Exploit chains explained: How and why attackers target multiple vulnerabilities

Exploit chain definition

Exploit chains (also known as vulnerability chains) are cyberattacks that group together multiple exploits to compromise a target. Cybercriminals use them to breach a device or system to greater success or impact compared to focusing on a single point of entry.

“The goal with exploit chain attacks is to gain kernel/root/system level access to compromise a system in order to execute an attack,” Forrester analyst Steve Turner tells CSO. “Exploit chains allow attackers to blend in within an organization’s environment by using vulnerabilities in normal system processes bypassing numerous defenses to quickly elevate themselves,” he adds. While exploit chain attacks typically require more time, effort, and expertise for cybercriminals, chaining exploits together allows malicious actors to carry out attacks that can be increasingly difficult to remediate depending on the length and sophistication of the vulnerability sequence.

The risks of exploit chains

The risks posed by exploit chains to organizations are significant. The execution of exploit chains tends to happen quickly, and most organizations aren’t armed with the right playbooks, processes, and tools to be able to aggressively stop or contain the threat, says Turner.

“The unfortunate reality is IT security teams are burdened with the fact that almost all exploits take advantage of known vulnerabilities, and exploit chains, that have not been mitigated,” says Ortal Keizman, research team lead at Vulcan Cyber. “Vulnerability management is a massive game of whack-a-mole facing the IT security profession today and at least 56% of enterprise organizations lack the ability to remediate vulnerabilities at the speed or scale needed to protect their businesses.”

It is safe to assume most cybersecurity leaders are looking at the list of NIST-reported vulnerabilities, or the CISA known-exploited vulnerabilities list, with a pit in their stomach because they simply don’t have a solid grasp on their risk posture, Keizman says. “You can’t mitigate risk if you can’t measure it, and risk prioritization is meaningless if it is not aligned specifically to the customized risk tolerance of a unique organization or business unit.”

Exploit chain use cases and examples

The following examples of exploit chain attack scenarios have either occurred in the real world or are hypothetical but very much possible.

The SolarWinds attack

One of the best examples of a real vulnerability chain attack was the SolarWinds exploit, which went far beyond a single vulnerability that needed to be patched or a supply chain back door that needed to be secured, Keizman says. “In that case, flaws were exploited in both proprietary and open-source code. Hackers developed an advanced persistent threat by first exploiting critical layers of the software supply chain which allowed remote access and elevated privileges inside private networks.”

Once the back door was opened to institutional software factories, the attackers made sure proof-of-concept exploits were available to further infiltrate crown jewels via known vulnerabilities that hadn’t been mitigated for various reasons.

Exploit chains targeting mobile devices

Principal threat hunter at Netenrich John Bambenek sees exploit chains most prominently used in mobile exploitation. “Due to the nature of mobile phone architectures, there is a need to use several exploits to get root access to do the things that mobile malware needs to do,” he tells CSO.

This was evidenced in research by security firm Lookout that detailed several Android surveillance tools used to target the ethnic Uighur population in China for many years. “Exploit chains can target traditional computing devices, but often the chain of exploits has gaps of human behavior or living off the land,” Bambenek adds. For instance, many ransomware attacks, once inside the perimeter, engage in lateral movement or use PowerShell which might give them a need to use another exploit to escalate privilege.

Exploit chains targeting browsers

As for exploit chains that target browser vulnerabilities, Tyler Reguly, member of the vulnerability and exposure research team at Tripwire, cites attackers using phishing emails to direct users to webpages before launching drive-by attacks to exploit browser vulnerabilities. These are then chained with a second vulnerability to perform a sandbox escape, followed by a third to obtain privilege escalation.

From there, attackers want to leverage vulnerabilities to spread out across the network and into specific systems. “When I think of exploit chaining, a single image comes to mind: It is that scene from Friends where Ross is yelling, ‘Pivot!,’ repeatedly,” Reguly adds. Attackers want to use their exploit chain to create pivot points to move around the system and across the network. “In a perfect world, they want your exploits to work together better than Ross, Rachel and Chandler, but depending on an organization’s defenses, they could be as similarly unorganized and still be successful.”

Exploit toolkits used by ransomware attackers

Exploit chains are becoming more common place as part of commoditized exploit toolkits used by ransomware attackers and other adversary groups, says Turner. “Two of the most popular examples are zero-click exploit chains where a user doesn’t need to do anything for it be executed, or something like ProxyLogon, where an attacker can exploit a chain of vulnerabilities to gain admin access to execute whatever code they want.”

This is used regularly by ransomware groups to gain a quick foothold within environments to exfiltrate data and then ransom organizations. “We fully expect that attackers will take advantage of well-known RCE vulnerabilities such as the Log4j vulnerability to create additional exploit toolkits that chain together a string of exploits that can quickly gain them the system/kernel level access they desire,” Turner adds.

Preventing exploit chain attacks

When it comes to mitigating the risk of an exploit chain attack, Reguly says the most important thing to remember is that you can break any link in the chain. “Some damage may already be done, but breaking any link prevents further potential damage.” A robust and mature cybersecurity program will implement techniques, technologies, and personnel that can break every link in the chain, providing the maximum number of potential mitigations or protections against every possible attack.

“If that is not possible in an organization, thinking about the cyber kill chain and the points at which it can be stopped is the next best thing.” Bambenek agrees, adding that while an exploit chain can appear daunting in concept, if there is something – either in the chain of exploitation or other attacker behavior – that can be detected, responders can gain visibility into the problem and address it.

For Keizman, addressing exploit chains head on requires a coordinated effort between a massive and willing open-source community and the closed-source software vendors. “Open-source software development practices have been and will be a great help, but there has been no better time for the commercial and open-source software development camps to join forces.”

As for CISOs, Keizman champions implementing holistic, risk-based cyber hygiene rather than blindly addressing each vulnerability as they arise. “Businesses will lose the game unless they have a strategy to address the crush before it is too late, prioritizing based on their own particular business needs.”