Research POV: Detecting and Deciphering Vulnerability Chains

On September 7th, Citizen Lab unveiled new insights into an exploit chain leveraged by the NSO Group to deliver the Pegasus spyware. Though light on specifics, the report serves as a timely reminder of the risks associated with vulnerability chaining, which is the practice of linking together multiple vulnerabilities to achieve a larger goal, such as gaining unauthorized access to a system or installing malware.

In this post, we will discuss previous significant examples of vulnerability chaining and introduce approaches to detecting similar threats.

Case #1: Pegasus spyware use of vulnerability chaining to target iOS devices

Pegasus, developed by the NSO group, is a sophisticated mobile spyware designed for surveillance and espionage, with the ability to intercept messages and calls and extract extensive data from a device.

Thanks to Citizen Lab's impressive forensic work, we now have insights into this spyware and its development over the years. An early version of the malware (reported in August 2016) serves as an excellent example of the risks of vulnerability chaining.

Our focus here is on a specific version of Pegasus targeting iOS 9.3.3 devices. This version utilized a series of zero-day vulnerabilities, collectively referred to as the "Trident" in Citizens Lab’s report. This vulnerability chain started with exploiting CVE-2016-4657, a weakness rooted in a memory corruption issue within Safari's WebKit, allowing attackers to execute arbitrary code. Pegasus exploited this flaw to gain its initial code execution privileges within the Safari web browser.

Next, Pegasus exploited CVE-2016-4655 to locate the Kernel. KASLR (Kernel Address Space Layout Randomization) is a security measure designed to make it difficult for attackers to predict the location of the kernel in memory. With this vulnerability, Pegasus used a function call that leaks a non-obfuscated kernel memory address in its return value, circumvented KASLR, and mapped the Kernel’s actual memory location to proceed with the jailbreak.

Finally, Pegasus targeted CVE-2016-4656, a memory corruption flaw within the kernel that is the linchpin of the Trident. The method of exploitation varied between the 32-bit and 64-bit versions of iOS and was the last step in jailbreaking the device.

Case #2: HAFNIUM's vulnerability chaining in Microsoft Exchange Servers

In early 2021, Microsoft disclosed a series of vulnerabilities in its Exchange Server software that were being exploited by a threat actor named HAFNIUM. This state-sponsored group, believed to operate out of China, exploited these vulnerabilities in a chained manner to gain unauthorized access to Exchange Servers, allowing them to exfiltrate data, run malicious code, and potentially maintain persistent access to compromised networks.

The attack began with the exploitation of CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Exchange, which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. Once authenticated, HAFNIUM used CVE-2021-26858 and CVE-2021-27065, both post-authentication arbitrary file write vulnerabilities, to deploy a web shell on the compromised server. This web shell provided the attackers with remote control over the compromised system. Additionally, they exploited CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service, which allowed code execution as SYSTEM on the Exchange server, though this required administrator permission or another vulnerability to exploit.

Approaching Vulnerability Chaining Detection with The Data Fabric for Security™

In the intricate world of cybersecurity, understanding vulnerabilities in isolation is no longer sufficient. As shown through the examples outlined above, the real threat often emerges when vulnerabilities are chained together. Leveraging AI and strategic use of data provide core starting points in understanding this challenge.

Extracting Attack Vectors with LLM

Integrating with LLM can enhance the ability to extract attack vectors and assess the impact of vulnerabilities. LLM analyzes the nuances of each vulnerability to identify potential pathways that attackers may exploit. This deep understanding forms the foundation for detecting risky combinations that, when linked, can lead to a full-blown vulnerability chain. Several research papers have already been published in this field, and at Avalor, we are working on translating them into real-world solutions.

Asset Context Integration

Understanding a vulnerability is one thing, but understanding its impact on specific assets is what matters most. Avalor's platform can enhance the insights derived from LLM with important asset context. By mapping vulnerabilities to assets, such as a critical servers or key databases, Avalor ensures that the potential impact of a vulnerability chain is always evaluated in the context of the organization's infrastructure. Avalor’s Data Fabric for Security™ contains all information related to the asset and vulnerability, including network exposure and other mitigating factors such as the presence of EDRs and other security tools.

This asset-centric approach ensures that security teams focus their time efficiently and that remediation efforts are always prioritized based on potential business impact.

About the Researcher

Amir is a security researcher at Avalor. He conducts in-depth research on innovative ways to detect security threats, integrate AI models with security data, and create better remediation solutions using Avalor's Data Fabric for Security™.

A passionate advocate for Linux, eBPF, and Container technologies, Amir achieved first place in Volatility's 2021 contest for developing a memory forensics tool for Docker Containers. When not in front of a screen, he enjoys universal pleasures such as cooking, listening to podcasts, and watching sunsets while sipping a glass of wine.

Want to learn more about how to build a full picture of all your vulnerabilities with business context? Schedule a demo with a product expert today!

‍