A Quick Review of Exploiting Public-Facing Application Tactics
Exploiting public-facing applications is a common tactic used by adversaries to gain unauthorized access to a system or network. Such applications can include websites, databases, network device administration and management protocols, and other applications with open sockets accessible over the Internet. Adversaries can take advantage of a weakness in the system, such as a bug, glitch, or design vulnerability, by using software, data, or commands to cause unintended or unanticipated behavior. In some cases, exploiting public-facing applications can lead to compromise of cloud-based infrastructure or containerized applications, providing the adversary with access to cloud or container APIs, weak identity and access management policies, and more.
Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet-accessible open sockets, such as web servers and related services. Depending on the flaw being exploited, this may include Exploitation for Defense Evasion.
Public-facing applications are often targeted by attackers because they are exposed to the Internet and are accessible from anywhere in the world. When a vulnerability is discovered, attackers can exploit it to gain unauthorized access to the system, allowing them to steal sensitive data, plant malware, or carry out other malicious activities. The impact of such attacks can be significant, causing financial losses, reputational damage, and legal repercussions.
One of the most common ways adversaries exploit public-facing applications is by leveraging web-based vulnerabilities such as those highlighted in the OWASP Top 10 and CWE Top 25. These vulnerabilities can include SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), broken authentication and session management, and more.
In addition to web-based vulnerabilities, adversaries can also exploit weaknesses in specific applications or protocols. For example, the recent Microsoft Exchange Server attacks that occurred in early 2021 were the result of exploiting four zero-day vulnerabilities in the on-premises versions of Microsoft Exchange Server. Adversaries used these vulnerabilities to gain access to email accounts and install additional malware.
Another example of exploiting a specific application is the F5 BIG-IP vulnerability (CVE-2020-5902) that was exploited by the BackdoorDiplomacy group to drop a Linux backdoor. Similarly, the Dragonfly group has exploited vulnerabilities in Citrix (CVE-2019-19781 and CVE-2020-0688) and Fortinet VPNs (CVE-2018-13379) to gain unauthorized access.
Adversaries may also exploit public-facing applications to gain access to cloud-based infrastructure or containerized applications. When a vulnerability is discovered, adversaries can exploit it to compromise the underlying instance or container, allowing them to gain access to cloud or container APIs, escape to the host, or take advantage of weak identity and access management policies.
To defend against attacks on public-facing applications, organizations must implement strong security measures, such as applying software updates and patches promptly, implementing secure coding practices, and regularly performing vulnerability scans and penetration tests. Organizations should also consider implementing web application firewalls (WAFs) and intrusion detection and prevention systems (IDPSs) to detect and block attacks.
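To make the "secure coding practices" point concrete for the SQL injection class mentioned above, the following added example (not part of the original article) places a login check that builds its query by string concatenation next to the parameterized form. The `users` table, the credentials and the bypass input are constructed for the demonstration; plaintext password storage is used only to keep the example short.

```python
import sqlite3

# Constructed in-memory user table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # String concatenation: user input becomes part of the SQL statement,
    # so a quote in the input changes the query's logic.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row is not None

def login_hardened(conn, username, password):
    # Parameterized query: input is bound as data and never parsed as SQL,
    # so the same input is simply compared against the stored value.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

def demo():
    conn = make_db()
    bypass = "' OR '1'='1"  # classic tautology from the OWASP injection category
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bypass": login_vulnerable(conn, "alice", bypass),
        "hard_valid": login_hardened(conn, "alice", "correct horse"),
        "hard_bypass": login_hardened(conn, "alice", bypass),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

Running it shows the concatenated version accepting the bypass string as a valid login while the parameterized version rejects it, which is the behaviour a code review or a vulnerability scan of an Internet-facing application should be looking for.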
In summary, exploiting public-facing applications is a common tactic used by adversaries to gain unauthorized access to systems and networks. Such attacks can be highly damaging, leading to financial losses, reputational damage, and legal repercussions. To defend against these attacks, organizations must implement strong security measures and regularly perform vulnerability scans and penetration tests. By doing so, they can significantly reduce the risk of a successful attack and protect their systems and data from compromise.