proactive approach to cyber threat intelligence (CTI) yielded a list of the most commonly targeted and exploited software and services that organizations should prioritize in terms of patch management, hardening, asset inventory, and visibility. These products and services are known to be targeted by all types of cyber adversaries including hacktivists, cyber-criminals, and state-sponsored entities. These are products and services that are currently, and forecasted with High Confidence to be, targeted and exploited by adversaries.

 

In addition to the list, Optiv's gTIC also took the additional step of correlating each of these to the MITRE ATT&CK®1 Tactics that enable further Techniques and procedures for adversaries to carry out their attacks. The intent of mapping to the overall Tactics is to highlight the importance of our prioritized software and services list and the analysis that went into curating this list. Techniques, Sub-Techniques, and the multitude of tools and procedures associated with the general Tactics are not listed here, as they become too numerous with too many variables and unknowns. Attribution and correlation to specific named groups is also less relevant at this level of analysis and risk management.

 

This report serves as a high-level introduction to a series of posts in which Optiv’s gTIC go into more detail of adversaries, campaigns, malware, and specific tools and Techniques (mapped to the ATT&CK framework) associated with attacks or compromises leveraging each of the types of software and services from the list below.

 

Below is Optiv gTIC's Prioritized Software and Services List, along with the ATT&CK Tactics that can be achieved as a result of targeting and successful exploitation. Tactics are annotated with their corresponding TA* identifier throughout this report. It is important to note the list is not all inclusive but gives organizations and entities a solid starting point of the potential risks posed to their environments based off their asset lists and products as well as a starting point for defensive and countermeasure prioritization.i

 

 

Critical Enterprise Software

Products and software that fall under this category are considered essential to business processes and continuity. The products enable internal and external communication; web and application servers; and file and data hosting, management, storage, and sharing. Adversaries target these types of software and products for various actions including accessing and exfiltrating data, gaining initial entry through phishing and malware disguised as legitimate files, installing backdoors and webshells, enumerating user credentials and privileges, and mapping out other parts of the network.

 

Apache®Frameworks (e.g., Struts, Tomcat, HTTP Server)
TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0010 - Exfiltration
TA0011 - Command and Control
TA0040 - Impact

 

Image
mitre_tactics_SZ_img1.jpg

Figure 1: Apache Framework Risks Mapped to MITRE Tactics2

 

Oracle® WebLogic
TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0009 - Collection
TA0011 - Command and Control
TA0040 - Impact

 

Microsoft® Exchange
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0010 - Exfiltration
TA0040 - Impact

 

Microsoft® SharePoint
TA0001 - Initial Access
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0009 - Collection
TA0010 - Exfiltration
TA0040 - Impact

 

Microsoft® Office/O365
TA0001 - Initial Access
TA0002 – Execution
TA0005 - Defense Evasion
TA0009 - Collection

 

Microsoft® SQL Server
TA0001 - Initial Access
TA0003 - Persistence
TA0006 - Credential Access
TA0007 - Discovery
TA0009 - Collection
TA0040 - Impact

 

VMWare® Products (e.g., vCenter, vSphere, Horizon, ESXi, Workspace ONE)
TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0004 - Privilege Escalation
TA0005 - Defense Evasion
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0040 - Impact

 

LifeRay® Portal
TA0001 - Initial Access
TA0007 - Discovery
TA0008 - Lateral Movement

 

Adobe® (e.g., Flash, Reader)
TA0002 - Execution

 

 

Content Management System Sites

WordPress®
Joomla!®
Drupal®
Magento®
WooCommerce®

 

Content Management System (CMS) platforms allow organizations and entities to publish content as well as manage e-commerce through their websites. CMS pages are Very Likely to be exploited through vulnerabilities in plug-ins and applications that are installed to add or enhance features and functionality of CMS pages. A compromise of a CMS page can allow adversaries to upload malicious scripts or malware onto the page to infect visitors in drive-by or watering-hole attacks; manipulate, steal, or delete content; or obtain web administrator credentials.

 

TA0042 - Resource Development
TA0001 - Initial Access
TA0002 - Execution
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0009 - Collection
TA0010 - Exfiltration
TA0011 - Command and Control

 

Image
mitre_tactics_SZ_img2.jpg

Figure 2: CMS Platform Risks Mapped to MITRE Tactics

 

 

Software Development, Documentation, Code/Project Repositories

Jenkins®
Docker®
Atlassian® (Confluence, Jira)
Codecov®
Oracle® Java Platform/Java SE

 

Products under this category provide developers an environment and infrastructure to create, maintain, and produce proprietary code and software related to enterprise applications, projects, and products that are used internally or part of their business portfolio. Given the type of information stored, these are highly sensitive environments, and successful compromise can allow an attacker access to sensitive data; discover user credentials and other sensitive directories; manipulate, destroy, or compromise existing code and projects which can be distributed as a supply-chain attack.

 

TA0001 - Initial Access
TA0002 - Execution
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0040 - Impact

 

 

VPN and Proxy Clients

Pulse Secure®/Ivanti® Pulse Connect Secure
Citrix® ADC/Gateway
Fortinet® FortiGate
Palo Alto® GlobalProtect
Sangfor® VPN

 

Virtual Private Network (VPN) clients allow users access into restricted and internal corporate resources, sites, and communications. A compromise of an insecure or vulnerable VPN client or application can give an adversary initial access into sensitive environments; access to internal documents; and ability to discover and access other assets and systems on the network.

 

TA0001 - Initial Access
TA0004 - Privilege Escalation
TA0007 - Discovery
TA0008 - Lateral Movement

 

Image
mitre_tactics_SZ_img3.jpg

Figure 3: VPN Client Risks Mapped to MITRE Tactics

 

 

NAS Devices

QNAP®
Synology®

 

Network-attached storage (NAS) devices allow for users on the same network access to folders and files stored on the external NAS drive. Adversaries can leverage vulnerable and unprotected NAS devices for initial intrusion and access files and folders; identify other assets and user accounts associated with the compromised NAS device; drop malicious content onto the NAS device; or manipulate, steal, or delete files and folders.

 

TA0001 - Initial Access
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0007 - Discovery
TA0009 - Collection
TA0010 - Exfiltration
TA0040 - Impact

 

 

Remote Access and IT Management

Zoho® ManageEngine
VMWare® SaltStack

 

Remote access and management software allow network and IT administrators to manage configuration, accounts and access, patching, and changes of systems and resources across the network. A successful compromise of these services or administrator accounts associated with these services can grant adversaries access and visibility to network-attached devices and resources; credentials and privilege levels, and the ability to move across, or execute malware or code, across multiple devices.

 

TA0001 - Initial Access
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0009 - Collection
TA0040 - Impact

 

Image
mitre_tactics_SZ_img4.jpg

Figure 4: NAS Device and Remote Admin Risks Mapped to MITRE Tactics

 

 

Protocols and Services

RDP
SMB/Samba
UPnP

 

These protocols allow for remote access and file sharing between systems and can be configured to be internal only or internet-facing. Exploitation of insecure and vulnerable protocols like RDP, SMB, or UPnP can allow an attacker to access the internal network and systems; identify other systems and devices and move across the network; exfiltrate data; or spread malware rapidly across the network to other devices.

 

TA0001 - Initial Access
TA0007 - Discovery
TA0008 - Lateral Movement
TA0010 - Exfiltration
TA0040 – Impact

 

Image
mitre_tactics_SZ_img5.jpg

Figure 5: Protocol Risks Mapped to MITRE Tactics

 

 

Browsers

Google® Chrome
Mozillav Firefox/ESR
Microsoft® Internet Explorer
Microsof® Edge

 

Vulnerabilities and features in browsers can allow attackers to access and steal browser-stored credentials; execute code on the system; and escape browser-based protections and sandboxing to access the operating system.

 

TA0001 - Initial Access
TA0002 - Execution
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0009 - Collection

 

Image
mitre_tactics_SZ_img6.jpg

Figure 6: Browser Based Risks Mapped to MITRE Tactics

 

 

Routers

MikroTik®
ASUS®

 

Exploitation of routers are common methods of compromise small and medium businesses and residential/home offices. Routers are exploited to add assets to existing botnets; install backdoors and webshells; intercept network traffic; access and obtain credentials; and identify devices and assets connected to the router(s).

 

TA0042 – Resource Development
TA0001 – Initial Access
TA0002 – Execution
TA0003 – Persistence
TA0004 – Privilege Escalation
TA0006 – Credential Access
TA0007 – Discovery
TA0008 – Lateral Movement
TA0011 – Command and Control

 

Based off vulnerability and exploitation trends over the last 6 months, Optiv’s gTIC assesses with High Confidence that the software, products, and services on our prioritized list above will continue to remain highly popular for targeting and exploitation by cyber adversaries over the next 12 months. This is primarily due to the breadth of access and subsequent effects provided by successful compromise of these products, services, and software. Additionally, Optiv’s gTIC estimates that over the next 12 months, Initial Access will Very Likely remain the predominant and most important ATT&CK Tactic associated with adversary campaigns and attempts, as it is the first step in a successful attack before any other Tactic or Technique can be executed. Organizations and enterprises are advised to take inventory of whether any of the products in our prioritized list are present in their environment, in addition to other risk-based variables (i.e., industry vertical, geography, etc.), and assess the potential risk of a compromise of any accounts and systems that are associated with these products. From there, defensive measures and counteractions efforts can be prioritized and proposed to supplement existing security and risk management policies.

 

 

Appendix

 

References

1MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK® can be found at attack.mitre.org. All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: © 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/".

 

2Links charts and graphs in this report were created by Optiv gTIC leveraging the ThreatQuotient® Investigations platform.

 

ArsTechnica, ‘New Iranian wiper discovered in attacks on Middle Eastern companies’, 2019, https://arstechnica.com/information-technology/2019/12/new-iranian-wiper-discovered-in-attacks-on-middle-eastern-companies/

 

Chapman, Catherine, ‘Recorded Future reveals top 10 most exploited vulnerabilities in 2018’, 2019, https://portswigger.net/daily-swig/recorded-future-reveals-top-10-most-exploited-vulnerabilities-in-2018

 

Cisco Talos, ‘VPNFilter Update - VPNFilter exploits endpoints, targets new devices’, 2018, https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

 

Cofense, ‘Sharing Documents via SharePoint Is Always a Good Idea: Not always…’, 2021, https://cofense.com/blog/sharing-documents-sharepoint/

 

Eclypsium, ‘When Honey Bees Become Murder Hornets’, 2021, https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/

 

Fidelis Cybersecurity, ‘The Fidelis TRT Assesses Increased Malware Attacks Against QNAP NAS Devices’, 2020, https://fidelissecurity.com/threatgeek/threat-intelligence/fidelis-trt-assesses-increased-malware-attacks-against-qnap-nas-devices/

 

Fidelis Cybersecurity, ‘Fidelis Threat Intelligence Report – February/March 2021’, 2021, https://fidelissecurity.com/resource/report/fidelis-threat-intelligence-report-february-march-2021/

 

Lumen, ‘ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks’, 2022, https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/

 

Malwarebytes Labs, ‘The top 5 most routinely exploited vulnerabilities of 2021?’, 2022, https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/

 

Microsoft, ‘ZeroLogon is now detected by Microsoft Defender for Identity (CVE-2020-1472 exploitation)’, 2021, https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034

 

QRATOR, ‘Mēris botnet, climbing to the record’, 2021, https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/

 

Recorded Future, ‘The Top 10 Vulnerabilities Used by Cybercriminals in 2019’, 2020, https://go.recordedfuture.com/vulnerability-report-2019

 

TrendMicro, Cyclops Blink Sets Sights on Asus Routers’, 2022, https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

 

US Cybersecurity & Infrastructure Security Agency, ‘Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities’, 2022, https://www.cisa.gov/uscert/ncas/alerts/aa22-117a

 

Analytical Comments, Statements, and Best Practices

Most Likely Course of Action (MLCOA) – the expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Most Dangerous Course of Action (MDCOA) – tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Words of Estimated Probability – Optiv EIM Intelligence employs the use of both probability statements for likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, Optiv EIM Intelligence leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:

 

Image
mitre_tactics_SZ_img7.png

 

Confidence statements, as defined by Optiv EIM Intelligence, apply to reliability and relevance of information reported and are as follows:

 

Confidence Level Optiv EIM Definition Factors Quantitative Relevance
High Confidence information and/or intelligence is assessed to be of high reliability and value to drive operations and decision Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation 75%+
Moderate Confidence information and/or intelligence is reasonable and warrants consideration or action or response where applicable Sporadic observations, limited historical references (too recent or too long of a gap to be considered “established”) 45-65%(+/- 10%)
Low Confidence Information and/or intelligence is unreliable or less relevant and provided as situational awareness lack of established history or observations, unreliable or circumstantial evidence < 35%

 

Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.

 


i This information in this document is for general information purposes only. While Optiv endeavors to keep the information up to date and correct, Optiv makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to this document or the information, products, services, or related graphics contained in this document for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

Principal Intelligence Analyst/HUMINT Lead
Aamil Karimi is a Principal Intelligence Analyst and the Human Intelligence (HUMINT) lead for Optiv’s Global Threat Intelligence Center (gTIC). Aamil collects and analyzes information on threat actors/campaign trends and tactics. This provides situational awareness and advanced indications and warnings of attacks to internal and external consumers of Optiv’s threat intelligence.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.