Surge in network edge device exploitation: Of the 33 zero-day vulnerabilities in enterprise-specific products, 20 targeted hardware appliances typically located at the network edge, such as VPNs, security gateways, and firewalls. Notable targets last year included Ivanti Cloud Services Appliance, Palo Alto Networks’ PAN-OS, Cisco Adaptive Security Appliance, and Ivanti Connect Secure VPN.

Targeted attacks against these network edge devices were one of several key zero-day exploitation trends for 2024. In fact, with a total of seven zero-days exploited in its products last year, Ivanti became the third most targeted vendor, after Microsoft and Google and ahead of Apple, which had held the third spot in previous years.

There are several reasons why these products are attractive targets, beyond the fact that many of them are directly reachable from the internet. First, they are designed to connect various devices and users and they operate with high privileges, so compromising one provides a strong foothold for lateral movement inside a network.

Second, these appliances run embedded operating systems, so security teams cannot deploy their usual endpoint detection and response (EDR) tools on them. This lack of visibility means that a compromise of such a device can go undiscovered for a long time.

Finally, according to the Google Threat Intelligence Group (GTIG), achieving remote code execution or privilege escalation on these devices is generally easier and does not require complex exploit chains. As a result, attackers get more value from individual vulnerabilities, with less effort needed to develop working exploits.

The rise in network perimeter device exploitation was also observed by Google’s Mandiant division, which specializes in incident response investigations. In its own annual report, Mandiant noted that vulnerability exploitation remained the top initial access method in 2024 and that vulnerabilities in security and networking appliances were at the top of the list of exploited flaws.
Goals and motivations behind zero-day exploitation: Cyberespionage groups were responsible for the largest number of zero-days last year (17), with Chinese groups responsible for five, North Korea for five, Russia for one, and South Korea for one. North Korea is a special case because its APT groups engage in both cyberespionage and financially motivated crimes to fund the regime. Another two zero-day flaws were attributed to Russian groups that are not state affiliated but also engage in both financial crimes and cyberespionage. Three zero-days were used in cyberespionage attacks that did not reveal enough information to determine where the attackers were located. Commercial surveillance vendors (CSVs) were responsible for eight zero-days, followed by non-state-backed financially motivated groups with five.

“We attributed the exploitation of 34 zero-day vulnerabilities in 2024, just under half of the total 75 we identified in 2024,” the GTIG researchers wrote. “While the proportion of exploitation that we could attribute to a threat actor dipped slightly from our analysis of zero-days in 2023, it is still significantly higher than the ~30% we attributed in 2022.”

As far as the types of flaws go, the most common were use-after-free memory issues (8), followed by OS command injection (8) and cross-site scripting (XSS) issues (6). Command and code injection weaknesses were encountered almost exclusively in network and security appliances and software. Remote code execution and privilege escalation were the most common impacts of the zero-day flaws identified in 2024.

“Defending against zero-day exploitation continues to be a race of strategy and prioritization,” the GTIG team said. “Not only are zero-day vulnerabilities becoming easier to procure, but attackers finding use in new types of technology may strain less experienced vendors. While organizations have historically been left to prioritize patching processes based on personal or organizational threats and attack surfaces, broader trends can inform a more specific approach alongside lessons learned from major vendors’ mitigation efforts.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3973769/enterprise-specific-zero-day-exploits-on-the-rise-google-warns.html