Edge devices exploited
Edge devices such as routers, switches, VPN hardware and security appliances are often neglected in security analyses. They are difficult to log and monitor, lack EDR protection and are often themselves the security devices. They are frequently overlooked, left with default passwords, inadequately patched, or allowed to reach end-of-life status with no further patches available. These vulnerable, internet-facing devices have routinely been exploited to build botnets. The Mirai malware and its many spinoffs, for example, infamously infect Linux-based routers through default passwords and use them for DDoS attacks and spam campaigns. Because such infections did not necessarily affect the networks behind the devices directly, they received little attention.
Edge device exploitation has changed significantly in recent years and is now conducted by nation-state APTs to build stealthy communication and exfiltration infrastructure for covert operations. A recent Check Point Research report revealed a Chinese operation targeting TP-Link routers with dedicated firmware malware. The state-sponsored Camaro Dragon APT deployed a custom backdoor called “Horse Shell” to maintain persistence, transfer files and tunnel network traffic, anonymizing its communications through a chain of infected nodes. This methodology of using compromised routers as covert networks to obfuscate C&C traffic was previously reported as RedRelay and ZuoRAT, and it continued to thrive in 2023.
Edge devices are targeted not only as components of communication infrastructure but also as initial entry points into networks. In a sophisticated operation reported by Microsoft in May, the Chinese state-sponsored Volt Typhoon APT group employed a dual strategy. The group exploited SOHO (Small Office/Home Office) edge devices and integrated them into a communication infrastructure later named the KV-botnet. This botnet was then used to disguise command and control (C&C) communications from other compromised edge devices within critical infrastructure organizations in the United States. Unlike Camaro Dragon's operation, this case did not involve dedicated firmware malware; rather, the KV-botnet consisted of end-of-life Cisco and DrayTek routers as well as NETGEAR firewalls. Fortinet FortiGuard devices in critical U.S. infrastructure were separately breached and served as gateways for espionage and potential disruption, with their communications hidden via the KV-botnet.
Edge devices are not compromised solely through known, unpatched vulnerabilities in end-of-life hardware. Mandiant researchers reported extensive zero-day exploitation and the use of customized malware against edge and network devices by Chinese APTs such as UNC3886 and UNC4841. UNC3886 has used dedicated customized malware to target Fortinet security devices and VMware servers, both of which lack EDR solutions.
UNC4841 conducted a global espionage campaign by exploiting a zero-day vulnerability in another edge device, the Barracuda Email Security Gateway (ESG). In one of the more aggressive campaigns reported this year, the attackers targeted public and private sector entities worldwide, with an emphasis on the Americas. Almost a third of the affected organizations identified were government agencies. In response to discovery and mitigation efforts, the attackers deployed additional malware designed to maintain persistence on a subset of breached entities. This aggressive, persistent campaign led to the exceptional vendor recommendation to replace all ESG appliances, as they were deemed unsafe.
Edge devices are not exploited exclusively by Chinese actors. APTs affiliated with Russia's military intelligence have used this strategy extensively against Ukrainian targets during the ongoing conflict. Since the start of the Russian-Ukrainian war, a barrage of cyber-attacks has significantly damaged Ukraine’s energy, media, telecommunications and financial industries, as well as government agencies. The intensity and volume of these attacks were facilitated by compromising edge devices, which enabled Russian threat actors to maintain persistent access to targeted networks and conduct multiple attacks over time. The Russian-linked APT28 group was observed deploying the JaguarTooth malware, which was specifically designed to exploit vulnerabilities in Cisco IOS routers; despite having been reported back in 2017, these vulnerabilities still prove effective.
Broadening their cyber-attack landscape beyond Ukraine, in late 2023 the Russian APT Sandworm targeted Denmark's infrastructure and energy sectors. In what signals a significant escalation, the group executed attacks on 22 Danish entities, leveraging two zero-day vulnerabilities in Zyxel firewalls. This strategic move to compromise critical facilities in Denmark by targeting vulnerable edge devices gave the attackers remote code execution (RCE) capabilities on the breached platforms. As a result, several companies were forced to halt normal operations and temporarily resort to 'Island Mode' functioning. This shift underscores Sandworm's extensive capability to exploit vulnerabilities and coordinate attacks on a wide scale.
Financially motivated ransomware groups are also targeting edge devices. CACTUS, Akira and LockBit exploit misconfigured or vulnerable Citrix and Fortinet VPN devices in their attacks. Groups such as FIN8, LockBit and Medusa have leveraged critical unpatched vulnerabilities in Citrix NetScaler devices to compromise large companies. These attacks progressed to the deployment of persistent webshells that remain active even after patching and rebooting. Breaches via edge devices often culminate in ransomware being deployed to the compromised networks.
Previously targeted primarily by Mirai-like botnets for spam and DDoS attacks, edge devices are now exploited by more sophisticated actors in precise operations. They are used as communication infrastructure for other campaigns, as initial access points, or as a means of disrupting the networks they belong to. What began as a sophisticated method practiced by nation-state actors to gain stealthy access was later adopted by financially motivated attackers using existing toolkits. This focused targeting of edge devices has proven effective for breaching high-profile targets while avoiding detection for extended periods. Without timely patching and sufficient monitoring and detection systems designed specifically for edge devices, publicly facing network devices will remain a massive blind spot. As the threat landscape evolves, so should our security solutions and monitoring capabilities.