Ransomware Spotlight Report 2023 is live!

Why Are Some Ransomware Vulnerabilities More Dangerous than Others?

Posted on Mar 2, 2023 | By Surojoy Gupta

What are the MITRE Kill Chain Vulnerabilities?

A MITRE kill chain is a model where each stage of a cyberattack can be defined, described, and tracked, visualizing each move made by the attacker. Using this framework, security teams can stop an attack and design stronger security processes to protect their assets.

This framework also has detailed procedures for each technique and catalogs the tools, protocols, and malware strains used in real-world attacks. Consequently, security researchers use these frameworks to understand attack patterns and focus on detecting exposures, evaluating current defenses, and tracking attacker groups.

Securin’s ransomware research, elucidated further in the Ransomware Spotlight Report 2023, has discovered 57 extremely dangerous vulnerabilities associated with ransomware which can be exploited as a complete MITRE ATT&CK Kill chain, from initial access to exfiltration. 

A total of 81 unique products across 20 major vendors, such as Microsoft, SonicWall, Apache, Atlassian, VMware, F5 and Oracle, were identified by Securin experts.


ATT&CK Kill Chain Vulnerabilities 

Our analysis of the 57 dangerous vulnerabilities produced the following findings:

  • 49 of the 57 vulnerabilities already feature in the DHS CISA KEV catalog. 

  • 32 vulnerabilities are rated critical as per their CVSS v3 scores, while 20 are rated high, and 5 have no ratings available.

  • Securin’s Vulnerability Intelligence platform assigned 34 of 57 vulnerabilities a predictive score of 38.46, a critical severity rating, while 23 were assigned high severity scores, providing an insight into the likelihood of the vulnerabilities being exploited in the wild.

  • 33 vulnerabilities are categorized as remote code execution (RCE), 16 vulnerabilities are categorized as privilege escalation (PE), 5 CVEs are classified as DOS, 24 vulnerabilities are WEBAPP, and 34 CVEs have both RCE and PE. 

  • CVEs with Highest Ransomware Associations include: 

    • CVE-2016-0034 has the highest number of ransomware associations with 43,

    • Closely followed by CVE-2012-1723 at 42

    • CVE-2021-34473 and CVE-2021-34523 are tied at 11 each, 

    • CVE-2020-1472 has 9 associations.

 

Securin Recommends DHS CISA to Add 8 Kill Chain Vulnerabilities to the KEV Catalog

 

Eight of the 57 MITRE Kill Chain vulnerabilities are not in the CISA KEV catalog. Our Securin experts recommend CISA to add the following to the KEVs:

  • CVE-2016-10401 - A vulnerability affecting Zyxel home routers

CVE-2016-10401 - Zyxel

CVSS v2 - 9.00     |      CVSS v3 - 8.80    |      Securin VRS - 8.48

 

  • CVE-2017-6884 - A command injection vulnerability affecting Zyxel home routers

CVE-2017-6884 - A command injection vulnerability affecting Zyxel home routers

CVSS v2 - 9.00    |     CVSS v3 - 8.80     |     Securin VRS - 9.39

 

  • CVE-2018-8389 - A Scripting Engine Memory Corruption Vulnerability affecting Internet Explorer

CVE-2018-8389 - A scxxxripting Engine Memory Corruption Vulnerability affecting Internet Explorer

CVSS v2 - 7.60     |      CVSS v3 - 7.50      |       Securin VRS - 7.76
 

  • CVE-2019-2729 - Vulnerability in the Oracle WebLogic Server component

CVE-2019-2729 - Vulnerability in the Oracle WebLogic Server component

CVSS v2 - 7.50       |       CVSS v3 - 9.80      |       Securin VRS - 9.98
 

  • CVE-2020-1210 - An RCE vulnerability in Microsoft SharePoint 

CVE-2020-1210 - An RCE vulnerability in Microsoft SharePoint 

CVSS v2 - 6.50     |     CVSS v3 - 8.80     |      Securin VRS - 8.47
 

  • CVE-2020-16875 - An RCE vulnerability in Microsoft Exchange server

CVE-2020-16875 - An RCE vulnerability in Microsoft Exchange server

CVSS v2 - 9.00     |      CVSS v3 - 7.20     |     Securin VRS - 9.08
 

  • CVE-2020-36195 -  SQL injection vulnerability affecting QNAP NAS devices 

CVE-2020-36195 -  SQL injection vulnerability affecting QNAP NAS devices 

CVSS v2 - 7.50      |      CVSS v3 - 9.80     |      Securin VRS - 8.79
 

  • CVE-2021-31206 - Microsoft Exchange Server RCE vulnerability

CVE-2021-31206 - Microsoft Exchange Server RCE vulnerability

CVSS v2 - 7.90      |      CVSS v3 - 8.00     |     Securin VRS - 8.36

 

Auld Lang Syne: Ghosts of the Past

Securin analysts identified 25 vulnerabilities that are old, dating from between 2012 and 2019. The oldest CVEs belong to Oracle. CVE-2012-1710, CVE-2012-1723 and CVE-2012-4681 affect multiple products apart from Oracle. CVE-2012-1723 and CVE-2012-4681 both have CVSS v3 scores of 10.0.

While all 25 have multiple ransomware associated with them, CVE-2016-0034 (Microsoft) takes the cake with a whopping 43 ransomware associations, followed closely by CVE-2012-1723 with 42. 

Of the 25 old vulnerabilities, 17 CVEs are categorized as RCE and RCE/PE respectively, eight are privilege escalation vulnerabilities, two are categorized as DOS, and 12 as Webapp. 

The majority of the old vulnerabilities affect two specific vendors – eight CVEs plague 70 unique Oracle products, while seven CVEs affect 51 unique Microsoft products. 

 

Top 5 Kill Chain CVEs with Highest Number of Products Affected

CVE ID

CVE Description

Number of Products Affected

CVE-2021-44228

Apache Log4J 

379

CVE-2021-40539

Zoho ManageEngine ADSelfService Plus

170

CVE-2019-11539

Pulse Secure Pulse Connect Secure 

97

CVE-2020-5902

BIG IP RCE 

84

CVE-2020-36195

QNAP SQL Injection 

57

 

Top 5 Products Affected by the Kill Chain Vulnerabilities

 

Vendor Name

Number of Products Affected

Worst Affected Product(s)

Microsoft

23

Microsoft Exchange Server

Oracle

16

JRE, JDK and WebLogic Servers

F5

14

-

Apache

3

Log4J, Struts

Atlassian

3

Confluence Server


 

Top 5 CWEs of the Kill Chain Vulnerabilities

Securin experts analyzed the weakness category of the vulnerabilities and found five CWEs that are ranked among the top 10 in MITRE’s top 40 dangerous weaknesses (2022).

 

Top 10 MITRE CWEs (and Count of Vulnerabilities)
with CVEs having a complete Kill Chain

CWE-20

 

11

CWE-22

 

7

CWE-787

 

4

CWE-89

 

4

CWE-78

 

4

 

CWE-20, an improper input validation vulnerability, has the maximum number of CVEs categorized within it. CWE-22, an Improper Limitation of a Pathname to a Restricted Directory or 'Path Traversal' vulnerability, has the second highest number of CVEs. The other noteworthy weaknesses, CWE-787, CWE-89 and CWE-78, are rated 1st, 3rd and 6th in the list of MITRE’s Most Dangerous Software Weaknesses. 

 

Scanner Detection Gone Awry

Three kill chain vulnerabilities are especially dangerous, thanks to their evasive nature from the roving eyes of common scanners like Qualys, Nessus and Nexpose. Let us take a deeper dive into these vulnerabilities:

  • CVE-2017-18362 - ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. The Securin Vulnerability Intelligence platform assigned it a score of 38.46, deeming it extremely critical since June 2019. Though the vulnerability was exploited as far back as November 2019 by GandCrab ransomware group, DHS CISA added the CVE to the KEV catalog in May 2022. Securin experts had called out the vulnerability and its inclusion in the KEV catalog in our Ransomware Spotlight Report Q3.  

CVE-2017-18362 - ConnectWise ManagedITSync integration RCE vulnerability

CVSS v2 - 7.50      |      CVSS v3 - 9.80      |      Securin VRS - 8.80

CVE-2017-18362 was initially assigned a CVSS v2 score of just 7.50, later to be revised to a critical score of 9.80 (CVSS v3). The Securin VRS definitive score of 8.80 is due to the reduced frequency of attacks exploiting the vulnerability. However, it is important to note that the vulnerability is not detectable by popular scanners, making it difficult for security teams to patch.

 

  • CVE-2017-6884 - A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability was assigned a critical score of 38.46 by Securin’s VI platform in May 2020. Despite being six years old, being associated with Ryuk ransomware, being invisible to popular scanners and having a critical severity, the DHS CISA is still yet to add the vulnerability to the KEV catalog. 

CVE-2017-6884: Zyxel EMG2926 home router

CVSS v2 - 9.00     |      CVSS v3 - 8.80      |      Securin VRS - 9.39

CVE-2017-6884 received a critical CVSS v2 score of 9.00, only to be downgraded to a CVSS v3 score of 8.80, in spite of its dangerousness. Thus, the Securin VRS reaffirms the criticality of the issue with a score of 9.39.

 

  • CVE-2020-36195 - An SQL injection vulnerability reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. The vulnerability was assigned a critical score of 38.46 by Securin’s VI platform in July 2021. Despite being three years old, having been associated with QLocker ransomware and eCh0raix ransomware, being undetectable to popular scanners, having a critical severity, and being actively trending, the DHS CISA is still yet to add the vulnerability to the KEV catalog. 

 

CVE-2020-36195: QNAP NAS SQL injection vulnerability

CVSS v2 - 7.50    |     CVSS v3 - 9.80    |     Securin VRS - 8.79

CVE-2020-36195 received a high severity CVSS v2 score of 7.50, only to be upgraded to a CVSS v3 score of 9.80. In spite of the danger it poses, Securin VRS assigns it a high score of 8.79 owing to the reduced chatter on hacker forums, thereby reducing its likelihood of being attacked.

 

In our Ransomware Report Q2-Q3, Securin analysts noted and warned about a flawed open source code used in Oracle products. Since the DHS CISA KEV catalog does not feature the trending critical vulnerability, CVE-2019-2729, Securin experts emphasized how important it is to add to the catalog. Oracle, on the other hand, used the same code in newer products in spite of the warning, as a result of which, eight new products reflect the same ransomware kill chain vulnerability. 

Securin experts have been constantly analyzing vulnerabilities associated with ransomware and mapping each CVE to their corresponding MITRE ATT&CK framework to continuously develop a better understanding into how a threat actor thinks, how they behave, and what attack patterns they deploy. Keeping abreast of the kill chain vulnerabilities by ensuring they are aware of their organization’s complete attack surface. 

 

Securin’s Attack Surface Management platform provides organizations with a hacker’s view of their attack surface, enabling them to see exposures, misconfigurations, shadow IT, and vulnerable products that have ransomware vulnerabilities. Securin ASM helps companies gain visibility into their true attack surface, helping them to improve their security posture through actionable insights by leveraging our excellent threat hunting expertise, and by expediting remediation before being attacked.

 

Click here to learn more about Securin’s ASM platform.


 

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!

csw

Secure your environment from cyber-attacks!

Know How

incognito