Attackers target edge devices in mass exploitation attacks

New research from WithSecure looks at the trend of mass exploitation of edge services and infrastructure by attackers.

The number of edge service and infrastructure Common Vulnerabilities and Exposures (CVEs) added to the Known Exploited Vulnerability Catalogue (KEV) per month in 2024 is 22 percent higher than in 2023, while the number of other CVEs added to the KEV per month has dropped 56 percent compared to 2023.

Furthermore, edge service and infrastructure CVEs added to the KEV in the last two years are, on average, 11 percent higher in severity than other CVEs.

So why are these devices so attractive? Stephen Robinson, senior threat intelligence analyst at WithSecure, says, "They're attractive to people trying to be stealthy. There's the issue with infrastructure, there's not really much monitoring going on, there's no EDI on these boxes preventing activity. And often the design of the boxes themselves is such that you can't install EDR, or you could but you are not allowed by the manufacturer. So they provide a really good, dark part of the network to work from."

Several recent reports indicate that mass exploitation may now have overtaken botnets as the primary vector for ransomware incidents. There has been a rapid tempo of security incidents caused by the mass exploitation of vulnerable software such as MOVEit, CitrixBleed, Cisco XE, Fortiguard’s FortiOS, Ivanti ConnectSecure, Palo Alto’s PAN-OS, Juniper’s Junos, and ConnectWise ScreenConnect.

"Technological complexity for everyone is growing, whereas before your typical office might have had an internet connection and the computers would be on the network, on the internet, now it's far more likely that you would have VPN gateways, combined hybrid like applications and things like this, and a lot of back and forth going on," adds Robinson. "One of the big things is a lot of devices running stripped down Linux operating systems. There's obviously benefits to that, but it does mean that we know there are things like Sliver, for example, which is a disclosing framework that runs on Linux and it makes things a lot easier for the attackers if they can get into a Linux box."

The full report is available from the WithSecure site.

Image credit: BeeBright/depositphotos.com