Vulnerable Remote Access & Perimeter Devices: The Hidden Attack Surface That’s Growing Out of Control


The recent scramble by organizations to patch a dangerous security flaw in F5 Networks’ BIG-IP product gave us a glimpse of the new reality facing the enterprise in the post-COVID world: network controls are coming up dangerously short.

Organizations lack visibility into the external network of internet-connected services and devices growing wildly outside their firewalls to support a workforce that will be remote for the foreseeable future. However, these IP-connected assets aren’t in the purview of most security controls. In fact, most organizations don’t have any security controls for the new IT needed to enable remote employees—remote access devices, VPNs, and perimeter network devices, to name a few.

Over the past three months, dozens of new vulnerabilities in these devices have come to light, including in Cisco, Microsoft, Citrix, and IBM products. Each of these vulnerabilities can take down an organization whether or not its security team knows the affected device is part of its attack surface. Threat actors are taking note, realizing that these security flaws, invisible to security teams, are inroads for an attack. For organizations, keeping track of these new assets and their vulnerabilities takes a new type of technology that looks at an organization’s digital presence from the outside in.

Below, we’ve used our global internet telemetry to map this quickly evolving external attack surface to demonstrate how businesses now look to threat actors online, and what they need to keep track of beyond the firewall.

Threat Landscape

2020 has seen a steady clip of vulnerabilities in remote access and perimeter devices announced. Already, in the first half of this year, 18X high-to-critical vulnerabilities in these systems have been reported:

March 2020

• CVE-2020-10189: Zoho Desktop Central Remote Code Execution Zero-day Vulnerability

• CVE-2020-0796: Microsoft SMB Remote Code Execution Vulnerability

April 2020

• CVE-2020-2883: Oracle WebLogic Remote Code Execution Vulnerability

May 2020

• CVE-2020-3280: Cisco Unified Contact Center Express Remote Code Execution Vulnerability

• 2020-05-07: High-Severity Flaws Within Cisco ASA and Firepower Products Disclosed

• CVE-2020-9314 & CVE-2020-9315: Oracle iPlanet Web Server (v7.0) Sensitive Data Exposure and Image Injection

• 2020-05-11: Multiple Vulnerabilities Reported in Citrix ShareFile

June 2020

• CVE-2020-4450, CVE-2020-4448: Remote Code Execution Within IBM WebSphere Application Server

July 2020

• CVE-2020-2021: PAN-OS Authentication Bypass in SAML

• 2020-07-10: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Multiple Vulnerabilities

• CVE-2020-5902: Remote Code Execution Vulnerability in F5 BIG-IP Network Devices

• CVE-2020-6287: SAP NetWeaver AS Java LM Configuration Wizard Critical Vulnerability

The above list does not include the legacy vulnerabilities from 2019 listed below, which intelligence shows threat actors are also actively exploiting:

• CVE-2019-1579: PAN-OS Remote Code Execution Vulnerability

• CVE-2019-19781: Citrix NetScaler ADC Arbitrary Code Execution Vulnerability

• CVE-2019-0604: Microsoft SharePoint Remote Code Execution Vulnerability

• CVE-2019-10149: Exim Internet Mailer Remote Code Execution Vulnerability

• CVE-2019-15846: Exim Internet Mailer Remote Code Execution Vulnerability

• CVE-2019-16928: Exim Internet Mailer Heap-based Overflow Vulnerability

RiskIQ Global Observations

Using RiskIQ’s Internet Intelligence Graph, we are able to understand the impact these vulnerabilities may have on organizations. Pulling total observations from June 1, 2020 to the present, we see:

• Palo Alto GlobalProtect: 61,869

• BIG-IP: 967,437

• IBM WebSphere Application Server: 7,496

• Oracle WebLogic: 14,563

• Microsoft Remote Desktop Gateway: 42,826

• Citrix NetScaler Gateway: 86,773

• Citrix ADC: 7,970

• Cisco ASA & Firepower: 1,982

• Oracle iPlanet Web Server 7.0: 2,848

• SAP NetWeaver: 2,629

• Zoho Desktop Central: 1,988

• Citrix ShareFile: 2,766

Advanced Actors Leveraging these Vulnerabilities

Both the US and Australian governments have advised companies to address these critical vulnerabilities, with US Cyber Command recommending that organizations patch both the F5 and PAN-OS vulnerabilities immediately.

Additionally, security firms FireEye and ClearSky Security released reports this year highlighting state-sponsored actors’ use of the above vulnerabilities to gain footholds in target victims’ networks. FireEye outlined activity by APT41, which has leveraged Citrix and Cisco vulnerabilities in recent attack campaigns. ClearSky Security described an operation by the Iranian group Fox Kitten, in which the actors specifically target vulnerable VPN systems.

Finally, both the United States National Security Agency (NSA) and Australian Signals Directorate (ASD) have warned of state-sponsored actors that leverage a broad swath of vulnerabilities to deploy web shell malware on vulnerable devices. By doing so, they gain a valuable foothold into target organizations.

Situational Awareness into your Attack Surface is Critical

RiskIQ Digital Footprint provides organizations with the ability to quickly gain situational awareness into their attack surface across this rapidly evolving vulnerability and threat landscape. Our breadth and depth of data collection continue to grow as we rapidly deploy detections for new devices and software components. This internet-wide visibility enables our customers to answer questions and effectively understand risk across their attack surface.

For Digital Footprint customers, the above visuals should look familiar. These reports and dashboards are included with your subscription. Beyond the pre-baked visuals, you can also build out custom panels of your own or extend the existing widgets.

If potentially vulnerable devices are identified within your footprint, you can click the dashboard widgets to run a query against your inventory. Doing so reveals the exact assets that match the query.

Viewing the details of an asset helps identify what else is connected to it and whether it has clear ownership within the organization. From this view, vulnerabilities can easily be dismissed if they are not applicable, though RiskIQ will automatically adjust these values as our continuous monitoring engine detects a change.

A modern organization’s digital presence is a mosaic of internet-connected hardware, software, and digital supply chains. More internet services mean complexity goes up, and “non-standard” becomes the norm. With your attack surface regularly in flux, keeping tabs on its composition as well as the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. However, deep insight across the public internet makes it not only possible but also manageable.

Contact us today to find out how RiskIQ can help you keep your organization’s digital footprint under control.

© 2020 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.

RiskIQ is the leader in attack surface management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by thousands of security analysts, security teams and CISOs, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk and take action to protect the business, brand, and customers. Try RiskIQ Community Edition for free by visiting https://www.riskiq.com/community/. To learn more about RiskIQ, visit www.riskiq.com.

Learn how RiskIQ could help protect your digital presence by scheduling a demo today.