Remote Code Execution (RCE) is when an attacker runs malicious code on your IT infrastructure. The purpose of RCE ranges from further infiltrating your network, stealing information, or otherwise damaging, extorting, or stealing from you or your business. Because of this, protecting your computers and network from RCE attacks is vital.
This article explains what remote code execution is, and the impacts of RCE on your business. It also explains the mechanisms used to exploit your infrastructure, the potential risks, and details RCE prevention strategies you should implement.
What is remote code execution (RCE)?
RCE vulnerabilities allow remote attackers to execute their code on your network-connected machines. This usually leverages existing vulnerabilities in your network or computer systems: once a vulnerability that allows for remote code execution is identified, it can be used to perform malicious actions and further open your network to cybersecurity attacks.
The key concept behind RCE is that no previous level of access is required for a successful exploit, unlike local code execution (LCE) attacks where some level of user privilege is already available to the attacker on the system.
Both RCE and LCE code execution attacks are known as arbitrary code execution (ACE).
RCE exploitation techniques and mechanisms
There are several exploitation techniques commonly used to successfully perform an RCE attack on your infrastructure:
- Buffer overflow or out-of-bounds write: A buffer overflow occurs when more data is written to a buffer (a location in computer memory for storing temporary data) than it can hold, causing existing data for the running application to be overwritten. If this new data includes malicious code, it may be executed by the remote system.
- Deserialization: Serialization/deserialization is the process of converting data into character strings for transmission. If the data passed to the program that performs the deserialization contains malicious code, the program may execute it if it does not perform proper validation or sanitization.
- Command and code injection: Command and code injection can lead to remote code execution when input is not properly sanitized (for example, input from web forms being used to execute shell commands or SQL statements).
Any network-connected software is vulnerable to RCE, which is why it is important to implement robust IT security measures to protect yourself and your organization from cybersecurity incidents.
RCE vulnerability detection and prevention strategies
To effectively protect your IT infrastructure and data and ensure business continuity, you should take active measures to protect yourself from RCE attacks, such as deploying endpoint detection and response (EDR) as well as network-level protections such as firewalls to prevent an attacker from gaining further access in the event of a successful RCE exploit.
You should regularly assess your potential cybersecurity vulnerabilities and ensure that your software is always up-to-date to protect against known RCE exploits in the software you rely on. If you are using legacy or unpatched software, you should ensure that its network access is restricted so that it cannot be used to gain a foothold in your systems. You should also deploy a network monitoring solution that alerts your IT team of any suspicious activity to help protect against zero-day attacks.
If you develop your own software in-house you should regularly review your code and its dependencies for RCE vulnerabilities. Static code analysis tools can assist you in pinpointing problems in your software by identifying potentially unsafe code (for example, functions that allow unsanitized code to be passed to the shell). Dynamic analysis tools can also be used to examine your compiled and running applications to identify vulnerabilities that static analysis may miss.
Penetration testing should be performed regularly to simulate attacks and uncover potentially exploitable remote code execution vulnerabilities and other cybersecurity weaknesses, and to ensure that the monitoring and logging solutions you have in place are able to detect an attack in progress.
Potential risks and impacts of RCE
Remote code execution does not require physical access and, without proper monitoring and security measures, can go undetected. The risks of a successful RCE attack on your business IT infrastructure include:
- Further infiltration of your systems: Once a foothold has been established, bad actors may gain further access to your systems. For example, a compromised public-facing web server may be used to gain access to internal IT assets that it connects to, even if those assets are protected by firewalls and not publicly accessible.
- Access to sensitive or protected data: Proprietary trade information, and data you process and store about your users, including personally identifiable information (PII) can be incredibly valuable to attackers, and may be used to extort your business or your customers. PII leaks harm your business’ reputation, and can also lead to legal ramifications under privacy laws like GDPR and CCPA.
- Deployment of malware (including rootkits): Once code can be successfully executed on a remote system, it can be used to install malware, including rootkits for maintaining persistent access and backdoors, trojans for exfiltrating data, and ransomware that denies you access to your files (and may even publicly disclose their contents) unless you pay the attacker.
The disruption caused by cybersecurity attacks can be detrimental to a business’s survival. Losing operational data or being exposed to liability for the misuse of regulated data has led to many businesses having to close up shop.
Real-world examples of RCE attacks
There are several notable examples of what can happen if a business does not take adequate measures to protect themselves from cyber threats. The Equifax data breach in 2017 was caused by an RCE exploit to the Apache Struts web framework, and led to the personal information of over 140 million people being compromised. This led to 1.4 billion dollars in costs to Equifax, the downgrading of the company’s financial rating, and a 1.38 billion dollar settlement with affected users.
In 2021, several zero-day exploits allowed for remote code execution in Microsoft’s Exchange Server, allowing hackers to steal data and install backdoors into systems. This resulted in thousands of data breaches worldwide for organizations using the email platform (the true impact of which may never be known), and significant reputational damage.
One famous RCE vulnerability that affected multiple software products/platforms and was widely exploited is the Log4shell vulnerability in Log4j. This software is used on millions of systems, and given how easy it was to exploit resulted in RCE attacks against software from a huge number of vendors who relied on the Log4j logging utility in their commercial software and internal tools.
RCE attack response and mitigation
You must have policies and mechanisms in place to deal with a successful RCE attack on your business. This should include training for employees to recognize and respond to cybersecurity incidents, and monitoring and alerting (including intrusion detection systems) so that if an attack does occur, it can be dealt with immediately.
Once an attack has been contained, the impact should be assessed, and your systems should be examined and any remaining threats eliminated. This should involve rolling back any changes made by the malicious code, including removing malware and reversing any configuration changes that may have been made to create a backdoor into your systems.
Backup and disaster recovery are key here: You can potentially roll back to a known good state prior to the attack, greatly speeding up the time it takes to recover. If this is not possible, configurations and files can be compared to help identify what the attacker was able to accomplish. In the event of a ransomware attack resulting from RCE, being able to restore from a backup may be the only way to ensure business continuity.
Once an attack has been stopped and rectified, an extensive post-mortem should be performed: the attack vector should be identified, and the vulnerability used in the attack should be patched or protected. The response time and impact of the attack should be reviewed and any policies and processes used to mitigate against the attack revised if necessary.
Protecting against remote code execution at enterprise scale
A successful RCE or other cybersecurity attack against your organization’s IT infrastructure could be catastrophic, leading to unexpected costs and legal repercussions that may be difficult to recover from. With the increasing complexity of IT infrastructure, including multiple software platforms hosted on a hybrid of on-premises and cloud infrastructure, it is important to have full visibility over your attack surface.
NinjaOne provides a remote monitoring and management (RMM) solution that lets you manage all of your endpoints and IT infrastructure, wherever it is, so that you can take proactive measures to protect against remote code execution attacks, and identify suspicious behavior that may indicate an attack in progress.
