Edge devices and services, together with network infrastructure devices, are increasingly the starting point for mass exploitation attacks.
The growth of mass exploitation compromises and the increased criminal targeting of edge and infrastructure devices are both well observed, and the two often go together. Mandiant’s M-Trends 2024 report notes that nation state actors from both Russia and China, and criminal groups such as FIN11, all use edge devices, often compromised through zero-day vulnerabilities, in their operations.
Forescout’s Riskiest Devices 2024 report notes that the riskiest devices in 2023 were endpoints, but are now network infrastructure devices. Infrastructure devices and edge devices are often treated as synonymous because they share one overriding characteristic: they are exposed to the internet.
Now WithSecure research (PDF) quantifies this process and explains the criminal attraction. The research analyzes three primary signals of vulnerability severity and exploitation: the CVE’s CVSS score, its EPSS rating (the predicted probability that it will be exploited), and whether the CVE has been added to CISA’s KEV list (evidence that it actually has been).
It finds an upward trend in edge CVEs added to the KEV list, contrasting with a dramatic downward trend in non-edge CVEs being added in 2024. More specifically, edge-related additions have risen from 2 per month in 2022 to 4.75 per month in 2024, while non-edge additions have fallen from 5.36 per month in 2023 to 3 per month in 2024.
The CVSS rating for edge-related CVEs is consistently high: the median score for edge CVEs is 9.8, against 8.8 for non-edge CVEs.
EPSS percentiles paint a similar picture. Taking the 97.5th percentile as a breakpoint, more than 67% of edge-related CVEs sit above it, compared with only 35% of non-edge CVEs.
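As an added example (not code from the WithSecure report or this article), the following Python reproduces the kind of KEV comparison described above on a small constructed dataset: it classifies KEV entries as edge or non-edge by product keyword, then computes additions per month, median CVSS and the share above an EPSS percentile breakpoint for each group and year. All CVE identifiers, products, dates and scores are invented, and the keyword list, the `months_covered` normalisation and the 97.5th-percentile cut are assumptions of the example, not the report's method.

```python
"""Added example, not code from the WithSecure report or this article: a toy
version of the edge vs non-edge KEV comparison, run over a constructed
dataset. Every CVE ID, product, date and score below is invented."""
from dataclasses import dataclass
from datetime import date
from statistics import median

# Assumption of this example: classify by product keyword. A real analysis
# would use a curated list of edge vendors/products (firewalls, VPNs, ...).
EDGE_PRODUCT_KEYWORDS = ("vpn", "firewall", "gateway", "router", "load balancer")


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    product: str
    date_added: date        # date the CVE was added to the KEV list
    cvss: float             # CVSS base score
    epss_percentile: float  # EPSS percentile as a fraction, 0.0-1.0


def is_edge(entry: KevEntry) -> bool:
    """True if the affected product looks like an internet-facing edge device."""
    name = entry.product.lower()
    return any(keyword in name for keyword in EDGE_PRODUCT_KEYWORDS)


def summarize(entries, year, months_covered=12, epss_breakpoint=0.975):
    """Per-group statistics for KEV additions in `year`.

    months_covered normalises a partial year (e.g. data collected to mid-year)
    to a per-month rate; epss_breakpoint is the percentile cut (0.975 = the
    97.5th percentile used in the text).
    """
    groups = {"edge": [], "non_edge": []}
    for entry in entries:
        if entry.date_added.year == year:
            groups["edge" if is_edge(entry) else "non_edge"].append(entry)

    summary = {}
    for name, group in groups.items():
        if not group:  # nothing added for this group in this year
            summary[name] = {"count": 0, "per_month": 0.0,
                             "median_cvss": None, "share_high_epss": None}
            continue
        high_epss = sum(1 for e in group if e.epss_percentile >= epss_breakpoint)
        summary[name] = {
            "count": len(group),
            "per_month": len(group) / months_covered,
            "median_cvss": median(e.cvss for e in group),
            "share_high_epss": high_epss / len(group),
        }
    return summary


def kev_trend(entries, years_to_months):
    """(edge, non-edge) additions per month for each year in years_to_months,
    a mapping of year -> number of months of data covered."""
    trend = {}
    for year, months in years_to_months.items():
        stats = summarize(entries, year, months)
        trend[year] = (stats["edge"]["per_month"], stats["non_edge"]["per_month"])
    return trend


# Constructed sample data (invented CVE IDs, products, dates and scores).
SAMPLE_KEV = [
    KevEntry("CVE-2023-00001", "Acme SSL VPN", date(2023, 1, 10), 9.8, 0.99),
    KevEntry("CVE-2023-00002", "Acme Firewall", date(2023, 3, 2), 9.8, 0.98),
    KevEntry("CVE-2023-00003", "Widget CMS", date(2023, 2, 14), 8.8, 0.90),
    KevEntry("CVE-2023-00004", "Widget Office Suite", date(2023, 5, 20), 7.8, 0.60),
    KevEntry("CVE-2023-00005", "Widget Browser", date(2023, 9, 1), 8.8, 0.99),
    KevEntry("CVE-2024-00001", "Acme SSL VPN", date(2024, 1, 15), 9.8, 0.995),
    KevEntry("CVE-2024-00002", "Acme Edge Router", date(2024, 2, 8), 9.8, 0.99),
    KevEntry("CVE-2024-00003", "Beta Mail Gateway", date(2024, 4, 22), 9.1, 0.97),
    KevEntry("CVE-2024-00004", "Beta Load Balancer", date(2024, 6, 30), 10.0, 0.98),
    KevEntry("CVE-2024-00005", "Widget CMS", date(2024, 3, 11), 8.8, 0.80),
    KevEntry("CVE-2024-00006", "Widget Office Suite", date(2024, 8, 5), 7.8, 0.50),
]


if __name__ == "__main__":
    for year in (2023, 2024):
        print(year, summarize(SAMPLE_KEV, year))
    print("per-month trend (edge, non-edge):", kev_trend(SAMPLE_KEV, {2023: 12, 2024: 12}))
```

On the constructed data the edge group's per-month rate doubles from 2023 to 2024 while the non-edge rate falls, the edge median CVSS stays at 9.8, and three of the four 2024 edge entries sit above the EPSS breakpoint; swap in a real KEV export and EPSS feed (and a proper edge-product list) to run the same comparison for real.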
In reality, CVEs and their CVSS and EPSS scores alone are not reliable sources of truth, given the enrichment problems the NVD has suffered in 2024. That the figures reflect the KEV list, which records confirmed exploitation rather than predicted severity, is therefore the telling part. Add the known and continuing growth in vulnerabilities, and Mandiant’s observation that edge-related mass exploitation often starts with a zero-day exploit, and such events appear likely to continue, if not increase, and will be difficult to predict and prevent.
The WithSecure research also delves into the criminal attraction of edge-related mass exploitation. The primary driver is simple and obvious: one exploit methodology reused across many targets, or one compromise yielding many victims. Put simply, more bang for your buck.
The attraction of edge devices comes from easier entry (by definition they are exposed to the internet and can be attacked remotely) and from easier and greater stealth once compromised (they are usually a black box by design).
Because they provide a continuous service, they are rarely switched off. Vendors design them for continuity and purposely restrict administrator control to a predefined set of options; going beyond those can void warranties. They frequently produce no activity logs that a SIEM can analyze, and standard security controls such as endpoint agents cannot monitor them.
In this sense they resemble OT with its demand for continuity: why fix something that ain’t broke? Until it is broke, by which time it is probably too late. The result is that edge devices and services often contain software components that are decades old, running on operating systems long past end of life; they are effectively cybersecurity’s forgotten man. Once inside, an attacker is hidden and can plan and execute the attack over time and out of sight.
“Edge services are often internet accessible, unmonitored, and provide a rapid route to privileged local or network credentials on a server with broad access to the internal network,” says the report.
Initial access is further supported by the increasing professionalization and separation of roles within the criminal underworld, in this case through initial access brokers (IABs). The research describes this as the industrialization of access: brokers scan the internet for devices with known vulnerabilities, obtain access, and sell that access to other actors to exploit.
The inevitable conclusion from the WithSecure research is that the observed increase in mass exploitation of edge services and devices is borne out by the vulnerability statistics and by the increasing professionalization of the criminal underworld, and is likely to worsen. The approach is attractive both to financially motivated criminal gangs and to more sophisticated nation state actors, who most likely do not need IABs: they can find their own zero-day vulnerabilities to attack specific targets.
“The KEV list research shows that actual exploitation of infrastructure and edge services is increasing while exploitation of non-edge services is decreasing,” Stephen Robinson, senior threat intelligence analyst at WithSecure, told SecurityWeek. “I didn’t expect that; it’s strange to see that non-edge exploitations are decreasing. This means that anyone who is managing firewalls, edge services, switches, routers, or whatever, does indeed need to be a bit more paranoid about them,” he added.
“These attacks are increasing because vulnerabilities are being found more rapidly and are becoming more severe. Attackers are looking for the best and easiest way to compromise victims, and currently edge services exploitation is a definite growth market. And if it is a growth market for attackers, it needs to be a growth market for defenders.”