2023-03-30

During this incident, the time between the security advisory and the exploitation of CVE-2023-0669 was less than one day, making it one of the fastest adoption time frames by financially motivated attackers observed by X-Force since 2020. The X-Force Vulnerability and Exploit Database, which has been curating vulnerability and exploit data since 1993, shows that the number of zero days released is increasing year over year, yet X-Force observes only a handful of zero days rapidly adopted by cyber criminals each year. This raises the question: “why are some zero days rapidly and widely adopted for criminal operations and others not?” Based on the data from the X-Force database and incident response engagements, it appears that not every zero day is created equal. While every zero day is important and organizations should still devote effort to patching zero days once a patch is released, certain zero days have characteristics that make them more likely to be rapidly and widely adopted by cyber criminals.

The following CVEs were the most rapidly and widely adopted zero days by cyber criminals observed by X-Force since 2020:

CVE-2020-1472 (ZeroLogon)

CVE-2021-26855 (ProxyLogon)

CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (ProxyShell)

CVE-2021-34527 (PrintNightmare)

CVE-2022-26925 (PetitPotam)

CVE-2023-0669 (GoAnywhere)

In 2021, X-Force published a blog post detailing “How Ransomware Attacks Happen”, and it turns out that the attack path described in that post has a direct relationship with zero day adoption by cyber criminals. Analyzing the most widely used zero days, what an attacker can achieve through exploitation, and the incidents in which they were used indicates that the zero days that enable ransomware operators to quickly and easily reach their goals and objectives are more likely to be used “in the wild”.

ZeroLogon — Allows an unauthenticated attacker with network access to a domain controller to exploit a Netlogon session and gain domain administrator privileges.

PrintNightmare — A vulnerability in the Windows Print Spooler service that enables an attacker to escalate privileges, either locally or remotely, by loading a malicious DLL that is executed as SYSTEM.

PetitPotam — An NTLM relay attack that allows a remote, unauthenticated attacker to take control of an Active Directory domain by triggering a domain controller to relay its credentials to a system controlled by the attacker. With the domain controller’s NTLM credentials, the attacker can relay them to Active Directory Certificate Services (AD CS) to obtain a DC certificate. The attacker can then use the DC certificate to request a TGT (Ticket Granting Ticket) and take control of the entire domain through Pass-The-Ticket attacks.

Because ZeroLogon, PrintNightmare, and PetitPotam allow an attacker to obtain privileged access to Active Directory without credential harvesting or lateral movement, they significantly simplify the ransomware attack path, and as such X-Force has observed their use in multiple ransomware attacks.

ProxyShell and ProxyLogon are vulnerabilities affecting on-premises Microsoft Exchange that enable a remote attacker to elevate privileges and execute arbitrary commands on vulnerable servers. Microsoft Exchange is an attractive target for attackers because the servers host business email, which can enable internal phishing, and because the tight integration between Exchange and Active Directory means a compromised server can also be used to move laterally to other high-value systems or to access privileged account credentials. According to Microsoft, “If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance.”

X-Force has observed ProxyShell and ProxyLogon leveraged in multiple ransomware attacks in which the attacker was able to obtain domain administrator privileges, exfiltrate sensitive business data, and deploy ransomware directly from the Exchange servers.

Regarding GoAnywhere, X-Force has observed that the exploited servers tend to be domain-joined Microsoft Windows systems, which give the attacker an immediate opportunity to reach high-value systems within Active Directory.

A notable absentee from the widely adopted zero-day list is Log4j. While Log4j gained widespread media attention, X-Force did not respond to many serious financially motivated incidents in which Log4j was exploited. It is possible that organizations did a heroic job of patching vulnerable systems; however, given the number of systems still vulnerable to CVE-2021-44228, it appears that cyber criminals have not adopted it as widely for another reason. One interesting data point that may explain why Log4j has not been observed in as many incident response engagements is that, based on X-Force vulnerability data, the majority of vulnerable Log4j systems are running Linux. Pivoting from Linux to Microsoft Active Directory requires more knowledge and capability and falls outside the normal ransomware attack lifecycle, which further indicates that the ransomware attack lifecycle is driving zero-day adoption by cyber criminals.