Once vulnerabilities are identified, they are posted on Common Vulnerabilities and Exposures (CVE).
How do exploits work?
Exploits take advantage of a security flaw in an operating system, piece of software, computer system, Internet of Things (IoT) device or other security vulnerability.
Once an exploit has been used, it often becomes known to the software developers of the vulnerable system or software, and is often fixed through a patch and becomes unusable.
This is why many cybercriminals, as well as military or government agencies do not publish exploits to CVE but choose to keep them private.
When this happens, the vulnerability is known as a zero-day vulnerability or zero-day exploit.
One famous example of a government agency (the NSA) choosing to keep a software vulnerability private is EternalBlue.
EternalBlue exploited legacy versions of the Microsoft Windows operating system that used an outdated version of the Server Message Block (SMB) protocol.
Cybercriminals developed the WannaCry ransomware worm that exploited EternalBlue and it spread to an estimated 200,000+ computers across 150 countries with damages ranging from hundreds of millions to billions of dollars before EternalBlue was patched.
Despite software developers issuing a patch to fix EternalBlue, this known vulnerability continues to be a large cybersecurity risk because of poor user adoption of the patch.
What are the different types of exploits?
Exploits can be classified into five broad categories:
- Hardware: Poor encryption, lack of configuration management or firmware vulnerability.
- Software: Memory safety violations (buffer overflows, over-reads, dangling pointers), input validation errors (code injection, cross-site scripting (XSS), directory traversal, email injection, format string attacks, HTTP header injection, HTTP response splitting, SQL injection), privilege-confusion bugs (clickjacking, cross-site request forgery, FTP bounce attack), race conditions (symlink races, time-of-check-to-time-of-use bugs), side channel attacks, timing attacks and user interface failures (blaming the victim, race conditions, warning fatigue).
- Network: Unencrypted communication lines, man-in-the-middle attacks, domain hijacking, typosquatting, poor network security, lack of authentication or default passwords.
- Personnel: Poor recruiting policy and process, lack of security awareness training, poor adherence to information security policy, poor password management or falling for common social engineering attacks like phishing, spear phishing, pretexting, honey trapping, smishing, waterholing or whaling.
- Physical site: Poor physical security, tailgating and lack of keycard access control.
In each of these categories, we can split vulnerabilities into two groups: known vulnerabilities and zero-day exploits:
- Known vulnerabilities: Exploits security researchers know about and have documented. Exploits that target known vulnerabilities are often already patched but still remain a viable threat because of slow patching.
- Zero-day exploits: Vulnerabilities that have not been reported to the public or listed on CVE. This means cybercriminals have found the exploit before developers have been able to issue a patch, in some cases the developer may not even know of the vulnerability.
How do exploits occur?
There are several ways exploits occur:
- Remote exploits: Works over a network and exploits the vulnerability without prior access to the vulnerable system.
- Local exploits: Requires prior access to the vulnerable system and increases the privilege of the attacker past those granted by the security administrator.
- Client exploits: Exploits against client applications exist and usually consist of modified servers that send an exploit when accessed with a client application. They may also require interaction from the user and rely on social engineering techniques like phishing or spear phishing to spread or adware.
In general, exploits are designed to damage the confidentiality, integrity or availability (CIA triad) of software or a system.
For example, an attacker could damage the confidentiality of a computer by installing malware on the computer, the integrity of a web page by injecting malicious code into the web browser, or availability by performing a distributed denial of service (DDoS) attack powered by a botnet of trojans.
What is an exploit kit?
An exploit kit is a program that attackers can use to launch exploits against known vulnerabilities in commonly installed software such as Adobe Flash, Java and Microsoft Silverlight.
A typical exploit kit provides a management console, vulnerabilities targeted at different applications and several plug-ins that make it easier to launch a cyber attack.
Due to their automate nature, exploits kits are a popular method of spreading different types of malware and generating profit. Creators of exploits kits may offer their exploit kit as a service or as one-off purchase.
How can I mitigate the risk of exploits?
Your organization can mitigate the risk of exploits by installing all software patches as soon as they are released, providing cyber security awareness and OPSEC training and investing in security software like an antivirus, automated leaked credential discovery and data exposure detection.
It also pays to understand cloud security, as S3 security is flawed by design.
Your vendors who process sensitive data (e.g. protected health information (PHI), personally identifiable information (PII) or biometric data) can be the targets of corporate espionage or cyber attacks if they have worse cyber security than your organization.
Vendor risk management is an increasingly important part of information risk management, invest in developing a robust third-party risk management framework, vendor management policy and cyber security risk assessment process.
Ask current and potential vendors for their SOC 2 assurance report and avoid vendors who don't meet your security standards.
Third-party risk and fourth-party risk are at the heart of many data breaches and data leaks. With the cost of data breach involving third-parties reaching an average of $4.29 million it pays to prevent data breaches.
If your security team is small, consider automating vendor risk management.
In short, focus on preventing exploits rather than cleaning them up. Even if you recognize you have been attacked, IP attribution and digital forensics won't always be able to provide you with answers.
What are examples of exploits?
In 2016, Yahoo announced that over 1 billion user accounts had been leaked, making it one of the biggest data breaches ever. Attackers were able to gain access because Yahoo was using a weak and outdated hashing algorithm called MD5.
Another famous example is the WannaCry ransomware cryptoworm which exploited the EternalBlue vulnerability. EternalBlue was stolen and leaked by a group called The Shadow Brokers a few months prior to the attack.
While EternalBlue was quickly patched, much of WannaCry's success was due to organizations not patching or using older Windows systems.
How UpGuard can protect your organization from exploits
Don't wait for a cyber attack to cripple your business, CLICK HERE for a FREE UpGuard trial now!