Threat actors bypassing shoddy patching, targeting network gateways


Pictured: Rapid7 headquarters in Boston.

A new report from Rapid7 examining the 2020 vulnerability landscape finds that criminal and nation-state hackers are increasingly relying on attacks that target gateways to corporate networks and finding alternative ways to exploit patched flaws.

The report found that the volume of published vulnerabilities has increased “significantly” over the past five years, with 18,362 reported in 2020 alone. It also examined dozens of critical or high-impact vulnerabilities discovered throughout the past year, some of which have been turned into well-known exploits and others that are sitting quietly in the background, waiting to be weaponized for widespread use by the right hacking group or ransomware operator.

Among the findings are nine vulnerabilities that operate as “network pivots,” where attackers targeted VPNs, firewalls and other internet-facing technologies to gain initial access. Often, these flaws were paired with other exploits to escalate privileges or execute code that allowed the attackers to roam through victim networks and cause further carnage.

These pivots remain “extremely valuable to both state-sponsored and low-skilled attackers” as well as to legitimate security research and penetration testing activities, the report noted. Over a one-month period between June and July 2020, four different vulnerabilities with a CVSS severity score of 10 out of 10 were disclosed in commonly used products from F5 Networks, Palo Alto Networks and others.

Targeting gateway and perimeter-based technologies like VPNs and firewalls has become big business for ransomware groups and criminal brokers who specialize in gaining and selling initial access to victim networks. Nation-states have also focused on them, spurring the National Security Agency to issue a rare public advisory last year noting that multiple APT groups were weaponizing VPN vulnerabilities to gain broader network access.

Growing adoption of cloud and “Zero Trust” technologies and processes, as well as the more recent decentralization of workforces to home offices following the coronavirus pandemic, has substantially eroded the concept of a network perimeter that underpinned many of these tools. Meanwhile, venture capital firms are increasingly investing in startups that offer security-minded alternatives to VPNs and other technologies.

Despite that movement, Caitlin Condon, manager of software engineering at Rapid7 and primary author of the report, told SC Media that the status quo is likely to endure for some time.

“I don’t think any of those technologies are going away. There’s still a need for them,” said Condon. “Whether the industry is going to evolve to deploy them in different ways so they have less of a public-facing attack surface area, that’s an open question.”

Zombie vulns continue to rise from the grave

The most direct route to closing off many software security vulnerabilities is often through an update. However, some attackers are getting better at finding ways to continue exploiting weaknesses long after they’ve been patched.

Some patches fix a vulnerability only at the superficial level, rather than addressing the root cause. This dynamic has led to a banner year for bypass vulnerabilities, where threat actors revisit a patched CVE and discover new ways to exploit the same fundamental weakness with a few minor changes to the underlying code or kill chain.

The reasons why these patches are incomplete can vary, from the complexity of the initial vulnerability and how it might impact the core architecture of the host system, to the way some organizations prioritize speed over thoroughness when issuing patches for a newly discovered flaw. Other contributing factors can include a dearth of cybersecurity professionals, a lack of security input during the software development process, and oversights due to sheer exhaustion at companies facing an unprecedented threat landscape in the digital space.

The end result is that even simple advice like “patch your systems and devices” can become exponentially more complex and fraught, leaving the door open for malicious hackers to double- or triple-dip on the same vulnerability if they can find alternate pathways.
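To make the “superficial patch versus root cause” distinction concrete, here is an added, constructed illustration that is not from the Rapid7 report or from SC Media. It uses a hypothetical file-serving check: the first “fix” only blocks the literal `../` token that the original bug report mentioned, while the second enforces the actual invariant (the resolved path must stay inside the document root). The file names and the `superficial_patch` / `root_cause_fix` functions are assumptions for the example.

```python
import os
import tempfile

# Constructed example, not the page's or any vendor's code: two ways of
# "fixing" a path-traversal bug in a hypothetical static-file handler.


def superficial_patch(document_root: str, requested: str) -> bool:
    """Pattern-based fix: reject only requests that contain the literal
    "../" token reported in the original bug. Any other way of reaching a
    file outside the root (an absolute path, a symlink placed under the
    root, ...) is still accepted, because the fix never checks where the
    path actually resolves."""
    return "../" not in requested


def root_cause_fix(document_root: str, requested: str) -> bool:
    """Invariant-based fix: resolve symlinks and '..' segments, then require
    the final location to lie under the document root. This rejects every
    route out of the root, not just one spelling of it."""
    root = os.path.realpath(document_root)
    # os.path.join discards `root` when `requested` is absolute, which is
    # exactly why the containment check afterwards is the part that matters.
    target = os.path.realpath(os.path.join(root, requested))
    return os.path.commonpath([root, target]) == root


def compare_policies(document_root: str, requests):
    """Return {request: (superficial_result, root_cause_result)} so the gap
    between the two policies can be inspected side by side."""
    return {
        r: (superficial_patch(document_root, r), root_cause_fix(document_root, r))
        for r in requests
    }


def build_demo_root() -> str:
    """Create a constructed document root containing a normal file and a
    symlink that points outside the root (the symlink stands in for content
    that an attacker or a careless deploy placed under the web root)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    outside = tempfile.mkdtemp(prefix="outside-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>constructed sample page</html>\n")
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("constructed secret\n")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "link.txt"))
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for req, (shallow, deep) in compare_policies(
        demo_root, ["index.html", "../secret", "/etc/hostname", "link.txt"]
    ).items():
        print(f"{req:15} superficial={shallow!s:5} root_cause={deep}")
```

The point for a patch reviewer is the check, not the token list: a fix that validates the invariant the vulnerability violated (“the served path is inside the root”) closes the whole class, whereas a fix that matches the one input string from the bug report leaves the same weakness reachable by a different spelling.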

“Security is really hard. That’s true everywhere and I have enormous empathy for a lot of security teams who might have been apprised of a vulnerability that is already under attack by the time they know about it,” said Condon. “I think the speed of getting a fix out and letting their customers know that there is a critical [vulnerability] that needs addressing is probably [one] reason behind that.”

Of the nine bypass vulnerabilities tracked by Rapid7 in 2020, two are classified as a threat for widespread exploitation across different industries, while another six are classified as “impending threats” that could become more widespread in the near future.

They’re not the only zombie vulnerabilities threatening to rise from the grave to torment victims. Rapid7 flagged another 14 critical and widespread weaknesses that have already been patched but “are likely to stalk unpatched systems well into 2021.” They include the infamous Zerologon bug, a remote code execution vulnerability in F5’s BIG-IP TMUI configuration and an authentication flaw in SAP’s Netweaver application servers.