In this post, I am going to go over a real-world example of how public-facing applications are attacked. This is a very common attack technique, and defending against it requires constant monitoring to avoid a data breach or compromise.
The MITRE ATT&CK Framework describes the attack as follows:
The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability.
To show how exploiting a public-facing application works, I am going to create a scenario in which a target is using WordPress to host their company blog.
The attacker was tasked with compromising the public-facing WordPress website.
Since the target is running WordPress, the attacker will usually check whether the server is vulnerable to any publicly released vulnerabilities before moving on to manual investigation. The tool WPScan runs a security probe against the target WordPress server to quickly let the attacker know if anything looks interesting. In this specific scenario, the web development team at the target company was late to upgrade WordPress to its latest version, leaving open an opportunity for an RCE (Remote Code Execution) attack using CVE-2016-10033.
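A WPScan run like the one described above leaves a recognizable trail in the web server's access log, and that is the point at which a defender can notice the reconnaissance that precedes exploitation. The following is an added detection example (my own code, not from the original post or from WPScan) that scans combined-format access log lines for two signals: the tool's default User-Agent and a burst of WordPress enumeration requests from one client. The log lines, IP addresses, timestamps and User-Agent strings are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (hypothetical IPs,
# timestamps and User-Agent strings; not taken from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2017:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "WPScan v2.9.3 (https://wpscan.org/)"
203.0.113.7 - - [10/Jan/2017:10:01:03 +0000] "GET /readme.html HTTP/1.1" 200 7200 "-" "WPScan v2.9.3 (https://wpscan.org/)"
203.0.113.7 - - [10/Jan/2017:10:01:03 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 900 "-" "WPScan v2.9.3 (https://wpscan.org/)"
203.0.113.7 - - [10/Jan/2017:10:01:04 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 200 "-" "WPScan v2.9.3 (https://wpscan.org/)"
198.51.100.2 - - [10/Jan/2017:10:02:10 +0000] "GET /2017/01/company-news/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2017:10:03:00 +0000] "GET /readme.html HTTP/1.1" 200 7200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2017:10:03:00 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2017:10:03:01 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2017:10:03:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Paths that WordPress enumeration typically hits: core version disclosure,
# plugin readme files (plugin/version fingerprinting) and author id lookups.
ENUM_RE = re.compile(r'^/readme\.html$|^/wp-content/plugins/[^/]+/readme\.txt$|^/\?author=\d+$')

def parse_line(line):
    """Parse one combined-format line into ip/path/ua, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_scanners(log_text, threshold=3):
    """Return {ip: reason} for clients that look like WordPress scanners.
    Signal 1: a WPScan User-Agent (the tool's default, trivially changed by
    the operator). Signal 2: at least `threshold` enumeration-path requests
    from one IP, which also catches scans run with a spoofed User-Agent."""
    ua_hits = set()
    enum_counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "wpscan" in rec["ua"].lower():
            ua_hits.add(rec["ip"])
        if ENUM_RE.match(rec["path"]):
            enum_counts[rec["ip"]] += 1
    flagged = {ip: "wpscan user-agent" for ip in ua_hits}
    for ip, n in enum_counts.items():
        if n >= threshold and ip not in flagged:
            flagged[ip] = f"{n} enumeration requests"
    return flagged
```

Run against the constructed sample, the WPScan client is flagged by its User-Agent and the second client by its enumeration pattern alone, while the ordinary visitor is not flagged.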
The team at legalhackers.com describes CVE-2016-10033 as follows:
Independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.
To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.