For IT infrastructure, 2024 has had a rough start. 2023 was a record-breaking year for infrastructure vulnerabilities, with thousands of organizations falling victim to zero-day attacks against Fortinet, Barracuda, Citrix, Cisco, and a myriad of SOHO devices. However, in the first three weeks of this year, the industry has already been rocked by more zero-day attacks, against Ivanti Connect Secure and Citrix. Juniper and Fortinet have both disclosed high-severity vulnerabilities which, as of this writing, have not seen widespread exploitation, though it is an expected eventuality. Researchers at Bishop Fox have discovered that over 150,000 SonicWall firewalls are running firmware versions with known vulnerabilities, and the internet scanning organization Shadowserver recently observed attackers modifying the implants used in the mass exploitation campaign against Cisco IOS XE devices in late 2023. Finally, researchers from Quarkslab disclosed nine vulnerabilities (dubbed PixieFAIL) in the PXE code used by organizations that rely on remote boot servers to install new systems.
If this seems like a lot, it’s because it is. The past few years have seen a significant uptick in attacks against network infrastructure, with both zero-day and N-day exploits:
- Nation state attackers like Volt Typhoon have taken a marked interest in infrastructure devices used by the United States Government and Department of Defense. As the geopolitical temperature around the world continues to rise, so does the risk to critical infrastructure. As has been the case with the Russian invasion of Ukraine, attacks against communications networks are now a common cyber component to kinetic warfare.
- Criminal ransomware groups are shifting tactics as endpoint security improves. They target network devices because they can avoid EDR, because they can quietly pivot their C2 communications through the appliances, and because these appliances offer many opportunities for lateral movement within the victim’s network.
- Device manufacturers continue to ship “enterprise solutions” with vulnerability classes the rest of computing has mostly relegated to computer science history books, leaving organizations scrambling to patch their systems before attackers breach them. In some instances, as seen with Citrix Bleed in 2023, even patching doesn’t fully remediate the issue, which poses the question: do these vendors take security seriously, or are they complacent in their market position, knowing that most organizations aren’t staffed or funded to rip and replace their devices with an alternative, more secure option? Whether better alternatives exist is hard to quantify, as every industry-leading infrastructure vendor has been impacted by wide-scale exploitation campaigns in the last few years.
The IT industry, and technology at large, is on a precipice. While huge advancements are being made in AI/ML, with billions of dollars being spent to train the next LLMs, security continues to be an afterthought … until it isn’t. Massive attacks like WannaCry and NotPetya were measured in millions of computers infected, billions of dollars in damages, and immeasurable cost to the mental health and well-being of incident responders. But as damaging as those attacks were, the impact was noticed immediately and remediation efforts were underway within hours or days. Network infrastructure, on the other hand, provides attackers nearly limitless access inside an organization, with little to no risk of the initial breach being detected.
When the tech news publishes articles saying “50,000 Cisco routers compromised within days”, the reality is that this number represents organizations, each with hundreds or thousands of computers behind it, providing attackers nearly endless dwell time. Attackers with complete control of network infrastructure can inflict massive damage on the companies they’ve breached, and because these devices run the backbone of the Internet, the risk of attacks like BGP hijacking, DDoS, or even cutting off network connectivity to a region or country becomes very real.
What can organizations do to secure themselves? There’s no easy answer, as even best practices like firewalls, securing management interfaces, patching, and monitoring fall short. It is no coincidence that attackers have begun reverse engineering the code which runs services like SSL VPNs, as by their very nature they must be internet exposed. With the drastic rise in zero-day attacks, organizations need to shift the defensive posture of their networks towards an assumed-breach model, where more effort is focused on quickly identifying and remediating compromise rather than attempting to stop it outright, which is nearly impossible. Having visibility into something changing on a device, whether the cause is a known or unknown threat, gives organizations a critical head start in their investigation process without relying on IOCs – by the time an IOC matches, detection is already too late.
Vendors are quick to call out best practices for deployment and patching, but rarely address the dragons in the room: their poor code quality, insufficient patching and DFIR procedures, and a lack of coverage by the security tools which have become standard on desktops and servers. They need to be held accountable, both by customers and, more importantly, by governments. In 2023, Congress held a hearing regarding Ticketmaster’s poor handling of the Taylor Swift Eras tour, yet Boeing, Comcast, and a myriad of others were breached via their infrastructure, millions of customer records were stolen, and the response, by and large, was “Shake it off”.