Vulnerable Remote Access & Perimeter Devices: The Hidden Attack Surface That’s Growing Out of Control
The recent scramble by organizations to patch a dangerous security flaw in F5 Networks’ BIG-IP product gave us a glimpse of the new reality facing the enterprise in the post-COVID world: network controls are coming up dangerously short.
Organizations lack visibility into the sprawling external network of internet-connected services and devices that has grown up outside their firewalls to support a workforce that will be remote for the foreseeable future. These IP-connected assets fall outside the purview of most security controls. In fact, most organizations have no security controls at all for the new IT needed to enable remote employees—remote access devices, VPNs, and perimeter network devices, to name a few.
Over the past three months, the headlines have been full of dozens of newly disclosed vulnerabilities in these devices, including flaws in Cisco, Microsoft, Citrix, and IBM products. Any one of them can take down an organization, whether or not its security team knows the affected device is part of its attack surface. Threat actors are taking note, realizing that flaws invisible to security teams are inroads for an attack. For organizations, keeping track of these new assets and their vulnerabilities requires a new type of technology that looks at an organization’s digital presence from the outside in.
Below, we’ve used our global internet telemetry to map this quickly evolving external attack surface to demonstrate how businesses now look to threat actors online, and what they need to keep track of beyond the firewall.
Threat Landscape
2020 has seen a steady clip of vulnerability announcements for remote access and perimeter devices. Already, in the first half of this year, 18X high-to-critical vulnerabilities in these systems have been reported:
March 2020
• CVE-2020-10189: Zoho Desktop Central Remote Code Execution Zero-day Vulnerability
• CVE-2020-0796: Microsoft SMB Remote Code Execution Vulnerability
April 2020
• CVE-2020-2883: Oracle WebLogic Remote Code Execution Vulnerability
May 2020
• CVE-2020-3280: Cisco Unified Contact Center Express Remote Code Execution Vulnerability
• 2020-05-07: High-Severity Flaws Within Cisco ASA and Firepower Products Disclosed
• CVE-2020-9314 & CVE-2020-9315: Oracle iPlanet Web Server (v7.0) Sensitive Data Exposure and Image Injection
• 2020-05-11: Multiple Vulnerabilities Reported in Citrix ShareFile
June 2020
• CVE-2020-4450, CVE-2020-4448: Remote Code Execution Within IBM WebSphere Application Server
July 2020
• CVE-2020-2021: PAN-OS Authentication Bypass in SAML
• 2020-07-10: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Multiple Vulnerabilities
• CVE-2020-5902: Remote Code Execution Vulnerability in F5 BIG-IP Network Devices
• CVE-2020-6287: SAP NetWeaver AS Java LM Configuration Wizard Critical Vulnerability
The above list does not include the following legacy vulnerabilities from 2019, which intelligence shows threat actors are also actively exploiting:
• CVE-2019-1579: PAN-OS Remote Code Execution Vulnerability
• CVE-2019-19781: Citrix NetScaler ADC Arbitrary Code Execution Vulnerability
• CVE-2019-0604: Microsoft SharePoint Remote Code Execution Vulnerability
• CVE-2019-10149: Exim Internet Mailer Remote Code Execution Vulnerability
• CVE-2019-15846: Exim Internet Mailer Remote Code Execution Vulnerability
• CVE-2019-16928: Exim Internet Mailer Heap-based Overflow Vulnerability
RiskIQ Global Observations
Using RiskIQ’s Internet Intelligence Graph, we are able to understand the impact these vulnerabilities may have on organizations. Pulling total observations from June 1, 2020 to the present, we see the following counts of observed instances per product:
• Palo Alto GlobalProtect: 61,869
• BIG-IP: 967,437
• IBM WebSphere Application Server: 7,496
• Oracle WebLogic: 14,563
• Microsoft Remote Desktop Gateway: 42,826
• Citrix NetScaler Gateway: 86,773
• Citrix ADC: 7,970
• Cisco ASA & Firepower: 1,982
• Oracle iPlanet Web Server 7.0: 2,848
• SAP NetWeaver: 2,629
• Zoho Desktop Central: 1,988
• Citrix ShareFile: 2,766
Advanced Actors Leveraging these Vulnerabilities
Both the US and Australian governments have advised companies to address these critical vulnerabilities, with US Cyber Command recommending that organizations patch both the F5 and PAN-OS vulnerabilities immediately.
Additionally, security firms FireEye and ClearSky Security released reports this year highlighting state-sponsored actors’ use of the above vulnerabilities to gain footholds in target victims’ networks. FireEye outlined activity by APT41, in which the group leveraged Citrix and Cisco vulnerabilities in recent attack campaigns. ClearSky Security described an operation by the Iranian group Fox Kitten, in which the actors specifically target vulnerable VPN systems in their campaigns.
Finally, both the United States National Security Agency (NSA) and Australian Signals Directorate (ASD) have warned of state-sponsored actors that leverage a broad swath of vulnerabilities to deploy web shell malware on vulnerable devices. By doing so, they gain a valuable foothold into target organizations.
Situational Awareness into your Attack Surface is Critical
RiskIQ Digital Footprint provides organizations with the ability to quickly gain situational awareness into their attack surface across this rapidly evolving vulnerability and threat landscape. Our breadth and depth of data collection continue to grow as we rapidly deploy detections for new devices and software components. This internet-wide visibility enables our customers to answer questions and effectively understand risk across their attack surface.
For Digital Footprint customers, the above visuals should look familiar. These reports and dashboards are included with your subscription. Beyond the pre-baked visuals, you can also build out custom panels of your own or extend the existing widgets.
© 2020 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.
If potentially vulnerable devices are identified within your footprint, you can click the dashboard widgets to run a query against your inventory. Doing so reveals the exact assets that match the query.
Viewing the details of an asset helps identify what else is connected to it and whether it has clear ownership within the organization. From this view, vulnerabilities can easily be dismissed if they are not applicable, though RiskIQ will automatically adjust these values as our continuous monitoring engine detects a change.
A modern organization’s digital presence is a mosaic of internet-connected hardware, software, and digital supply chains. More internet services mean more complexity, and “non-standard” becomes the norm. With your attack surface regularly in flux, keeping tabs on its composition, as well as on the infrastructure of the attackers targeting it, is one of the most challenging jobs facing security teams today. However, deep insight across the public internet makes it not only possible but also manageable.
Contact us today to find out how RiskIQ can help you keep your organization’s digital footprint under control.