TL;DR: In recent months, CISA, MITRE, CVE.org, and others have announced critical vulnerabilities in several network infrastructure devices, and most of them are known to be exploited in the wild.
All these vulnerabilities have one thing in common…
Exploits against them will NOT be detected by endpoint-based threat detection and response systems, because none of these devices can run an endpoint agent. A better approach is needed.
Shifting Attack Surface: Beyond the Endpoint
The digital landscape has shifted. When we think of cyber attacks, we typically think of an attack that compromises a server, database, workstation, laptop, or similar device to access sensitive data or gain access to other systems.
While attackers once focused on infiltrating these traditional endpoints, they appear to be shifting to a new entry point: network infrastructure. Switches, routers, network access control (NAC) systems, firewalls, DNS servers, virtual private network (VPN) appliances, and others, long treated as trusted plumbing rather than targets, have become battlegrounds as an increasing number of vulnerabilities are discovered in them.
The surge in network infrastructure vulnerabilities is alarming. The US CISA has documented dozens in recent months, each presenting a potential backdoor into networks holding our most sensitive data and critical operations. Here are just a few examples:
29-Jan-2024 | Juniper Networks Releases Security Bulletin for J-Web in Junos OS SRX Series and EX Series
18-Jan-2024 | Citrix Releases Security Updates for NetScaler ADC and NetScaler Gateway
11-Jan-2024 | Juniper Networks Releases Security Bulletin for Junos OS and Junos OS Evolved
10-Jan-2024 | Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways
9-Jan-2024 | Fortinet Releases Security Updates for FortiOS and FortiProxy
14-Nov-2023 | Fortinet Releases Security Updates for FortiClient and FortiGate
1-Nov-2023 | CISA Updates Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities
These vulnerabilities are diverse, ranging from zero-days in appliance firmware to misconfigurations and known bugs left unpatched. This poses a significant threat: compromising even a single device can grant attackers a foothold to pivot laterally, exfiltrate data, disrupt operations, and launch further attacks, all while remaining invisible to endpoint security, which has no agent on the device to observe any of it.
Recent Attacks on Network Infrastructure
There have been several high-profile attacks in the past year that are worth pointing out:
Barracuda Email Secure Gateway (ESG) Appliance Attack
In May 2023 Barracuda announced a critical security vulnerability (CVE-2023-2868) in its Email Security Gateway appliances that attackers had been exploiting since as early as October 2022. The flaw was a remote command injection in the appliance's processing of email attachments (.tar archives), so a single crafted email was enough to trigger it. According to incident response teams from Mandiant, the vulnerability was exploited globally by an aggressive and skilled threat actor with suspected links to China.
The attackers were able to trigger a command injection attack that enabled them to remotely execute system commands with the privileges of the ESG product. They were subsequently able to maintain persistence for continued operations and demonstrated the ability to move laterally from the ESG appliance.
While patches were released, Barracuda urged customers to replace affected devices entirely due to potential data exfiltration and malware persistence. That guidance applied even to devices that had already been patched: an appliance compromised before the patch could still carry the attackers' implants afterwards.
While Barracuda offered replacements at no cost, the process and financial aspects were difficult for both their customers and Barracuda. At the time of the incident, the situation was unprecedented and highlights the severity of the vulnerability.
Viasat Modem Attack
Viasat, an American satellite communications company, identified a cyber-attack against its modems on the KA-SAT network that took place on 24 February 2022, the day of the Russian invasion of Ukraine. Attributed by the US, EU, and UK governments to Russia, the attack used the AcidRain wiper malware in an attempt to disrupt Ukrainian communications; it impacted several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.
According to Viasat, the attackers gained access through a misconfigured VPN appliance on the KA-SAT management network (later analysis, quoted below, identifies it as a Fortinet appliance). From there they pushed destructive commands to the modems, and AcidRain overwrote data on the devices, rendering them unusable.
According to Viasat’s description of the incident,
“... forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network. The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”
The European Space Policy Institute issued a final report on this incident which pointed to vulnerabilities in BOTH the modem AND the Fortinet VPN appliance:
“It seems that ViaSat’s SurfBeam internet modems have unpatched vulnerabilities that enable to install and run applications on them without a signature verification or a firmware update, which seems consistent with the upload of the Acid Rain wiper malware.”
“Therefore, the attacker of KA-SAT may have exploited this unpatched vulnerability on Skylogic’s [Fortinet] VPN appliances, and/or the attacker may have previously collected valid VPN credentials from this data breach.”
While some end-customer modems received over-the-air updates, in some cases those updates were insufficient to restore functionality, and new modems were provided to quickly restore service. Viasat eventually shipped tens of thousands of replacement modems to distributors who subsequently replaced the end customer devices.
Endpoint Security is Not Enough
Endpoint-based security systems like EDR and antivirus still hold their ground on traditional endpoints, but they cannot be installed on a firewall, router, VPN gateway, or modem. An attacker who lands on one of these devices generates no endpoint telemetry at all, so against this rising tide the endpoint stack is blind.
This leaves a glaring gap in our defenses – a blind spot for attackers to exploit with potentially devastating consequences.
What to Do About These Infrastructure Attacks?
So, what can we do in the face of this evolving threat landscape?
The answer lies in a rapidly adopted class of security solutions: Network Detection and Response (NDR). Unlike endpoint security, NDR focuses on the network layer, giving visibility into the very communications that attackers depend on: the management session that exploits the device, the connections the compromised device makes afterwards, and the lateral movement that follows. Imagine it as a watchful guardian monitoring every conversation occurring within your network, analyzing protocols, traffic patterns, and behavior for signs of malicious intent.
Here's how NDR plays a critical role in defending against network infrastructure vulnerabilities:
Early Detection and Alerting
- Broad-Based Detection: The most effective NDR systems deploy multiple detection mechanisms, including signature-based detection, machine learning, and behavioral analytics to identify suspicious activity and weak attack signals even if the attacker uses novel techniques. Signatures catch known exploit patterns; behavioral analytics can flag the post-exploitation activity (an appliance opening new outbound connections, management logins from unexpected hosts) even when the exploit itself is a zero-day for which no signature exists yet. This makes zero-day vulnerabilities and new attack methods easier to detect and remediate.
- Real-time Alerts: NDR doesn't wait for the dust to settle; it provides immediate alerts and detailed reports about potential threats, enabling your security team to react quickly and investigate further. This swift response can be the difference between a contained incident and a full-blown breach.
- Contextualization: NDR gathers crucial context about suspected threats, like hostnames, users, device type, protocols used, packet contents, attack timelines, source and destination IP addresses, and even packet captures. This rich information paints a clear picture of the attack, allowing for faster understanding and more informed response decisions.
Investigation and Response
- Threat Hunting: NDR empowers proactive threat hunting. Security analysts can leverage advanced search and filtering capabilities to scour network traffic for specific indicators of compromise (IOCs) or suspicious patterns. This proactive approach can often nip threats in the bud before they blossom into major incidents.
- Automated Response: Some NDR solutions offer automated response capabilities. These can quarantine infected devices, block malicious traffic, or even reconfigure network devices to mitigate the attack. This rapid response can significantly limit the attacker's impact and buy valuable time for human intervention. Scope these actions carefully: an automated rule that isolates a core switch or firewall on a false positive causes its own outage.
Integration and Orchestration
- Holistic View: NDR integrates seamlessly with other security tools like EDR and SIEM, providing a complete picture of network activity and threats across different domains. This interconnectedness fosters coordinated response efforts and prevents attacks from slipping through the cracks.
- Streamlined Response: NDR can integrate with Incident Response (IR) systems and Security Orchestration, Automation, and Response (SOAR) platforms to help automate routine tasks like incident ticketing, vulnerability patching, and response playbooks. In addition, many NDRs can integrate directly with EDR, firewall, and identity management systems to automatically block traffic or quarantine an endpoint. By freeing security personnel from mundane tasks, this lets them focus on complex investigations and strategic decision-making.
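As an added example (not code from the original post, from Stamus Networks, or from any NDR product), the following Python script shows the kind of behavioral logic the bullets above describe, run over a handful of constructed flow records in a Suricata EVE-like shape. It flags three patterns that endpoint tools cannot see: a management-plane connection to an appliance from outside the admin subnet, an appliance initiating an outbound connection it has no reason to make, and one source touching the management plane of many devices within a short window, which is the shape of the mass push of modem commands in the Viasat incident described earlier. The subnets, device inventory, ports, thresholds, and flow records are all hypothetical.

```python
"""Behavioral detection over NDR flow records for infrastructure devices.

Added example, not code from Stamus Networks or any NDR product. The network
layout, device inventory and flow records below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical environment (assumptions, not from the post)
ADMIN_NET = ipaddress.ip_network("10.0.100.0/24")   # only admins should manage devices
MGMT_PORTS = {22, 8443}                              # SSH and out-of-band web UI
INFRA_DEVICES = {                                    # managed device inventory
    "10.0.1.1": "edge-firewall",
    "10.0.1.2": "vpn-gateway",
    "10.0.2.10": "modem-0010",
    "10.0.2.11": "modem-0011",
    "10.0.2.12": "modem-0012",
}
# Destinations an appliance itself is expected to initiate connections to
ALLOWED_OUTBOUND = {"10.0.0.53": {53}, "10.0.0.123": {123}}  # DNS, NTP
FANOUT_THRESHOLD = 3                   # distinct devices managed from one source ...
FANOUT_WINDOW = timedelta(seconds=60)  # ... inside this window is suspicious

# Constructed flow records in a Suricata EVE-like shape (fabricated sample data)
SAMPLE_FLOWS = [
    {"timestamp": "2024-02-01T09:00:00Z", "src_ip": "10.0.100.5", "dest_ip": "10.0.1.1", "dest_port": 8443},
    {"timestamp": "2024-02-01T09:00:05Z", "src_ip": "10.0.1.1", "dest_ip": "10.0.0.53", "dest_port": 53},
    {"timestamp": "2024-02-01T09:01:00Z", "src_ip": "10.0.50.7", "dest_ip": "10.0.1.2", "dest_port": 8443},
    {"timestamp": "2024-02-01T09:01:10Z", "src_ip": "10.0.1.2", "dest_ip": "203.0.113.9", "dest_port": 443},
    {"timestamp": "2024-02-01T09:02:00Z", "src_ip": "10.0.50.7", "dest_ip": "10.0.2.10", "dest_port": 22},
    {"timestamp": "2024-02-01T09:02:03Z", "src_ip": "10.0.50.7", "dest_ip": "10.0.2.11", "dest_port": 22},
    {"timestamp": "2024-02-01T09:02:06Z", "src_ip": "10.0.50.7", "dest_ip": "10.0.2.12", "dest_port": 22},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(flows):
    """Return a list of alert dicts; each carries the context an analyst needs."""
    alerts = []
    mgmt_touches = defaultdict(list)   # src_ip -> [(ts, device_ip)]
    for flow in sorted(flows, key=lambda f: f["timestamp"]):
        ts = parse_ts(flow["timestamp"])
        src, dst, port = flow["src_ip"], flow["dest_ip"], flow["dest_port"]

        # 1. Management-plane access to an appliance from outside the admin network.
        if dst in INFRA_DEVICES and port in MGMT_PORTS:
            mgmt_touches[src].append((ts, dst))
            if ipaddress.ip_address(src) not in ADMIN_NET:
                alerts.append({"rule": "mgmt_from_unexpected_source", "ts": flow["timestamp"],
                               "src": src, "device": INFRA_DEVICES[dst], "port": port})

        # 2. An appliance initiating a connection it has no business making
        #    (a compromised gateway reaching a command-and-control host looks like this).
        if src in INFRA_DEVICES and port not in ALLOWED_OUTBOUND.get(dst, set()):
            alerts.append({"rule": "appliance_unexpected_outbound", "ts": flow["timestamp"],
                           "device": INFRA_DEVICES[src], "dest": dst, "port": port})

    # 3. Fan-out: one source touching many devices' management plane in a short
    #    window, the shape of a mass push of "legitimate" management commands.
    for src, touches in mgmt_touches.items():
        for i, (t0, _) in enumerate(touches):
            devices = {d for t, d in touches[i:] if t - t0 <= FANOUT_WINDOW}
            if len(devices) >= FANOUT_THRESHOLD:
                alerts.append({"rule": "mgmt_fanout", "ts": t0.isoformat(), "src": src,
                               "devices": sorted(INFRA_DEVICES[d] for d in devices)})
                break   # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Run directly, the script prints six alerts: the out-of-subnet management connection to the VPN gateway, the gateway's own connection to an external host ten seconds later, the three modem management sessions, and the fan-out alert tying those three together. In a real deployment the inventory and allowlists come from the asset database, the flows from the sensor, and the fan-out threshold is tuned against a baseline so that routine configuration pushes from the admin network do not fire it.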
But NDR is not a silver bullet. It's crucial to remember that an effective cyber defense requires a layered approach. Patching vulnerabilities promptly, implementing least privilege access controls, and fostering a security-conscious culture are all essential elements of a robust defense posture.
The rise of network infrastructure vulnerabilities signifies a critical shift in the cyber threat landscape, and deploying endpoint-only systems is no longer enough. NDR, with its unique capabilities for network-level detection, response, and integration, has become a vital tool for defenders in the face of this evolving threat. By embracing this shift and employing NDR along with other security best practices, we can bolster our defenses, protect our networks, and keep our valuable data safe in the face of an ever-changing attack landscape.
With this surge in vulnerabilities and attacks against them, time is of the essence. Keep your network infrastructure from becoming the next vulnerability exploited. Embrace NDR and build a layered defense that stands strong against the rising tide of threats in the digital landscape.
To be notified of new blog posts and other news, make sure to subscribe to the Stamus Networks blog and the Stamus Spotlight Monthly Newsletter, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.