Over the past several months, the enterprise attack surface has changed radically, and many security teams are struggling to catch up. The recent scramble to patch a dangerous security flaw in F5 Networks' BIG-IP product marked the beginning of a new reality facing the enterprise in the post-COVID world: network controls are coming up dangerously short.
Organizations are lacking visibility into the external network of internet-connected services and devices growing wildly outside their firewalls to support a workforce that will be remote for the foreseeable future. However, these IP-connected assets aren't in the purview of most security controls. In fact, most organizations don't have any security controls for the new IT needed to enable remote employees, such as remote access devices, VPNs, and perimeter network devices.
The F5 hack wasn't the first critical vulnerability to come to light since widespread remote work began, and it's certainly won't be the last. Recent headlines have been full of dozens of new vulnerabilities found in these devices, including Cisco, Microsoft, Citrix, and IBM products. Each of these vulnerabilities can take down an organization, whether or not its security team knows it's part of its attack surface.
Realizing they're invisible to many security teams, threat actors note these security flaws and use them as inroads for attacks. Both the US and Australian governments have advised companies to immediately address the recent spike in critical vulnerabilities, with US Cyber Command recommending that organizations patch both the F5 and PAN-OS vulnerabilities.
Additionally, security firms FireEye and ClearSky Security released reports this year highlighting state-sponsored actors' use of the above vulnerabilities to gain footholds in target victims' networks. FireEye outlined activity by APT 41, where the group has leveraged Citrix and Cisco vulnerabilities in recent attack campaigns. ClearSky Security described an operation by the Iranian group Fox Kitten, where actors target vulnerable VPN systems in their campaigns specifically.
Both the United States National Security Agency (NSA) and Australian Signals Directorate (ASD) have warned state-sponsored actors that leverage a broad swath of vulnerabilities to deploy web shell malware on vulnerable devices. By doing so, they gain a valuable foothold into target organizations.
With your attack surface regularly in flux, keeping tabs on its composition—and the infrastructure of attackers targeting it—is one of the most challenging jobs facing security teams today. Keeping track of these new assets and vulnerabilities takes a new type of technology that looks at an organization's digital presence from the outside-in.
RiskIQ used the global telemetry in our Internet Intelligence Graph to map this quickly evolving external attack surface to demonstrate how businesses now look to threat actors online, and what they need to keep track of beyond the firewall. Our vulnerability Landscape report offers a high-level view of critical vulnerabilities in 19 widely used remote access and perimeter devices. The findings show that the rapidly increasing adoption of these devices amid the COVID-19 pandemic introduces a range of critical, rapidly proliferating vulnerabilities—of which threat actors are already taking advantage to attack organizations.
Download the report to find the total number of vulnerabilities in online devices across the internet, including:
- Palo Alto Global Protect
- F5 Big-IP
- IBM WebSphere Application Server
- Oracle WebLogic
- Microsoft Remote Desktop Gateway
- Citrix NetScaler Gateway
- Cisco ASA & Firepower
- Oracle iPlanet Web Server 7.0