Edge device vulnerabilities fueled attack sprees in 2024

Edge devices harboring zero-day and n-day vulnerabilities were linked to the most consequential attack campaigns last year, Darktrace said in an annual threat report released Wednesday.
Darktrace’s threat researchers found the most frequent vulnerability exploits in customers’ instances of Ivanti Connect Secure and Ivanti Policy Secure appliances, along with firewall products from Fortinet and Palo Alto Networks.
Products shipped by cybersecurity vendors themselves became the initial access vector for the majority of the most significant attack campaigns last year, the report shows.
Vendors that supply security hardware and services were responsible for four of the six most commonly exploited vulnerabilities observed by Darktrace: a pair of vulnerabilities affecting Ivanti products (CVE-2023-46805 and CVE-2024-21887); a trio impacting Palo Alto Networks firewalls running PAN-OS (CVE-2024-3400, CVE-2024-0012 and CVE-2024-9474); and a vulnerability affecting Fortinet’s network management tool FortiManager (CVE-2024-47575).
“These devices sit on the edge of your network, and that’s your last sight of visibility and therefore the door to your house,” Nathaniel Jones, VP of threat research at Darktrace, told CyberScoop.
“If they can get through cybersecurity companies then they’re bypassing the exact detection that companies have provided customers,” Jones said. “You’re kind of getting underneath the specific thing that’s supposed to be detecting you, and getting access that way.”
Threat groups are investing more resources in studying and reverse engineering widely deployed network edge devices. This shows up in Darktrace’s research, which complements the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, particularly as it relates to repeat offenders — vendors that commonly appear on the agency’s continuously updated list of vulnerabilities that threat groups have exploited in the wild.
Nation-state threat groups are most likely responsible for zero-day attacks on network edge devices because they have the resources, but these vulnerabilities have a long shelf life and are routinely targeted by financially motivated threat groups as proofs of concept emerge, Jones said.
“Your time to do patch management and get that closed off is just decreased, so it makes it challenging to manage those CVEs in these specific devices in a very quick timeframe,” Jones said. “If you’re not on it, or you’re very under-resourced and you have other things going on to support the business, then this can be a problem.”
Threat actors also target edge devices because they lend themselves to living-off-the-land techniques: an attacker can grab an existing compromised credential or create a new one to gain persistent access and move laterally across networks.
Forty percent of the malicious activity observed by Darktrace researchers in the first half of last year involved the exploitation of internet-facing devices. Information-stealing malware surged and became the most prominent activity observed by Darktrace in the second half of 2024.
Darktrace’s annual threat intelligence report on active threats in 2024 is based on research it gathered across its fleet of nearly 10,000 customer deployments.