Attack Surface Management , Endpoint Security , Security Operations

Surge in Attacks Against Edge and Infrastructure Devices

Increase in Known Vulnerabilities and Zero-Days Is Fueling Mass Hacking Campaigns
Surge in Attacks Against Edge and Infrastructure Devices
Hackers target edge devices with increasing frequency. (Image: Shutterstock)

Cybersecurity devices deployed on the network edge are increasingly targeted by attackers to gain access to enterprise environments, experts warn.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

Compounding the problem: Research finds that many network defenders appear to be having trouble patching vulnerable edge devices - including firewalls, email gateways and VPN gateways - in a timely manner. A swath of critical vulnerabilities in such devices has come to light in recent years (see: The Peril of Badly Secured Network Edge Devices).

The prevalence of large-scale attacks exploiting network devices nearly doubled last year, driven by an abundance of vulnerabilities to exploit, according to a new report from Rapid7. "We found that 36% of the widely exploited vulnerabilities we tracked occurred within network edge technology. Of those, 60% were zero-day exploits," the report says. "These technologies represent a weak spot in our collective defenses."

Many more such vulnerabilities are being found, said Tim West, head of threat intelligence at WithSecure, in an interview at least week's Infosecurity Europe conference in London.

Researchers at WithSecure recently analyzed the Known Exploited Vulnerabilities Catalog from the U.S. Cybersecurity and Infrastructure Security Agency for network edge devices bug trends.

The firm's review found that "over the last two years, on average, there is an increasing rate of vulnerabilities added to it that pertain to the infrastructure layer or the edge of a network - so broadly, VPN services or firewalls or network equipment as infrastructure, or things like remote management tooling, managed file transfer tooling, as edge services," West said.

Not just criminals but also state-sponsored attackers have been exploiting such devices, Google Cloud's Mandiant threat intelligence unit recently warned (see: State Hackers' New Frontier: Network Edge Devices).

One challenge for defenders: Many network edge devices function as "black boxes which are not easily examined or monitored by network administrators," and also lack antimalware or other endpoint detection and response capabilities, WithSecure's report says. "It is difficult for network administrators to verify they are secure, and they often must take it on trust. Certain types of these devices also provide edge services and so are internet-accessible."

Many of these devices don't by default produce detailed logs that defenders can monitor using security incident and event management tools to watch for signs of attack.

"These devices are supposed to secure our networks, but by itself, there's no way I can install an AV client on it, or an EDR client, or say, 'Hey, give me some fancy logs about what is happening on the device itself,'" said Christian Beek, senior director of threat analytics at Rapid7, in an interview at Infosecurity Europe 2024. "They were never designed for that. They were just designed for a single purpose - like keeping the bad guys out and allowing traffic in and out in the right way. So that's definitely a challenge."

Unpatched devices abound. Cyber risk management firm BitSight said its 2023 internet scans found that of 1.4 million organizations with public-facing systems, over one-third had at least one vulnerability that was featured in CISA's Known Exploited Vulnerabilities Catalog, and more than one-fifth of organizations had five or more KEVs. On average, each vulnerability remained unpatched for more than 150 days, despite experts saying that many organizations try to deal with them within 15 days.

On average, attackers in 2023 took just five days to start scanning for critical vulnerabilities - those that are in the KEV catalog - and 68 days for other types of flaws, according to Verizon's latest Data Breach Investigations Report, released last month (see: Tracking Data Breaches: Targeting of Vulnerabilities Surges).

Attackers haven't shied away from targeting such hardware. Devices or software with vulnerabilities that have been exploited en masse since the beginning of 2023 include: Cisco XE, Citrix Bleed, ConnectWise ScreenConnect, FortiGuard FortiOS, Ivanti Connect Secure, Juniper's Juno, MOVEit secure file transfer software and Palo Alto's PAN-OS.

More vulnerabilities in edge devices have been coming to light than ever before, as detailed in the Common Vulnerabilities and Exposures list of publicly disclosed flaws. On average, new CVEs discovered in edge devices doubled from two per month in 2022 to 4.75 in 2023, and so far this year the number is 22% higher than that on average per month, WithSecure found.

While the number of newly discovered non-edge and non-infrastructure device CVEs also increased through 2023, WithSecure found that so far in 2024 they have significantly decreased, the company said, while "edge service and infrastructure CVEs added to the KEV in the last two years are, on average, 11% higher in severity than other CVEs."

Another challenge is that nearly two-thirds of vulnerabilities exploited in network and security appliances last year were first exploited as zero-day flaws, Rapid7 said.

Beek said part of the challenge is the war chest that ransomware groups have amassed.

"I've been dealing with ransomware almost most of my career, and people keep paying the ransom," Beek said. "We're enabling threat actors to buy zero-days, and that's a scary development because if they have zero-days, the damage is big. Especially imagine you have a certain appliance securing your network, and these ransomware actors have a zero-day. It's not only one appliance at company A. No, it's globally. So certainly they can hit multiple companies at the same time."

This week, researchers from Symantec's threat hunting team reported that a group associated with Black Basta ransomware may have exploited a zero-day vulnerability in Windows weeks before it was patched by Microsoft, which said it didn't appear that the flaw had been exploited in the wild.

Symantec said the Cardinal cybercrime group, aka Storm-1811 and UNC4393, appeared to have built a tool for exploiting the flaw in the Windows Error Reporting Service, now tracked as CVE-2024-26169, at least two weeks before Microsoft shipped a patch.

Since zero-day flaws and other exploitable vulnerabilities in edge networking gear - or n-days, for known flaws - show no signs of extinction, Rapid7 recommends organizations move much more quickly to remediate them.

"Network edge devices are at particular risk of n-day and zero-day exploitation, and vulnerabilities in these devices should be mitigated as soon as vendor-provided patches or workarounds are available," Rapid7 said. "Ensuring that logging is enabled and working will help security teams more effectively hunt for indicators of compromise and other suspicious activity during incidents."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.