From ransomware groups to state-sponsored actors, multiple cyber threat actor types are exploiting vulnerabilities on edge devices, remote services, and other components that are exposed at the network edge (that shouldn’t be). It’s not just known vulnerabilities that are being exploited on devices that asset owners leave unpatched. Well-resourced and capable threat actors are increasingly developing complex zero-day exploits, making it particularly important to have a plan to protect these devices before those that are able can be patched.

Edge devices should be considered among the critical assets of any organization and the security of such devices should be one of the highest priorities. Most often that security is straightforward to include updating software regularly by employing patch management for these externally exposed devices, services, or applications. Unfortunately, edge devices are not always kept updated, thus opening the door to threat actors for exploitation of known vulnerabilities.

Furthermore, adding insult to injury, as with recent Ivanti Pulse Connect Secure (CVE-2023-46805, CVE-2024-21887), Palo Alto Networks PAN-OS (CVE-2024-3400), and Barracuda Networks (CVE-2023-2868) vulnerabilities, there has been evidence of incomplete patches and workarounds which have allowed for bypassed mitigations that have the potential to survive reboots and firmware upgrades.

Additional key points:

• Vulnerabilities in edge devices (e.g., firewalls, routers, switches, VPNs, load balancers, remote services, etc.) are often exploited to gain initial access.
• It’s critical to assess external-facing assets to detect devices, services, and applications that should not be directly accessible from the internet (such as PLCs).
• CISA’s Known Exploited Vulnerabilities (KEV) Catalog is a great resource for maintaining awareness of active exploitation of edge devices.
• According to Rapid7, approximately 19% of the CISA KEV consists of vulnerabilities in network edge devices or security gateways, about half of which were disclosed (and exploited) since 2020 onward.
• While it’s prudent to patch all known vulnerabilities, it is especially important to address known exploited vulnerabilities on the most exposed devices.

Some of the more widely used products/platforms with recent high-profile vulnerabilities which many utilities likely use:

• Check Point VPN
• Palo Alto Networks PAN-OS
• Ivanti Connect Secure and Policy Secure (formerly Pulse Connect Secure)
• Cisco ASA
• Fortinet FortiOS SSL VPN

Analyst comment (Jennifer Lyn Walker): There have been a lot of articles lately discussing the current trend of threat actors exploiting vulnerable edge devices - many vulnerabilities of which WaterISAC regularly shares and amplifies for member awareness. As always, members are encouraged to “update” (patch as able), “compensate” (apply compensating controls when patching isn’t practical – or possible), “isolate” (consider isolating devices that cannot be patched or protected through compensating controls). But ignoring vulnerabilities is not an option. So, patch ‘em if ‘ya got ‘em and haven’t addressed ‘em yet!

Recent articles on edge device exploitation

• Edge Devices: The New Frontier for Mass Exploitation Attacks | SecurityWeek
• 2024 Attack Intelligence Report | Rapid7
• WithSecure Reveals Mass Exploitation of Edge Software and Infrastructure Appliances | Infosecurity Magazine