TL;DR: In recent months, CISA, MITRE, CVE.org, and others have announced critical vulnerabilities in several network infrastructure devices, and most of them are known to be actively exploited.
All these vulnerabilities have one thing in common…
Exploits against them will NOT be detected by endpoint-based threat detection and response systems. A better approach is needed.
The digital landscape has shifted. When we think of cyber attacks, we typically think of an attack that compromises a server, database, workstation, laptop, or similar device to access sensitive data or gain access to other systems.
While attackers once focused on infiltrating these traditional endpoints, they appear to be shifting to a new entry point: network infrastructure. Switches, routers, network access control (NAC) systems, firewalls, DNS servers, virtual private network (VPN) appliances, and similar devices, once considered trustworthy components, have become battlegrounds as an increasing number of vulnerabilities are discovered in them.
The surge in network infrastructure vulnerabilities is alarming. The US Cybersecurity and Infrastructure Security Agency (CISA) has documented dozens in recent months, each presenting a potential backdoor into networks holding our most sensitive data and critical operations. Here are just a few examples:
29-Jan-2024 | Juniper Networks Releases Security Bulletin for J-Web in Junos OS SRX Series and EX Series
18-Jan-2024 | Citrix Releases Security Updates for NetScaler ADC and NetScaler Gateway
11-Jan-2024 | Juniper Networks Releases Security Bulletin for Junos OS and Junos OS Evolved
10-Jan-2024 | Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways
9-Jan-2024 | Fortinet Releases Security Updates for FortiOS and FortiProxy
14-Nov-2023 | Fortinet Releases Security Updates for FortiClient and FortiGate
1-Nov-2023 | CISA Updates Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities
These vulnerabilities are diverse, ranging from zero-day exploits in firmware to misconfigurations and known security holes left unpatched. This poses a significant threat, as compromising even a single device can grant attackers a foothold to pivot laterally, exfiltrate data, disrupt operations, and launch further attacks, all while remaining invisible to endpoint security.
There have been several high-profile attacks in the past year that are worth pointing out:
In May 2023, Barracuda announced a critical security vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliances that attackers had been exploiting since at least October 2022. According to incident response teams from Mandiant, the vulnerability was exploited globally by an aggressive and skilled threat actor with suspected links to China.
The attackers were able to trigger a command injection attack that enabled them to remotely execute system commands with the privileges of the ESG product. They were subsequently able to maintain persistence for continued operations and demonstrated the ability to move laterally from the ESG appliance.
While patches were released, Barracuda urged customers to replace affected devices entirely because of potential data exfiltration and persistent malware; even devices that had already been patched were considered at risk.
While Barracuda offered replacements at no cost, the logistics and financial burden were difficult for both its customers and Barracuda. At the time, the situation was unprecedented, and it highlights the severity of the vulnerability.
Viasat, an American satellite communications company, identified a cyber-attack against its modems on the KA-SAT network that took place in February 2022. Suspected to be the work of a Russia-based group using the AcidRain wiper malware in an attempt to disrupt Ukrainian communications, the attack impacted several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.
The attackers gained access to Viasat’s network through a vulnerability in a Fortinet VPN appliance and used AcidRain to overwrite data on the modems, rendering them unusable.
According to Viasat’s description of the incident,
“... forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network. The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”
The European Space Policy Institute issued a final report on this incident which pointed to vulnerabilities in BOTH the modem AND the Fortinet VPN appliance:
“It seems that ViaSat’s SurfBeam internet modems have unpatched vulnerabilities that enable to install and run applications on them without a signature verification or a firmware update, which seems consistent with the upload of the Acid Rain wiper malware.”
“Therefore, the attacker of KA-SAT may have exploited this unpatched vulnerability on Skylogic’s [Fortinet] VPN appliances, and/or the attacker may have previously collected valid VPN credentials from this data breach.”
While some end-customer modems received over-the-air updates, in some cases those updates were insufficient to restore functionality, and new modems had to be provided to quickly restore service. Viasat eventually shipped tens of thousands of replacement modems to distributors, who replaced the end-customer devices.
And while endpoint-based security systems like EDR and antivirus hold their ground on traditional endpoints, they are useless against this rising tide: a router, firewall, VPN gateway or email security appliance is a closed system that cannot host an endpoint agent, so its compromise produces no endpoint telemetry at all.
This leaves a glaring gap in our defenses, a blind spot that attackers can exploit with potentially devastating consequences.
So, what can we do in the face of this evolving threat landscape?
The answer lies in a rapidly adopted class of security solutions: Network Detection and Response (NDR). Unlike endpoint security, NDR focuses on the network layer, providing visibility into the very communications that attackers depend on. Imagine it as a watchful guardian monitoring every conversation occurring within your network, analyzing protocols, traffic patterns, and device behavior for indicators of malicious intent.
Here's how NDR plays a critical role in defending against network infrastructure vulnerabilities:
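The following is an added illustration, not code from the original post or from any NDR product: a minimal flow analyser that applies the network-level view described above to appliances that cannot run an endpoint agent. The device inventory, segment ranges, allow-lists, byte threshold and flow records are all constructed assumptions; the three rules mirror the behaviours the post describes (an appliance opening an unexpected external channel, pivoting laterally into another internal segment, or pushing out an unusually large volume of data).

```python
"""Added example: NDR-style detection over flow records from network appliances.
All inventory, segments, thresholds and sample flows are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # initiating host
    dst: str        # responding host
    dport: int      # destination port
    bytes_out: int  # bytes sent by the initiator


# Constructed inventory: appliance management IPs and the peers each is expected to contact
# (e.g. a syslog collector, an NTP source, a vendor update host). Anything else is anomalous.
APPLIANCES = {
    "10.0.0.5": {"role": "vpn-appliance", "allowed": {"10.0.0.10", "10.0.0.11", "198.51.100.20"}},
    "10.0.0.6": {"role": "email-gateway", "allowed": {"10.0.0.10", "10.0.1.25"}},
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")           # constructed internal range
DEVICE_MGMT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # constructed segment managing field devices
EXFIL_BYTES = 50_000_000  # constructed threshold for a single appliance-initiated transfer


def analyse(flows):
    """Return (rule, src, dst) alerts for appliance-initiated flows that break the baseline."""
    alerts = []
    for f in flows:
        dev = APPLIANCES.get(f.src)
        if dev is None:
            continue  # only traffic initiated by an agentless appliance is judged here
        dst = ipaddress.ip_address(f.dst)
        if f.dst not in dev["allowed"]:
            if dst not in INTERNAL:
                alerts.append(("unexpected_external_peer", f.src, f.dst))  # possible C2/exfil channel
            elif dst in DEVICE_MGMT_SEGMENT:
                alerts.append(("lateral_to_device_mgmt", f.src, f.dst))    # pivot into device management
            else:
                alerts.append(("unexpected_internal_peer", f.src, f.dst))  # generic lateral movement
        if f.bytes_out >= EXFIL_BYTES:
            alerts.append(("large_outbound_transfer", f.src, f.dst))
    return alerts


SAMPLE_FLOWS = [  # constructed flow records
    Flow("10.0.0.5", "10.0.0.10", 514, 2_000),         # VPN appliance -> syslog collector: baseline
    Flow("10.0.0.5", "203.0.113.7", 443, 60_000_000),  # VPN appliance -> unknown host, 60 MB out
    Flow("10.0.0.6", "10.50.3.9", 22, 900),            # email gateway -> device-management segment
    Flow("10.0.1.25", "10.50.3.9", 22, 900),           # workstation: covered by EDR, not judged here
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(alert)
```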
But NDR is not a silver bullet. It's crucial to remember that an effective cyber defense requires a layered approach. Patching vulnerabilities promptly, implementing least privilege access controls, and fostering a security-conscious culture are all essential elements of a robust defense posture.
The rise of network infrastructure vulnerabilities signifies a critical shift in the cyber threat landscape, and deploying endpoint-only systems is no longer enough. NDR, with its capabilities for network-level detection, response, and integration, has become a vital tool for defenders in the face of this evolving threat. By embracing this shift and employing NDR alongside other security best practices, we can bolster our defenses, protect our networks, and keep our valuable data safe in an ever-changing attack landscape.
With this surge in vulnerabilities and attacks against them, time is of the essence. Keep your network infrastructure from becoming the next exploited entry point. Embrace NDR and build a layered defense that stands strong against the rising tide of threats in the digital landscape.