Exploit Public-Facing Application

Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an asset's operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.

An adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest to adversaries.

ID: T0819
Sub-techniques:  No sub-techniques
Tactic: Initial Access
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
G0034 Sandworm Team

Sandworm Team actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. [1] [2]

Targeted Assets

ID Asset
A0008 Application Server
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0948 Application Isolation and Sandboxing

Application isolation will limit the other processes and system features an exploited target can access. Examples of built-in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.

M0950 Exploit Protection

Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. [3]

M0930 Network Segmentation

Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

M0926 Privileged Account Management

Use least privilege for service accounts. [4] [5]

M0951 Update Software

Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.

M0916 Vulnerability Scanning

Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.
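As an added illustration of the Application Log detection above (example code, not part of the ATT&CK page), the following Python flags improper-input indicators in an internet-exposed HMI's web log and raises severity when the HMI service crashes or restarts shortly afterwards, which is the instability the entry describes. The log format, addresses, hostnames and thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample log from a hypothetical exposed HMI web service.
# Assumed format: "<ISO time> <level> <source> <message>".
SAMPLE_LOG = """\
2024-03-01T10:00:01 INFO web 203.0.113.7 GET /hmi/screens/overview.html 200
2024-03-01T10:00:05 INFO web 203.0.113.7 GET /hmi/login 200
2024-03-01T10:02:11 INFO web 198.51.100.9 GET /hmi/view?file=../../../../windows/win.ini 200
2024-03-01T10:02:12 INFO web 198.51.100.9 POST /hmi/api/tag?name=%00%00%00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 500
2024-03-01T10:02:14 ERROR service hmi-server exited unexpectedly (access violation)
2024-03-01T10:02:20 INFO service hmi-server restarted by watchdog
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (\S+) (.*)$")           # time level source message
REQ_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) (\w+) (\S+) (\d{3})$")  # ip method url status
CRASH_RE = re.compile(r"exited unexpectedly|restarted by watchdog|crash", re.I)
# Generic "improper input" indicators a WAF or log review would look for;
# the 40-character parameter threshold is an assumed, tunable value.
IMPROPER_INPUT = [
    ("path traversal", re.compile(r"\.\./|\.\.\\|%2e%2e", re.I)),
    ("encoded null byte", re.compile(r"%00")),
    ("overlong parameter", re.compile(r"=[^&]{40,}")),
]

def parse(log):
    """Split log text into (timestamp, level, source, message) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return events

def detect(log, window_s=60):
    """Return one alert dict per request carrying improper-input indicators."""
    events = parse(log)
    crashes = [ts for ts, _, src, msg in events if src == "service" and CRASH_RE.search(msg)]
    alerts = []
    for ts, _, src, msg in events:
        r = REQ_RE.match(msg) if src == "web" else None
        if not r:
            continue
        ip, _method, url, status = r.groups()
        reasons = [name for name, rx in IMPROPER_INPUT if rx.search(url)]
        if not reasons:
            continue
        # A crash of the exposed service within the window after the request is
        # the "unstable or crash" artifact the detection entry refers to.
        crash_followed = any(0 <= (c - ts).total_seconds() <= window_s for c in crashes)
        severity = "high" if crash_followed or status == "500" else "medium"
        alerts.append({"time": ts.isoformat(), "src_ip": ip, "url": url,
                       "reasons": reasons, "crash_followed": crash_followed,
                       "severity": severity})
    return alerts
```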

DS0029 Network Traffic Network Traffic Content

Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.

References