Understanding Mass Exploitation Attacks

If an organization has high value, you can bet that bad actors are contemplating how to exploit its IT weaknesses for financial gain. Ransomware attacks are the apex threat in this regard, rendering a victim’s data unusable, extorting them for a decryption key. Highly targeted organizations need to understand exactly where their risk lies and ensure that critical assets are exceptionally well protected. However, all organizations with IT infrastructure – even small ones – benefit from assessing their attack surface and mitigating vulnerabilities.

Mass Exploitation attacks are automated campaigns continuously scanning the public Internet looking for easy victims. These campaigns are carried out by bots, executing automated cyber attacks at scale. CloudFlare claims that only 7% of the Internet traffic is malicious bots, while other reports claim malicious bots account for as much as 32% of all Internet activity. Once breached, attackers misuse these compromised assets for malicious activities.

What Happens to Assets Compromised in Mass Exploitation Campaigns?

Once an attacker gains control of a victim’s IT infrastructure, they assess the value of their newly acquired spoils and determine how to best capitalize. The dark web is an underground ecosystem of cybercrime services with its own economy of supply and demand for illicit deeds. Within this ecosystem, Initial Access Brokers (IAB) sell unauthorized access to Ransomware as a Service (RaaS) groups who specialize in ransomware execution; encrypting a victim’s files and extorting them. Mass Exploitation is one way that these IABs gain a foothold.

Compromised assets with lower extortion value may become part of the IAB’s “zombie botnet”; co-opted to continuously scan the Internet for vulnerable systems to compromise. Otherwise, hijacked systems may be used to send malspam and phishing emails, infected with crypto-mining malware, or become an inconspicuous host for command-and-control (C2) infrastructure to support more targeted attack campaigns.

How Mass Exploitation Works

By exploring Mass Exploitation through the lens of the MITRE ATT&CK framework’s tactics, techniques and procedures (TTP) defenders can better understand attacker behavior. If you are not familiar with MITRE ATT&CK, now is a good time to review the MITRE ATT&CK Enterprise Matrix, since it will serve as a reference point for how attackers operate.

Mass exploitation targets large numbers of systems with sophisticated tools that can scan many IP addresses and automatically execute cyber attacks when vulnerabilities are found. These attacks aim to exploit vulnerabilities in software that is commonly exposed to the public Internet, especially software used to host websites and access webservers remotely.

Here’s how Mass Exploitation works:

• Reconnaissance [TA0043]: Attackers collect sources of vulnerability information such as NIST NVD where CVEs are published with severity scores and reports that include technical details. Attackers also discover sources of exploit code such as exploit-db, GitHub, or other sources such as dark web marketplaces. Alternatively, attackers may develop their own malicious exploits.
• Weaponization [TA0042]: Attackers build cyber weapons designed to automatically identify and exploit vulnerabilities [T1190] without the need for human interaction.
• Active Scanning [T1595]: Attackers conduct active scans of the public Internet at scale to discover listening services and their versions [T1595.002]. This process is similar to how cyber defenders conduct vulnerability scans of their own infrastructure, except instead of fixing identified vulnerabilities, attackers plan strategies to exploit them.
• Attack Deployment and Exploitation: Once an active vulnerability has been found, automated tools attempt to exploit them to control the victim’s system remotely [TA0011] or cause Denial of Service (DoS) [T1499]. A variety of software weaknesses may be involved such as: exploiting default account credentials [CWE-1392], SQL injection [CWE-89], buffer overflows [CWE-119], unauthorized file uploads [CWE-434] or otherwise broken access controls [CWE-284].
• Assessment and Action on Objectives [TA0040]: Post-compromised, the attacker decides how to best impact the victim for their own gain. Attackers may decide to conduct further reconnaissance, attempting to move laterally to other connected systems in the network [TA0008], steal data from the victim [TA0010], deploy ransomware [T1486] or sell the initial access to other cyber criminals with specialized skills [T1650].

How to Defend Against Mass Exploitation

Defending against Mass Exploitation attacks requires a proactive approach that addresses potential vulnerabilities before they can be exploited. Organizations should adopt fundamental IT security best practices including regular assessments, continuous monitoring, and timely remediation of identified weaknesses.

Here are some key security measures to defend against Mass Exploitation:

• Build an IT asset inventory: Building a comprehensive inventory of all hardware, software, and network devices within your organization ensures no systems are overlooked during risk and vulnerability assessments and patch management.
• Conduct a risk assessment: Prioritize assets based on their importance to business operations and determine how preventative efforts should be focused. Regular risk assessments help ensure that the most critical threats are addressed, reducing the chances of a high impact breach.
• Scan all assets regularly and fix identified vulnerabilities: Perform regular vulnerability scans on all IT assets, especially those exposed to the public internet and with a high risk context. Promptly apply patches or alternative mitigation measures to prevent exploitation. Track and measure vulnerability management progress in a quantified way.
• Remove unused services and applications: Unused software presents additional attack surface, which may offer attackers an opportunity to exploit vulnerabilities. By minimizing the number of active services and installed applications, potential entry points for attackers are limited.
• Education and training: Education is important to promote IT security awareness within an organization’s culture. Awareness training also goes a long way towards preventing malspam and phishing attacks from impacting an organization.
• Employ Anti-Malware solutions: Malware is often distributed through automated malspam and phishing campaigns at scale. Ensure all systems have up-to-date anti-virus software and implement spam filtering to detect and quarantine malicious files.
• Enforce strong authentication policies: Credential stuffing attacks are often automated components of Mass Exploitation campaigns. By following password best practices, such as using strong randomly generated passwords and not reusing passwords between accounts there is less risk posed by stolen passwords. Implementing password rotation policies, multi-factor authentication (MFA), and using password managers also strengthen password security.
• Use firewalls and IPS: Firewalls and Intrusion Prevention Systems (IPS) can block malicious traffic by using rules or patterns. Configure rulesets as strictly as possible to block unnecessary inbound traffic from scanning sensitive services. Regularly review and update firewall and IPS configurations to account for current threats.

Summary

Mass Exploitation refers to automated cyber attack campaigns that use bots to scan the public Internet for vulnerable systems. These attacks target a wide range of victims, exploiting known vulnerabilities in software that is commonly exposed to the internet. Once compromised, attackers use the breached systems for various malicious purposes, including launching ransomware attacks, selling access to other criminal groups or further extending botnets. Mass exploitation is a major threat as it allows attackers to operate at scale with minimal effort.

To defend against Mass Exploitation, organizations must implement proactive security measures such as regular vulnerability scanning, timely patch management, strong access controls and network monitoring. Additionally, ensuring that staff have adequate security training can help reduce the risk of becoming a victim of Mass Exploitation campaigns.