gTIC Prioritized List + MITRE Tactics
November 29, 2023

Over the past 24 months, Optiv's Global Threat Intelligence Center (gTIC) observed, collected, and analyzed multiple data points and information derived from Optiv's own Enterprise Incident Management (EIM) team's engagements as well as external industry reporting pertaining to cyber incidents and intrusions. Our risk-based and proactive approach to cyber threat intelligence (CTI) yielded a list of the most commonly targeted and exploited software and services that organizations should prioritize in terms of patch management, hardening, asset inventory, and visibility. These products and services are known to be targeted by all types of cyber adversaries, including hacktivists, cyber-criminals, and state-sponsored entities; they are currently, and are forecasted with High Confidence to remain, targeted and exploited by adversaries. In addition to the list, Optiv's gTIC also correlated each entry to the MITRE ATT&CK® [1] Tactics that enable the further Techniques and procedures adversaries use to carry out their attacks. The intent of mapping to the overall Tactics is to highlight the importance of our prioritized software and services list and the analysis that went into curating it. Techniques, Sub-Techniques, and the multitude of tools and procedures associated with the general Tactics are not listed here, as they become too numerous with too many variables and unknowns. Attribution and correlation to specific named groups is also less relevant at this level of analysis and risk management.
This report serves as a high-level introduction to a series of posts in which Optiv's gTIC goes into more detail on adversaries, campaigns, malware, and specific tools and Techniques (mapped to the ATT&CK framework) associated with attacks or compromises leveraging each of the types of software and services from the list below.

Below is Optiv gTIC's Prioritized Software and Services List, along with the ATT&CK Tactics that can be achieved as a result of targeting and successful exploitation. Tactics are annotated with their corresponding TA* identifier throughout this report. It is important to note that the list is not all-inclusive, but it gives organizations and entities a solid starting point for the potential risks posed to their environments based on their asset lists and products, as well as a starting point for defensive and countermeasure prioritization. [i] Please also see the other blog posts in this series, which include focus lists on Apache, Oracle WebLogic, Microsoft, and VMware prioritized software and services.

Critical Enterprise Software

Products and software that fall under this category are considered essential to business processes and continuity. The products enable internal and external communication; web and application servers; and file and data hosting, management, storage, and sharing. Adversaries target these types of software and products for various actions, including accessing and exfiltrating data, gaining initial entry through phishing and malware disguised as legitimate files, installing backdoors and webshells, enumerating user credentials and privileges, and mapping out other parts of the network.
Apache® Frameworks (e.g., Struts, Tomcat, HTTP Server, Kafka; see our Apache blog for more info)
- TA0042 - Resource Development
- TA0001 - Initial Access
- TA0002 - Execution
- TA0003 - Persistence
- TA0004 - Privilege Escalation
- TA0007 - Discovery
- TA0008 - Lateral Movement
- TA0009 - Collection
- TA0010 - Exfiltration
- TA0011 - Command and Control
- TA0040 - Impact

Figure 1: Apache Framework Risks Mapped to MITRE Tactics [2]

Oracle® WebLogic (see our WebLogic blog for more info)
- TA0042 - Resource Development
- TA0001 - Initial Access
- TA0002 - Execution
- TA0003 - Persistence
- TA0009 - Collection
- TA0011 - Command and Control
- TA0040 - Impact

Microsoft® Exchange (see our Microsoft blog for more info)
- TA0001 - Initial Access
- TA0002 - Execution
- TA0003 - Persistence
- TA0004 - Privilege Escalation
- TA0010 - Exfiltration
- TA0040 - Impact

Microsoft® SharePoint
- TA0001 - Initial Access
- TA0003 - Persistence
- TA0004 - Privilege Escalation
- TA0009 - Collection
- TA0010 - Exfiltration
- TA0040 - Impact

Microsoft® Office/O365
- TA0001 - Initial Access
- TA0002 - Execution
- TA0005 - Defense Evasion
- TA0009 - Collection

Microsoft® SQL Server
- TA0001 - Initial Access
- TA0003 - Persistence
- TA0006 - Credential Access
- TA0007 - Discovery
- TA0009 - Collection
- TA0040 - Impact

VMware® Products (e.g., vCenter, vSphere, Horizon, ESXi, Workspace ONE; see our VMware blog for more info)
- TA0042 - Resource Development
- TA0001 - Initial Access
- TA0002 - Execution
- TA0004 - Privilege Escalation
- TA0005 - Defense Evasion
- TA0006 - Credential Access
- TA0007 - Discovery
- TA0008 - Lateral Movement
- TA0009 - Collection
- TA0040 - Impact

Liferay® Portal
- TA0001 - Initial Access
- TA0007 - Discovery
- TA0008 - Lateral Movement

Adobe® (e.g., Flash, Reader)
- TA0002 - Execution

Content Management System Sites

- WordPress®
- Joomla!®
- Drupal®
- Liferay®
- Magento®
- WooCommerce®
- vBulletin®

Content Management System (CMS) platforms allow organizations and entities to publish content as well as manage e-commerce through their websites.
CMS pages are Very Likely to be exploited through vulnerabilities in plug-ins and applications that are installed to add or enhance CMS features and functionality. A compromise of a CMS page can allow adversaries to upload malicious scripts or malware onto the page to infect visitors in drive-by or watering-hole attacks; manipulate, steal, or delete content; or obtain web administrator credentials.

- TA0042 - Resource Development
- TA0001 - Initial Access
- TA0002 - Execution
- TA0004 - Privilege Escalation
- TA0006 - Credential Access
- TA0009 - Collection
- TA0010 - Exfiltration
- TA0011 - Command and Control

Figure 2: CMS Platform Risks Mapped to MITRE Tactics

Software Development, Documentation, Code/Project Repositories

- Jenkins®
- Docker®
- Atlassian® (Confluence, Jira, others)
- Codecov®
- Oracle® Java Platform/Java SE

Products under this category provide developers an environment and infrastructure to create, maintain, and produce proprietary code and software related to enterprise applications, projects, and products that are used internally or are part of their business portfolio. Given the type of information stored, these are highly sensitive environments, and a successful compromise can allow an attacker to access sensitive data; discover user credentials and other sensitive directories; and manipulate, destroy, or compromise existing code and projects, which can then be distributed as a supply-chain attack.

- TA0001 - Initial Access
- TA0002 - Execution
- TA0006 - Credential Access
- TA0007 - Discovery
- TA0008 - Lateral Movement
- TA0009 - Collection
- TA0040 - Impact

VPN and Proxy Clients

- Pulse Secure®/Ivanti® Pulse Connect Secure
- Citrix® ADC/Gateway
- Fortinet® FortiGate
- Palo Alto® GlobalProtect
- Sangfor® VPN

Virtual Private Network (VPN) clients allow users access into restricted and internal corporate resources, sites, and communications.
A compromise of an insecure or vulnerable VPN client or application can give an adversary initial access into sensitive environments, access to internal documents, and the ability to discover and access other assets and systems on the network.

- TA0001 - Initial Access
- TA0004 - Privilege Escalation
- TA0007 - Discovery
- TA0008 - Lateral Movement

Figure 3: VPN Client Risks Mapped to MITRE Tactics

NAS Devices

- QNAP®
- Synology®
- Zyxel®

Network-attached storage (NAS) devices allow users on the same network to access folders and files stored on the external NAS drive. Adversaries can leverage vulnerable and unprotected NAS devices for initial intrusion and access to files and folders; identify other assets and user accounts associated with the compromised NAS device; drop malicious content onto the NAS device; or manipulate, steal, or delete files and folders.

- TA0001 - Initial Access
- TA0004 - Privilege Escalation
- TA0006 - Credential Access
- TA0007 - Discovery
- TA0009 - Collection
- TA0010 - Exfiltration
- TA0040 - Impact

Remote Access and IT Management

- Zoho® ManageEngine
- VMware® SaltStack

Remote access and management software allows network and IT administrators to manage configuration, accounts and access, patching, and changes of systems and resources across the network. A successful compromise of these services, or of the administrator accounts associated with them, can grant adversaries access and visibility to network-attached devices and resources; credentials and privilege levels; and the ability to move across, or execute malware or code on, multiple devices. This grouping also includes products that may be open-source and lightweight (individually installed or licensed rather than enterprise-wide), such as Splashtop, TeamViewer, AnyDesk, LogMeIn, VNC, RClone, and others.
- TA0001 - Initial Access
- TA0003 - Persistence
- TA0004 - Privilege Escalation
- TA0006 - Credential Access
- TA0007 - Discovery
- TA0008 - Lateral Movement
- TA0009 - Collection
- TA0040 - Impact

Figure 4: NAS Device and Remote Admin Risks Mapped to MITRE Tactics

Protocols and Services

- RDP
- SMB/Samba
- UPnP

These protocols allow for remote access and file sharing between systems and can be configured to be internal-only or internet-facing. Exploitation of insecure and vulnerable protocols like RDP, SMB, or UPnP can allow an attacker to access the internal network and systems; identify other systems and devices and move across the network; exfiltrate data; or spread malware rapidly across the network to other devices.

- TA0001 - Initial Access
- TA0007 - Discovery
- TA0008 - Lateral Movement
- TA0010 - Exfiltration
- TA0040 - Impact

Figure 5: Protocol Risks Mapped to MITRE Tactics

Browsers

- Google® Chrome
- Mozilla Firefox/ESR
- Microsoft® Internet Explorer
- Microsoft® Edge

Vulnerabilities and features in browsers can allow attackers to access and steal browser-stored credentials; execute code on the system; and escape browser-based protections and sandboxing to access the operating system.

- TA0001 - Initial Access
- TA0002 - Execution
- TA0004 - Privilege Escalation
- TA0006 - Credential Access
- TA0009 - Collection

Figure 6: Browser-Based Risks Mapped to MITRE Tactics

Routers

- MikroTik®
- ASUS®

Exploitation of routers is a common method of compromising small and medium businesses and residential/home offices. Routers are exploited to add assets to existing botnets; install backdoors and webshells; intercept network traffic; access and obtain credentials; and identify devices and assets connected to the router(s).
- TA0042 - Resource Development
- TA0001 - Initial Access
- TA0002 - Execution
- TA0003 - Persistence
- TA0004 - Privilege Escalation
- TA0006 - Credential Access
- TA0007 - Discovery
- TA0008 - Lateral Movement
- TA0011 - Command and Control

Identity Access Management

- Okta® SSO
- ForgeRock® AM
- Oracle® AMS
- PingOne®

Identity Access Management (IAM) products are a highly attractive target for sophisticated threat actors capable of combining stolen or acquired credentials with social engineering via email, SMS, or phone calls. Exploitation of vulnerabilities in public-facing instances is also an observed attack vector for Initial Access, Credential Access, and Privilege Escalation. Exploitation of IAM services gives threat actors the ability to create new accounts, modify existing accounts, and discover sensitive systems for data exfiltration or deployment of malware or ransomware.

- TA0042 - Resource Development
- TA0001 - Initial Access
- TA0004 - Privilege Escalation
- TA0003 - Persistence
- TA0006 - Credential Access

Assessment

Based on vulnerability and exploitation trends over the last 6 months, Optiv's gTIC assesses with High Confidence that the software, products, and services on our prioritized list above will remain highly popular for targeting and exploitation by cyber adversaries over the next 12 months. This is primarily due to the breadth of access and subsequent effects provided by successful compromise of these products, services, and software. Additionally, Optiv's gTIC estimates that over the next 12 months, Initial Access and Defense Evasion will Very Likely remain among the predominant and most important ATT&CK Tactics associated with adversary campaigns and attempts: Initial Access is the first step in a successful attack before any other Tactic or Technique can be executed, while Defense Evasion allows an adversary to remain undetected for as long as possible.
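As an added example that is not part of Optiv's report, the following Python script joins a constructed asset inventory against a subset of the prioritized list above, using the Tactic mappings the report gives for each category, and ranks the matched assets by how many Tactics their compromise would enable. The keyword-to-category patterns, the inventory rows and the extra weight given to internet-facing assets are assumptions made for illustration.

```python
"""Join an asset inventory against the gTIC prioritized list and report the
ATT&CK Tactics each matched product enables. Added example, not Optiv's code:
the category-to-Tactic mapping is transcribed from the report; the keyword
patterns, inventory rows and internet-facing weighting are constructed."""
from collections import Counter

# Tactic IDs used in the report and their names.
TACTICS = {
    "TA0042": "Resource Development", "TA0001": "Initial Access",
    "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection",
    "TA0010": "Exfiltration", "TA0011": "Command and Control", "TA0040": "Impact",
}

# Report categories -> Tactics the report maps to them (a subset of the list).
PRIORITIZED = {
    "Microsoft Exchange": {"TA0001", "TA0002", "TA0003", "TA0004", "TA0010", "TA0040"},
    "VPN and Proxy Clients": {"TA0001", "TA0004", "TA0007", "TA0008"},
    "NAS Devices": {"TA0001", "TA0004", "TA0006", "TA0007", "TA0009", "TA0010", "TA0040"},
    "Protocols and Services": {"TA0001", "TA0007", "TA0008", "TA0010", "TA0040"},
    "Identity Access Management": {"TA0042", "TA0001", "TA0003", "TA0004", "TA0006"},
}

# Constructed keyword -> category normalisation for free-text inventory fields.
PATTERNS = {
    "exchange": "Microsoft Exchange", "fortigate": "VPN and Proxy Clients",
    "pulse connect": "VPN and Proxy Clients", "globalprotect": "VPN and Proxy Clients",
    "qnap": "NAS Devices", "synology": "NAS Devices", "okta": "Identity Access Management",
    "rdp": "Protocols and Services", "smb": "Protocols and Services",
}

def categorize(product):
    """Return the gTIC category for an inventory product string, or None."""
    text = product.lower()
    return next((cat for key, cat in PATTERNS.items() if key in text), None)

def assess_inventory(assets):
    """Rank assets on the prioritized list by the number of Tactics their
    compromise enables; internet-facing assets sort first because Initial
    Access is the first step of any successful attack (weighting is assumed)."""
    findings = []
    for asset in assets:
        category = categorize(asset["product"])
        if category is None:
            continue  # not on the prioritized list: out of scope here
        tactics = sorted(PRIORITIZED[category])
        score = len(tactics) + (len(TACTICS) if asset["internet_facing"] else 0)
        findings.append({"host": asset["host"], "category": category,
                         "internet_facing": asset["internet_facing"],
                         "tactics": tactics, "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["host"]))

def tactic_coverage(findings):
    """Count, per Tactic, how many matched assets expose it."""
    return Counter(t for f in findings for t in f["tactics"])

# Constructed inventory rows for illustration.
INVENTORY = [
    {"host": "mail01", "product": "Microsoft Exchange Server 2019", "internet_facing": True},
    {"host": "fw-edge", "product": "Fortinet FortiGate SSL-VPN", "internet_facing": True},
    {"host": "nas-hr", "product": "QNAP TS-453D", "internet_facing": False},
    {"host": "jump01", "product": "Windows RDP jump host", "internet_facing": False},
    {"host": "crm01", "product": "In-house CRM", "internet_facing": True},
]

if __name__ == "__main__":
    results = assess_inventory(INVENTORY)
    for f in results:
        print(f["host"], f["category"], f["internet_facing"], [TACTICS[t] for t in f["tactics"]])
    print(tactic_coverage(results).most_common(3))
```

The coverage counter shows which Tactics the environment's exposed assets enable most often; with the constructed inventory, Initial Access is reachable through every matched asset, which is consistent with the report's emphasis on that Tactic.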
Organizations and enterprises are advised to take inventory of whether any of the products in our prioritized list are present in their environment, in addition to other risk-based variables (e.g., industry vertical and geography), and to assess the potential risk of a compromise of any accounts and systems associated with these products. From there, defensive measures and countermeasure efforts can be prioritized and proposed to supplement existing security and risk management policies. Optiv's gTIC provides additional focus lists on Apache, Oracle WebLogic, Microsoft, and VMware prioritized software and services.

Appendix

References

[1] MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK® can be found at attack.mitre.org. All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: © 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/.

[2] Link charts and graphs in this report were created by Optiv gTIC leveraging the ThreatQuotient® Investigations platform.
ArsTechnica, ‘New Iranian wiper discovered in attacks on Middle Eastern companies’, 2019, https://arstechnica.com/information-technology/2019/12/new-iranian-wiper-discovered-in-attacks-on-middle-eastern-companies/
Chapman, Catherine, ‘Recorded Future reveals top 10 most exploited vulnerabilities in 2018’, 2019, https://portswigger.net/daily-swig/recorded-future-reveals-top-10-most-exploited-vulnerabilities-in-2018
Cisco Talos, ‘VPNFilter Update - VPNFilter exploits endpoints, targets new devices’, 2018, https://blog.talosintelligence.com/2018/06/vpnfilter-update.html
Cofense, ‘Sharing Documents via SharePoint Is Always a Good Idea: Not always…’, 2021, https://cofense.com/blog/sharing-documents-sharepoint/
Eclypsium, ‘When Honey Bees Become Murder Hornets’, 2021, https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/
Fidelis Cybersecurity, ‘The Fidelis TRT Assesses Increased Malware Attacks Against QNAP NAS Devices’, 2020, https://fidelissecurity.com/threatgeek/threat-intelligence/fidelis-trt-assesses-increased-malware-attacks-against-qnap-nas-devices/
Fidelis Cybersecurity, ‘Fidelis Threat Intelligence Report – February/March 2021’, 2021, https://fidelissecurity.com/resource/report/fidelis-threat-intelligence-report-february-march-2021/
Lumen, ‘ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks’, 2022, https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/
Malwarebytes Labs, ‘The top 5 most routinely exploited vulnerabilities of 2021’, 2022, https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/
Microsoft, ‘ZeroLogon is now detected by Microsoft Defender for Identity (CVE-2020-1472 exploitation)’, 2021, https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034
QRATOR, ‘Mēris botnet, climbing to the record’, 2021, https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/
Recorded Future, ‘The Top 10 Vulnerabilities Used by Cybercriminals in 2019’, 2020, https://go.recordedfuture.com/vulnerability-report-2019
TrendMicro, ‘Cyclops Blink Sets Sights on Asus Routers’, 2022, https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
US Cybersecurity & Infrastructure Security Agency, ‘Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities’, 2022, https://www.cisa.gov/uscert/ncas/alerts/aa22-117a

Analytical Comments, Statements, and Best Practices

Most Likely Course of Action (MLCOA): the expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

Most Dangerous Course of Action (MDCOA): tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

Words of Estimated Probability: the gTIC employs both probability statements for the likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, the gTIC leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments.
Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States' Office of the Director of National Intelligence (ODNI), and are as follows:

[Chart: gTIC probability statements and degrees of likelihood, modeled after ICD 203]

Confidence statements, as defined by Optiv's gTIC, apply to the reliability and relevance of information reported and are as follows:

| Confidence Level | Optiv gTIC Definition | Factors | Quantitative Relevance |
| --- | --- | --- | --- |
| High Confidence | Information and/or intelligence is assessed to be of high reliability and value to drive operations and decisions | Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation | 75%+ |
| Moderate Confidence | Information and/or intelligence is reasonable and warrants consideration or action or response where applicable | Sporadic observations, limited historical references (too recent or too long of a gap to be considered “established”) | 45-65% (+/- 10%) |
| Low Confidence | Information and/or intelligence is unreliable or less relevant and provided as situational awareness | Lack of established history or observations, unreliable or circumstantial evidence | < 35% |

Per ICD 203 standards, confidence-level statements are not combined with the probability and degree-of-likelihood terms proposed in the above chart.

[i] The information in this document is for general information purposes only. While Optiv endeavors to keep the information up to date and correct, Optiv makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to this document or the information, products, services, or related graphics contained in this document for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
By: Aamil Karimi, Principal Consultant | Optiv

Aamil Karimi has over 16 years of experience in the practice of intelligence analysis and reporting in both the military (HUMINT and targeting) and cybersecurity threat intelligence and risk management. His cybersecurity experience includes supporting incident response, threat research, and CISO teams in building and expanding the threat intelligence capabilities of Fortune 500 companies and managed security services providers (MSSPs). Aamil's approach to cyber threat and risk intelligence stems from maintaining a focus on the fundamentals of relevance and timeliness for customers and incorporating a risk-based strategy to prioritize collection, analysis, and reporting efforts. This is accomplished by understanding and assessing the current state of each customer's risk profile and identifying the most likely and most dangerous threats to support business preparedness and defensive actions. Prior to joining the cybersecurity field, Aamil spent six years in Afghanistan on both active duty and civilian deployments supporting HUMINT and targeting efforts for the US Army, US Air Force Office of Special Investigations, and US Special Operations Command in Principal and Subject Matter Expert (SME) capacities.

Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.