Exploit Public-Facing Application

Adversaries may attempt to take advantage of a weakness or a vulnerability in an Internet-facing application to cause unintended or unanticipated behavior and execute arbitrary code on the hosting machine. The weakness in the system can be a bug, a glitch, or a design vulnerability.[1]

These applications are often websites, but can also include databases, standard services like SSH (see External Remote Services), network device administration and management protocols, and any other applications with Internet-accessible open sockets, such as web servers and related services.[1]

Procedure Examples

APT39: APT39 has used SQL injection for initial compromise.[2]

APT41: APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[3]

Rocke: Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[4][5]

UNC2452: UNC2452 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[6]

Mitigations

Application Isolation and Sandboxing: Application isolation limits what other processes and system features an exploited target can access.

Exploit Protection: Web Application Firewalls may be used to limit the exposure of applications and to prevent exploit traffic from reaching the application.

Network Segmentation: Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

Privileged Account Management: Using least privilege for service accounts limits what permissions an exploited process gets on the rest of the system.

Update Software: Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.

Detection

Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.
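As an added illustration of the log-monitoring guidance above (this is example code written for this page, not part of the original technique entry or any MITRE tooling), the script below parses web server access log lines in the common combined format, URL-decodes each request target, and flags the textbook SQL injection indicators that a WAF or log pipeline would look for. The log lines are constructed samples, the IP addresses are documentation ranges, and the indicator patterns are illustrative rather than a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (combined log format); not real traffic.
# Two of the four requests carry injection-style input in the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2020:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2020:10:01:09 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Dec/2020:10:02:15 +0000] "GET /search?q=laptop HTTP/1.1" 200 8801 "-" "curl/7.68.0"
203.0.113.5 - - [20/Dec/2020:10:02:40 +0000] "GET /products?id=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 9944 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Illustrative SQL-injection indicators, applied to the *decoded* request target
# so that percent-encoded payloads are not missed.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %xx sequences and '+' so the patterns see the request as the app does.
    rec["decoded_target"] = unquote_plus(rec["target"])
    return rec


def find_indicators(decoded_target):
    """Names of every SQLI pattern that matches the decoded request target."""
    return [name for name, pat in SQLI_PATTERNS if pat.search(decoded_target)]


def scan_log(text):
    """Scan log text and return one alert record per suspicious request."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = find_indicators(rec["decoded_target"])
        if hits:
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "target": rec["decoded_target"],
                "status": rec["status"],
                "indicators": hits,
            })
    return alerts


def summarize_by_source(alerts):
    """Count alerts per client IP; repeated hits from one source raise priority."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["ip"]} status={a["status"]} '
              f'indicators={",".join(a["indicators"])} target={a["target"]}')
    print("alerts per source:", summarize_by_source(found))
```

On the sample data this reports the two injected requests from 203.0.113.5 and leaves the ordinary product and search requests alone. Note that the second sample line pairs an injection indicator with an HTTP 500, which is the kind of status anomaly worth correlating with the input-based match; in a real pipeline the patterns would be one signal among several, and the per-source counts would feed rate-based alerting rather than being a verdict on their own.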

References

ID: VT0003
MITRE ID:
Sub-techniques: No sub-techniques
Tactic: Initial Access
Platforms: AWS, Azure, GCP, Linux, Network, Windows, macOS
Data Sources: AWS CloudTrail logs, Application logs, Azure activity logs, Packet capture, Stackdriver logs, Web application firewall logs, Web logs
Version: 2.2

Created: 01 December 2020

Last Modified: 20 December 2020