# T1190 Exploit Public-Facing Application

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). 

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

## Technique Detection

Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.

-----------------------------------------------------------------------

### Tactics:

  * Initial-Access

### Platforms:

  * Windows

  * IaaS

  * Network

  * Linux

  * macOS

  * Containers

### Data Sources:

  * **Network Traffic:** Network Traffic Content

  * **Application Log:** Application Log Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has exploited CVE-2020-5902, an F5 BIG-IP vulnerability, to drop a Linux backdoor. [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has also exploited misconfigured Plesk servers.(Citation: ESET BackdoorDiplomacy Jun 2021)| 
| HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)| 
| Volatile Cedar | [Volatile Cedar](https://attack.mitre.org/groups/G0123) has targeted publicly facing web servers, with both automatic and manual vulnerability discovery.(Citation: CheckPoint Volatile Cedar March 2015) (Citation: ClearSky Lebanese Cedar Jan 2021) | 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.(Citation: Volexity SolarWinds)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.(Citation: ClearkSky Fox Kitten February 2020)(Citation: Dragos PARISITE )(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has gained initial access via vulnerable webservers.(Citation: FoxIT Wocao December 2019)| 
| GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has exploited Oracle WebLogic vulnerabilities for initial compromise.(Citation: Secureworks REvil September 2019)| 
| Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX.(Citation: RedCanary Mockingbird May 2020)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)| 
| BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.(Citation: TrendMicro BlackTech June 2017)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.(Citation: FireEye APT41 March 2020)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.(Citation: KISA Operation Muzabi)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) exploited publicly-facing servers, including Wildfly/JBoss servers, to gain access to the network.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used SQL injection for initial compromise.(Citation: Symantec Chafer February 2018)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used open-source JNDI exploit kits to leverage the Log4j (CVE-2021-44228) vulnerability.(Citation: Check Point APT35 CharmPower January 2022)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions.(Citation: Securelist APT10 March 2021)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.(Citation: CISA AA20-296A Berserk Bear December 2020)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server.(Citation: Trend Micro Iron Tiger April 2021)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access. They have also exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.(Citation: NCSC APT29 July 2020)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)| 
| Night Dragon | [Night Dragon](https://attack.mitre.org/groups/G0014) has performed SQL injection attacks of extranet web servers to gain access.(Citation: McAfee Night Dragon)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers.(Citation: Microsoft NICKEL December 2021)| 
| Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has been observed using SQL injection to gain access to systems.(Citation: Novetta-Axiom)(Citation: Cisco Group 72)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1190)

  * [Cwe Top 25](https://cwe.mitre.org/top25/index.html), Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.

  * [Cis Multiple Smb Vulnerabilities](https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/), CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.

  * [Nvd Cve-2016-6662](https://nvd.nist.gov/vuln/detail/CVE-2016-6662), National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018.

  * [Nvd Cve-2014-7169](https://nvd.nist.gov/vuln/detail/CVE-2014-7169), National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.

  * [Cisco Blog Legacy Device Attacks](https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954), Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.

  * [Owasp Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.

  * [Us-Cert Ta18-106A Network Infrastructure Devices 2018](https://us-cert.cisa.gov/ncas/alerts/TA18-106A), US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 16 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Emily Porras, CTR Servando Quinones

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will exploit Common Vulnerabilities and Exposures, or vulnerable applications with internet accessible open sockets.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 | X | 2 |
| APT28 |   | 1 |

#### APT28
- has conducted SQL injection attacks against organizations' external websites.

#### APT29
- has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.

## Detection Blindspots

- Need access to application logs
- Traffic being analyzed may be encrypted 
- Sensor placement may not allow for detection of this TTP


## Analytical References

  * [APT29 Targets COVID-19 Vaccine Development](https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf)
  * [Dark Halo](https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/)



-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation.
- Web Application Firewalls may detect improper inputs attempting exploitation.


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access. They have also exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.
- Analyze for evidence of vulnerability scanning, either external-to-internal or internal-to-internal, where the user should not be performing such tasks.
- Look for evidence of pivoting from one account to another, usually from an account with fewer privileges to one with more privileges.
- APT28 has conducted SQL injection attacks against organizations' external websites.



#### Analytic 1

  * **Information:** Review network traffic for possible use of common SQL commands that may be seen across the network, specifically against hosted web applications.

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Identify possible exploitation of common services such as SQL that may be using standard SQL keywords (SELECT, FROM, WHERE, ORDER BY, etc.). Modify the keyword list as needed.

  * **Query Arkime:** `http.method == [GET, POST] && http.statuscode == 200 && http.uri == [*SELECT*, *FROM*, *WHERE*, *ORDER*]`
  * **Query Kibana:** `http.method: (GET OR POST) AND http.statuscode: 200 AND http.uri: (*SELECT* OR *FROM* OR *WHERE* OR *ORDER*)`

#### Analytic 2

  * **Information:** Review network traffic for possible exploitation of Exchange Server (i.e., webmail).
  
  * **Source:** PCAP, sessions*
  
  * **Tool:** Arkime, Kibana
  
  * **Notes:** Identify potential exploitation of common services such as webmail. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge of or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail. The adversary has used this technique in the past to access and download users' mailboxes for later exfiltration.
  
  * **Query Arkime:** `http.method == POST && http.statuscode == 200 && ip.src != [10/8, 192.168/16, 172.16/12] && ip.dst == [list of Exchange servers hosting Webmail]`

  * **Query Kibana:** `http.method: POST AND http.statuscode: 200 AND dstIp : (list of Exchange servers hosting Webmail)`

#### Analytic 3

  * **Information:** Identify possible directory traversal attack by analyzing URIs.
  
  * **Source:** PCAP, sessions*
  
  * **Tool:** Arkime, Kibana
  
  * **Notes:** A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and critical system files. It should be noted that access to files is limited by the operating system's access control (such as in the case of locked or in-use files on Microsoft Windows).

  * **Caveat:** Scanners may perform similar functions legitimately.
  
  * **Query Arkime:** `http.uri == */etc* && http.statuscode == 200`
  * **Query Kibana:** `http.uri : */etc* AND http.statuscode : 200`
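The three network analytics above re-implemented in Python over constructed HTTP session records, as an added example that is not part of this playbook or of Arkime/Kibana. The field names mirror the Arkime queries; the Exchange server address, the sample records and the double URL-decoding of URIs are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed stand-in for the "[list of Exchange servers hosting Webmail]" placeholder in Analytic 2,
# and the private source ranges that Analytic 2's Arkime query excludes.
EXCHANGE_SERVERS = {"203.0.113.25"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Analytic 1 keywords (word boundaries keep e.g. "selection" from matching) and Analytic 3's
# */etc* pattern plus the dot-dot-slash variants its Notes mention.
SQL_WORDS = re.compile(r"\b(SELECT|FROM|WHERE|ORDER)\b", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.[\\/]|/etc/", re.IGNORECASE)

# Constructed HTTP session records: src dst method status uri, one per line.
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 GET 200 /products?id=1%20UNION%20SELECT%20user,pass%20FROM%20accounts
192.168.4.20 203.0.113.25 POST 200 /owa/auth.owa
198.51.100.9 203.0.113.25 POST 200 /ecp/default.aspx
198.51.100.9 203.0.113.10 GET 200 /download?file=%252e%252e%252fetc%252fpasswd
198.51.100.9 203.0.113.10 GET 404 /download?file=../../etc/shadow
198.51.100.3 203.0.113.10 GET 200 /blog/2021/release-notes
"""
FIELDS = ("src", "dst", "method", "status", "uri")

def parse(log):
    """Split each constructed record into a dict keyed by Arkime-like field names."""
    return [dict(zip(FIELDS, line.split())) for line in log.splitlines()]

def decode(uri):
    """Decode twice so a double-encoded ../ (%252e%252e%252f) is inspected as ../ too (assumption)."""
    return unquote(unquote(uri))

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def analytic_1_sqli(rec):
    return rec["method"] in ("GET", "POST") and rec["status"] == "200" and bool(SQL_WORDS.search(decode(rec["uri"])))

def analytic_2_exchange(rec):
    return (rec["method"] == "POST" and rec["status"] == "200"
            and not is_internal(rec["src"]) and rec["dst"] in EXCHANGE_SERVERS)

def analytic_3_traversal(rec):
    return rec["status"] == "200" and bool(TRAVERSAL.search(decode(rec["uri"])))

def triage(records):
    """Map each analytic name to the raw URIs of the records that fire it; status 404 never fires."""
    rules = {"sqli": analytic_1_sqli, "exchange": analytic_2_exchange, "traversal": analytic_3_traversal}
    return {name: [r["uri"] for r in records if rule(r)] for name, rule in rules.items()}
```

Plain keyword matching in Analytic 1 is noisy on ordinary paths, so tune the keyword list per the Notes before running it over production sessions.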