Hello! I’m Nick Hyatt, Director of Threat Intelligence at Blackpoint Cyber. In this month’s Threat Digest, we’re going to look at the MITRE ATT&CK Initial Access tactic – specifically, we’re going to look at T1190, also known as Exploit Public-Facing Application. What is it, how is it used, and what are real-world threat actors doing to take advantage of this technique?

Created in 2013, the MITRE Adversary Tactics, Techniques, and Common Knowledge (also known as ATT&CK) framework is an alternative to Lockheed Martin’s Cyber Kill-chain framework. It’s designed around detecting tradecraft – the ways you can spot an attacker ‘s behavior during an incident. There are 14 categories overall, but today we’re focusing on Initial Access.

Initial Access is, put simply, an attacker trying to get into your network. While there are 10 techniques that further make up the Initial Access category, today we are discussing T1190 – a technique known as Exploit Public-Facing Application. This technique is all about an attacker exploiting a weakness in an internet-facing host or application. You can see where this is going, right? A weakness doesn’t necessarily have to be a vulnerability – it can also be a configuration issue, or even just a bug. Today, though, we’re going to look at a real-world instance of threat actors using this technique in attacks.

Our example looks at exploitation of the FortiClient EMS vulnerability, CVE-2023-48788. FortiClient EMS is a management solution for systems running tools in the FortiClient ecosystem. CVE-2023-48788 is a vulnerability that allows attackers to run commands and code with system-level access. In this instance, the Blackpoint SOC alerted to suspicious usage of finger.exe on a server. After further analysis, our SOC defenders identified the likely use of the CVE-2023-48788 vulnerability, as well as the threat actor attempting to deploy additional malware tools via connections to a command and control server in Africa. We isolated the system and prevented further infection or lateral movement.

This is a great example of T1190 – the threat actor exploited an internet-facing host (this being the server with the vulnerable application) to further establish persistence and then spread laterally within the network.

CVE-2023-48788 is just one of several vulnerabilities in 2024 that threat actors exploited in the wild demonstrating usage of T1190. There are also the ongoing Ivanti vulnerabilities in Connect Secure and Policy Secure, and the recently announced (and exploited) CVE-2024-4800 in Palo Alto GlobalProtect.

Adversaries are always looking for advantages over defenders and the time to exploitation for newly announced vulnerabilities is constantly dropping. Fortunately, by using behavior-based detection built around tactics like Initial Access, rather than relying on indicators of compromise, there are more opportunities to detect and stop attackers.

Until next month, be safe and do good work.

Written and Recorded By:

Nick Hyatt, Director of Threat Intelligence 

Nick Hyatt has extensive expertise in technology, support, and information security, with experience spanning small businesses to Fortune 500 companies across various industries. He has a deep understanding and practical experience in incident response, threat intelligence, digital forensics, and malware analysis. His hands-on skills encompass malware forensics, data mapping, threat hunting, and e-discovery in diverse environments.

Connect with Nick on LinkedIn.

The Blackpoint Brief

The Blackpoint Brief is our monthly e-newsletter that covers the latest APG research, SOC saves, sales resources, webinars, and in-person events. Stay up to date so that you can best protect your clients.