Danger: Don’t Get Too Close to (the) Edge (Computing)

Threat actors are increasingly targeting edge devices and services, finds Phil Muncaster

History has a way of repeating itself in cybersecurity. So is the case with perimeter or edge-based attacks. As the National Cyber Security Centre (NCSC) explained in February, threat actors used to favour targeting this part of enterprise IT infrastructure – specifically poor passwords on login services and simple vulnerabilities. As organisations got better at locking these down, they migrated to targeting client software and phishing attacks.

Let’s pause for a quick explanation on edge. An edge device sits at the boundary between your network and the rest of the world. It quickly handles that data before sending it to other computers on a network or storage in the cloud. (See box-out for how others explain ‘edge’.)

As more software manufacturers improve security by design, threat actors are returning to the perimeter. Realising there are poor returns from compromised passwords or misconfigurations, attackers use zero-day vulnerabilities in products like file transfer applications, firewalls, VPNs, and load balancers instead.

Where state operatives go, cyber criminals follow, and vice versa. It’s time to get serious about protecting the edge.

A new Achilles heel

According to the NCSC, finding zero-days in edge products is not necessarily as advanced as it sounds. In fact, many are “trivial to find and exploit” and could reap big rewards. The challenge is that many of the products that sit at the network edge aren’t secure by design, as is the case with most client software, meaning there are plenty of potentially novel bugs to exploit.

Their lack of logging also creates challenges for network defenders and investigators. And because of their location, they provide a perfect gateway to internal networks and resources accessible to anyone from the internet.

Phosphorus Cybersecurity CISO, John Terrill, adds that network-connected IoT and OT/ICS devices are also a potentially major security risk – which can significantly expand the corporate attack surface if not properly managed.

“These unknown, unmanaged and unmonitored devices – including printers, cameras, door controllers, HVACs, WiFi routers, PLCs, HMI Controllers and PDUs – are often deployed and operating with the poorest security hygiene, including default passwords, vulnerable firmware, and insecure network connections,” he tells Assured Intelligence.

“This makes these devices easy edge targets for threat actors and ransomware gangs.”

From theory to practice

This same modus operandi has reaped rich rewards for threat actors numerous times in recent months. When one zero-day is discovered and publicised, other groups often follow suit.

Chinese threat actors were blamed for a long-running cyber-espionage campaign targeting FortiGate edge appliances with zero-day vulnerability CVE-2022-42475 to deploy the novel Coathanger RAT. The Dutch authorities claim as many as 20,000 systems worldwide may have been compromised in this way, warning it’s part of a trend to target edge devices such as VPNs, email servers and firewalls, which are internet-connected but often not protected by endpoint detection and response (EDR) monitoring.

The monthly number of CVEs added dropped 56%, whereas the monthly addition of edge service and infrastructure CVEs rose by 22% over the same period

In a separate case, Chinese actors were accused by Mandiant of exploiting zero-day bug CVE-2023-46747 in F5 BIG-IP Traffic Management User Interface products for remote access and control. And Ivanti’s ConnectSecure VPN product and Policy Secure network access control (NAC) solution have been hit in the same way, as have NetScaler ADC and NetScaler Gateway appliances by the infamous Citrix Bleed zero-day.

A report by WithSecurity reveals that over the past few months, more edge service and infrastructure vulnerabilities were added to the CISA KEV catalogue than regular vulnerabilities. It claims the monthly number of CVEs added dropped 56%, whereas the monthly addition of edge service and infrastructure CVEs rose by 22% over the same period. Exploitation of such bugs has been rising since 2022, it adds.

Action1 has similarly concerning news. Its research reveals that while load balancers were reasonably secure overall, they were disproportionately targeted by threat actors between 2021 and 2023 – leading to a record 17% exploitation rate over the period. This rose to 100% for NGINX and 57% for Citrix products.

Shoring up perimeter defences

The question is how CISOs can protect the edge more effectively. In the long term, the NCSC wants IT buyers to force vendors to build more secure products. But that’s not going to help mitigate today’s threats. For these, it argues that CISOs should consider cloud-hosted rather than on-premises perimeter products, as these will get updated quicker and be regularly monitored by vendors. It also suggests that, if cloud migration isn’t possible, switch off or block any unused interfaces or portals on internet-facing software via firewall – as these “additional services” are often exploited by threat actors.

Finally, the NCSC wants in-house developers to be held to the same high standards to ensure products and services are always secure by design. It argues that cloud hosting and the use of technologies like serverless can limit the damage if a service is ultimately compromised.

People, processes and technology

Netskope field CTO, Steve Riley, argues that people, processes and technology are critical. The technology piece should begin with zero-trust network access (ZTNA) for externally facing services – including multi-factor authentication (MFA) and continuous analysis of access logs for anomalies. This will remove the need for traditional remote access/VPN solutions, which are less secure.

“Organisations may be aware of severe vulnerabilities and available patches but are unable to apply them because this responsibility lies with the MSSP” Steve Riley

“The ZTNA paradigm significantly reduces the attack surface by eliminating the need for incoming connections, thereby avoiding the explicit exposure of entry points within the organisation’s address space that attackers might probe for vulnerabilities or misconfigurations,” he tells Assured Intelligence.

Second, he recommends revisiting security processes in the context of edge threats, such as risk-based patching and continuous auditing of configurations, to improve security posture. Riley also argues that CISOs should push vendors to adopt security-by-design processes and do their due diligence when adopting new technologies.

“An often overlooked but critical aspect is the management of remote access devices provided by managed security service providers (MSSPs),” he adds.

“Organisations may be aware of severe vulnerabilities and available patches but are unable to apply them because this responsibility lies with the MSSP. Therefore, it is important to include specific contract clauses that define service level agreements (SLAs) for the timely application of security patches in the event of severe vulnerabilities.”

The third pillar involves user education to ensure employees understand how to use perimeter-based tools and applications securely and the latest social engineering tactics. Riley claims this is especially important in the context of mass hybrid working and the use of remote access tools.

“Human beings are, regardless of the technology in use, the most exposed element of the attack chain,” he concludes.

“Organisations must ensure that users are vigilant and informed about these risks. The battle for perimeter security must be a collective effort, with individuals playing a primary role rather than being viewed as the weakest link.”