Attack Chain

1. The attacker identifies a vulnerable ACL Analytics instance running versions 11.x through 13.0.0.579.
2. The attacker crafts a malicious command that leverages the EXECUTE function within ACL Analytics.
3. The crafted command uses bitsadmin to download a malicious PowerShell script from a remote server.
4. ACL Analytics executes the bitsadmin command, downloading the PowerShell script to the compromised system.
5. The downloaded PowerShell script is then executed with SYSTEM privileges.
6. The PowerShell script establishes a reverse shell connection to the attacker’s controlled server.
7. The attacker gains complete control over the compromised system with SYSTEM privileges.
8. The attacker can perform various malicious activities, including data exfiltration, installing malware, or pivoting to other systems on the network.

Impact

Successful exploitation of CVE-2018-25320 can lead to complete system compromise. An attacker with SYSTEM privileges can access sensitive data, install malware, and pivot to other systems within the organization’s network. This can result in significant financial losses, reputational damage, and legal liabilities. The vulnerability affects all organizations using ACL Analytics versions 11.x through 13.0.0.579, potentially impacting a wide range of sectors that rely on this software for data analysis and compliance.

Recommendation

• Upgrade ACL Analytics to a patched version beyond 13.0.0.579 to remediate CVE-2018-25320.
• Deploy the Sigma rule “Detect Suspicious Bitsadmin Usage for Download” to identify potential exploitation attempts using bitsadmin as described in the attack chain.
• Monitor process creation events for PowerShell scripts being executed with SYSTEM privileges after a bitsadmin download, as this is a common indicator of compromise, activating the “Detect PowerShell Reverse Shell” Sigma rule.
• Implement network monitoring to detect reverse shell connections originating from systems running ACL Analytics.