Zero days weaponized on edge devices and servers: rethink your risks
Last month saw several zero-day vulnerabilities disclosed or discovered only after being actively exploited in the wild for weeks.
Although that is not new in itself, these vulnerabilities affect network devices and applications widely deployed in enterprise environments, and the exploits typically require no authentication, no user interaction and nothing more than access to a publicly reachable network port.
Threat actors are particularly focused on networking devices and application servers that count as "edge devices," meaning they are exposed to the internet through published ports (for example, TCP port 443). If an attacker successfully exploits a vulnerability on such a system, they gain initial access without any human interaction, so none of the usual user-facing signals (a phishing report, a suspicious attachment) are there to trigger detection.
Two such examples from July include:
CVE-2023-3519: an unauthenticated Remote Code Execution (RCE) vulnerability in Citrix NetScaler ADC (and NetScaler Gateway) products. Usually deployed as public-facing reverse proxies, ADCs (Application Delivery Controllers) are a key component of enterprise and cloud data centers, ensuring the availability, security and performance of applications. Although there is no public PoC for this vulnerability at present, threat actors appear to have discovered and weaponized it to deploy web shells across several organizations back in June, before a patch existed. Only customer-managed appliances are affected, and only when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server; Citrix-managed services were mitigated by Citrix itself. Note that patching does not remove a web shell that is already in place, so patched appliances still need to be checked for files added to their web directories since the last legitimate update.
CVE-2023-35078: an authentication bypass in the API of Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core, that lets an unauthenticated remote attacker read users' PII, add administrative accounts and change the configuration. EPMM is an MDM solution deployed and managed by customers as a virtual appliance, and, crucially, the appliance is exposed to the internet so that managed mobile devices can enroll and check in. The first known attacks occurred in early July against a number of Norwegian government agencies; at that time Ivanti appears not to have been aware of the flaw in its software. Since thousands of vulnerable servers are exposed worldwide, including in Europe, it is highly likely that other organizations have already fallen victim or will. Importantly, a second critical vulnerability (CVE-2023-35081) has since been reported in the same product: it allows an authenticated administrator to write files to the server, including a web shell that provides persistent access. Chaining the two (create an administrator through the bypass, then use that administrator to write a web shell) takes an attacker from no credentials at all to persistent code execution on the appliance, which is what makes the pair such an attractive attack chain.
Besides targeting "edge" public-facing appliances and applications, attackers are also focusing on the popular applications employees use every day. Zero-days there are particularly valuable, because a single bug reaches millions of users.
That is the case for both Apple and Microsoft software, where several vulnerabilities were added to CISA's Known Exploited Vulnerabilities (KEV) catalog during July:
Apple devices (such as the iPhone) are still receiving urgent patches for vulnerabilities connected with Operation Triangulation, a sophisticated mobile cyber-espionage campaign targeting iOS devices. Although the most critical vulnerabilities in the attack chain were already patched in June, Apple is still scrambling to fix others tied to the same campaign, notably CVE-2023-38606.
Microsoft Office applications are among the most popular business apps on the planet, so it is no surprise that July brought fixes for several vulnerabilities in Word and Outlook that were already being exploited to get malicious attachments past users and defenses (CVE-2023-36884 and CVE-2023-35311).
Several lessons learned (beyond the trivial "patch your stuff" advice):
Edge devices such as ADCs, firewalls, VPN gateways and public-facing management applications (such as MDMs) will increasingly be targeted and hunted for zero-days. Where possible, they should be monitored with EDR and other inspection technology, because exploitation may begin before a patch, or even an advisory, exists (although, as we all know, such devices rarely support EDR agents). Where an agent is not an option, use what the device does give you: forward its logs off-box, baseline and periodically re-check the integrity of its filesystem and web directories, and alert on outbound connections the appliance has no business making.
Organizations should prefer to consume publicly exposed services as SaaS managed by the vendor (for example, a SASE architecture for network security functions). Repeatedly, it turns out that SaaS offerings get better attention from vendors, because the vendor is on the hook for patching and its service revenue and application availability are directly threatened. Vendors typically notice early exploitation attempts much sooner than on-prem customers do, and can react much faster with patches. Contrast that with the slow patching of on-prem edge devices in the region, such as Fortinet appliances, or the catastrophic result of the slow patching of Rackspace's hosted Exchange servers versus Exchange in Microsoft 365 (SaaS).
Client applications (such as those from Microsoft and Apple) should be patched automatically and, ideally, also consumed as SaaS. For example, updating Office as part of a Microsoft 365 subscription is more straightforward and makes deploying security patches easier, reducing the chance of skipping updates, as often happens with traditionally licensed Office packages.
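The first lesson above is that appliances which cannot run EDR still need some form of inspection, and both July cases ended with a web shell dropped into the appliance's web directories. The script below is an added example (not code from the article, Citrix or Ivanti) of the cheapest useful control for that gap: a hash baseline of a web root taken from a known-good state, a later comparison that reports new, modified and deleted files, and a content scan of the new or changed files for strings typical of JSP/PHP/ASPX web shells. The directory layout, the sample files and the marker list are constructed for the demonstration; on a real appliance you would take the baseline right after a clean install or upgrade, store it off-box, and run the comparison over a filesystem copy pulled over SSH or from a snapshot.

```python
"""File-integrity check for an appliance web root (added example, not vendor code).

Baseline = {relative path: sha256}. Stored off-box in practice, because an attacker
with a web shell can alter anything kept on the appliance itself.
"""
import hashlib
import json
import os
import re
import tempfile

# Strings commonly seen in JSP/PHP/ASPX web shells. This list is an assumption for
# the demo; tune it to the stack of the appliance you are checking.
SHELL_MARKERS = re.compile(
    rb"(Runtime\.getRuntime\(\)\.exec|ProcessBuilder|eval\s*\(|base64_decode|"
    rb"Request\.(?:Form|QueryString)|cmd\.exe|/bin/sh)",
    re.IGNORECASE,
)


def sha256_file(path):
    """Hash a file in chunks so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative path: sha256} for every regular file below root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def scan_for_markers(path):
    """Return the first web-shell marker found in the file, or None."""
    with open(path, "rb") as f:
        match = SHELL_MARKERS.search(f.read())
    return match.group(0).decode(errors="replace") if match else None


def compare(root, baseline):
    """Diff the current tree against the baseline.

    Hashes rather than mtimes are used deliberately: timestamps are trivial to
    forge, a content hash is not.
    """
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append({"path": rel, "status": "new",
                             "marker": scan_for_markers(os.path.join(root, rel))})
        elif baseline[rel] != digest:
            findings.append({"path": rel, "status": "modified",
                             "marker": scan_for_markers(os.path.join(root, rel))})
    for rel in baseline:
        if rel not in current:
            findings.append({"path": rel, "status": "deleted", "marker": None})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed scenario: clean baseline, then an attacker drops a JSP shell and
    edits an existing page. Returns the findings list for inspection."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ui"))
        with open(os.path.join(root, "ui", "index.jsp"), "w") as f:
            f.write("<html><body>login</body></html>\n")
        with open(os.path.join(root, "ui", "style.css"), "w") as f:
            f.write("body { color: black; }\n")
        baseline = build_baseline(root)  # would be written to off-box storage here

        # Simulated compromise (constructed content, not a real exploit artifact).
        with open(os.path.join(root, "ui", "help.jsp"), "w") as f:
            f.write('<%@ page import="java.io.*" %>'
                    '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
        with open(os.path.join(root, "ui", "index.jsp"), "a") as f:
            f.write("<!-- harmless edit -->\n")
        return compare(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The output of `demo()` flags `ui/help.jsp` as new with the marker `Runtime.getRuntime().exec`, and `ui/index.jsp` as modified with no marker. The marker scan is only a triage aid: a "new" file in a web directory that the vendor's own upgrade did not put there deserves a look whether or not it matches a pattern, and anything flagged "modified" that is not explained by a documented update should be treated as a possible compromise rather than noise.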