Attackers are increasingly targeting edge devices and infrastructure to hack into enterprises, with the perennial favourite of phishing falling out of favour.

This malign activity is often achieved by exploiting zero-day vulnerabilities in those infrastructure devices, while avoiding deploying malware on Windows devices as much as possible.

Mandiant reports that last year compromise via exploitation increased by six percent to 38%, while phishing dropped 22% to 17%. Part of the rise was due to a surge in Chinese and Russian state sponsored attackers targeting edge devices and infrastructure.

WithSecure, using a different methodology, reports a similar 22% year-on-year rise in exploitation of infrastructure devices. These technologies include virtual private network (VPN) and managed file transfer appliances.

Enterprise Security ‘Blind Spots’

Stephen Robinson, senior threat intelligence analyst at WithSecure Intelligence, said these devices are often installed and left unattended for years.

“These devices typically have no EDR [endpoint detection and response] and limited logging, with functionality limited to trouble shooting rather than monitoring the underlying operating system,” Robinson said during a presentation at the Sphere 24 conference.

“EDR is either not allowed or manufacturers restrict it. This creates blind spots in enterprise security.”

These “blind spots” are spawning mass exploitation events. For example a February 2024 vulnerability in ScreenConnect remote management software was exploited “at scale” to hack systems before even half of them were patched, according to Robinson.

Clip CLOP

Even more notoriously, a flaw in the Progress Software's MOVEit file transfer software was used to deploy the CLOP ransomware. The CVE-2023-34362 vulnerability allowed attackers to execute arbitrary SQL commands on vulnerable servers, allowing hackers to plant a web shell and extract data before deploying ransomware.

Recently it emerged that a threat actor was exploiting zero-days in Cisco ASA firewalls since as early as July 2023, up until early 2024. The attackers used the compromised firewalls for initial access, reconnaissance, and traffic capture and exfiltration with the primary post-compromise target being Microsoft Exchange servers.

Cisco issued patches for two zero-day vulnerabilities in their ASA firewalls - CVE-2024-20353 and CVE-2024-20359 - in late March and early April.

Mikko Hypponen, chief research officer at With Secure, told SC UK that although exploitation of zero day vulnerabilities by nation states is grabbing the headlines, the greater threat from exploitation of infrastructure devices comes from cybercriminals.

“The primary exploitation is by ransomware affiliates,” he said.

Cybercriminals deploying ransomware and exploiting known vulnerabilities was the biggest source of problems, according to WithSecure. This finding is supported by research from other vendors.

We Need to Talk About KEVin

An analysis of the CISA’s Known Exploited Vulnerabilities (KEV) catalogue by security vendor BitSight revealed that a third of organisations analysed had at least one known vulnerability in 2023, with nearly a quarter of those facing five or more.

The study – based on an internet-wide scan – reports that 60% of vulnerabilities remained unaddressed past CISA's deadlines for remediation.

Ransomware vulnerabilities make up 20% of the KEV catalog, but are 64% more prevalent compared to those not known to be used in ransomware, according to BitSight. Fortunately. ransomware-related KEVs are remediated 2.5x faster than non-ransomware KEVs

WithSecure’s Robinson said that patching infrastructure devices is becoming a critical security requirement. “Enterprises need to respond quickly to security incidents,” Robinson added.

John Leyden Journalist