Introducing new Vectra AI Platform coverage for Copilot and Microsoft Azure

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Zero Day

Zero-Day Attacks on Network Edge Devices: Why NDR Matters

November 28, 2024
Lucie Cardiet
Product Marketing Manager
Zero-Day Attacks on Network Edge Devices: Why NDR Matters

Zero-day vulnerabilities in network edge devices are rapidly becoming one of the most exploited means of entry into organizational networks. A recent advisory by the cybersecurity agencies of the Five Eyes alliance (U.S., U.K., Australia, Canada, and New Zealand) highlights this alarming trend, marking a shift from previous years. For the first time, the majority of the top 15 most exploited vulnerabilities were initially exploited as zero-days, including critical flaws in Citrix NetScaler, Fortinet VPNs, and Cisco routers. Reports revealed that adversaries, including suspected nation-state actors, used these vulnerabilities to compromise thousands of devices, gaining persistent access and planting webshells for long-term control.

This surge underscores a concerning "new normal," where attackers prioritize exploiting newly disclosed zero-day vulnerabilities to infiltrate networks.

Implementing Network Detection and Response (NDR) solutions is essential to detect post-compromise activities and mitigate the risks associated with these sophisticated attacks.

The escalating threat landscape

Attackers are increasingly focusing on network edge devices as entry points into organizational networks. These devices are attractive targets because they often reside at the boundary between trusted and untrusted networks, and compromising them can grant attackers a foothold inside the network.

The following examples highlight the growing trend of zero-day exploits targeting these critical systems:

  • Palo Alto Zero-Days: allows for unauthenticated remote code execution, effectively giving attackers full control over the firewall without any prior authentication.
  • Ivanti (Pulse Secure) Breaches: Authentication bypass vulnerabilities allowed attackers to infiltrate networks undetected.
  • Citrix ADC Exploits: Remote code execution vulnerabilities led to significant breaches in enterprise environments.
  • SonicWall Zero-Days: Unpatched vulnerabilities were exploited to compromise secure remote access devices.
  • Fortinet Vulnerabilities: Critical zero-day flaws were exploited to gain control over Fortinet firewall systems, undermining network defenses.
  • F5 BIG-IP Vulnerability: Critical remote code execution vulnerability exploited to gain administrative control over the devices, leading to potential full network compromise.
Timeline of major vulnerabilities and disclosures in recent years.
Timeline of major vulnerabilities and disclosures in recent years.

These cases demonstrate that even trusted security devices can become liabilities. When attackers breach these systems, they can manipulate or disable security features, rendering traditional controls ineffective.

The limitations of compromised edge devices

Traditional security tools often cannot detect malicious activities originating from trusted devices like firewalls. Since these devices are considered secure by default, anomalous behaviors may go unnoticed. Once compromised, these devices can be used with impunity to pivot throughout the organization, becoming powerful tools for attackers to escalate their activities.

When a network edge device like a firewall is compromised, it undermines the very foundation of network security. Attackers can manipulate or disable security features, alter configurations, and access sensitive data stored within the device. For instance, after exploiting CVE-2024-3400, attackers were able to:

  • Dump firewall configurations: Gaining insights into network architecture, IP address ranges, and authentication mechanisms.
  • Harvest credentials: Firewalls and remote access services often hold privileged credentials to the Domain and other organizational services. These credentials can be extracted and used for privilege escalation, giving attackers deeper access into critical systems.
  • Disable logging and alerts: Preventing detection by suppressing security notifications.
If you want to learn more about the technicalities of the CVE-2024-3400 vulnerability, its impact on various PAN-OS versions,  the urgency behind the ongoing patching efforts, watch our Threat Briefing.

Post-compromise activities: what happens next

Once inside the network, attackers typically engage in several post-compromise activities:

1. Reconnaissance

Attackers map the internal network to identify valuable assets and critical systems. They analyze network architecture, identify Active Directory structures, and pinpoint servers or databases with high-value information.

Example: In the SolarWinds attack, attackers used reconnaissance to map out affected organizations' Active Directory environments, identifying privileged accounts and sensitive resources to target.

2. Credential harvesting

Attackers extract credentials to escalate privileges and gain deeper access to the network. This often involves capturing stored passwords, leveraging credential dumping tools, or stealing credentials from configurations of compromised systems.

Example: Midnight Blizzard, a sophisticated threat group, used phishing and malware to steal high-privilege credentials, granting them access to sensitive email systems and cloud environments.

3. Lateral movement

Attackers use protocols like SMB, RDP, and WinRM to move between systems, escalating their foothold within the organization. They exploit trust relationships and weak access controls to spread to high-value targets.

Example: During the WannaCry ransomware attack, attackers exploited the EternalBlue vulnerability in SMB to laterally propagate across networks, infecting numerous endpoints.

4. Data exfiltration

Attackers collect and transfer sensitive data out of the network, often encrypting it or sending it to external servers under their control. The stolen data can be used for extortion, sold on the dark web, or leveraged for further attacks.

Example: The Clop ransomware group exploited the MOVEit Transfer vulnerability to steal sensitive data from hundreds of organizations, later using it to extort victims with threats of public exposure.

5. Establishing persistence

Attackers create backdoors to maintain ongoing access to the compromised network, ensuring they can return even after remediation efforts. This persistence can include webshells, malware implants, or manipulated accounts.

Example: In 2023, threat actors exploited a zero-day vulnerability in Citrix NetScaler ADC appliances (CVE-2023-3519) to implant webshells. These webshells provided persistent access, enabling attackers to perform discovery on the victim's Active Directory and collect and exfiltrate data.

In the case of a firewall exploit, attackers leverage the compromised device to initiate connections to multiple internal systems, targeting domain controllers, backup data protection keys, and user workstations.

The imperative for Network Detection and Response (NDR)

Considering these sophisticated attacks, relying solely on traditional security measures is insufficient. Organizations need an independent and comprehensive means of detecting malicious activities that bypass or originate from compromised devices. This is where Network Detection and Response (NDR) becomes crucial.

Why NDR is essential

  • Independent Threat Detection: NDR operates separately from endpoint security and compromised devices, ensuring continuous visibility.
  • Behavioral analysis: By analyzing network traffic patterns, NDR can identify anomalies indicative of reconnaissance, lateral movement, and other malicious activities.
  • Rapid detection: NDR solutions like Vectra AI utilize advanced machine learning models to detect threats in real-time, minimizing the window of opportunity for attackers.
  • Comprehensive coverage: NDR monitors all network traffic, including east-west (internal) communications often exploited during lateral movement.

How Vectra AI detects post-compromise activities

The Vectra AI platform is specifically designed to identify, investigate and respond to threats that have evaded or originated from compromised security infrastructure. Vectra AI’s Attack Signal Intelligence is leveraging advanced artificial intelligence (AI) and machine learning (ML) to analyze network traffic in real-time and detect subtle signs of malicious behavior.

Our Attack Signal Intelligence detects:

  • Suspicious administrative behavior: Detects unusual use of administrative protocols like WinRM, SSH, and RDP. If a device such as a firewall suddenly initiates connections using these protocols to internal systems—a behavior not observed previously—Vectra AI flags it as suspicious.
  • Suspicious remote execution: Monitors for remote execution activities using tools like PowerShell Remoting and PsExec. Anomalies in the use of these tools from unexpected sources are indicative of lateral movement.
  • Privilege access analytics: Analyzes Kerberos authentication patterns to detect abnormal access to services and hosts. If a compromised device begins accessing services or hosts it has not interacted with before, especially those requiring high privileges, Vectra AI identifies this as a potential threat.

Case in point: detecting a firewall exploit

In the scenario where attackers exploit a firewall vulnerability:

  • Anomalous traffic detection: Vectra AI would detect the firewall initiating unusual connections to internal systems using administrative protocols.
  • Credential abuse identification: The use of harvested credentials to access critical services would trigger alerts based on deviations from normal authentication patterns.
  • AI-driven triage: Vectra AI   AI-driven triage automatically triages detected threats, reducing noise and highlighting the most critical incidents for immediate response, enabling faster and more effective investigation.
  • AI-driven prioritization: Vectra AI's prioritization ensures that these critical threats are brought to the immediate attention of security teams for swift action. View our infographic on how Hybrid Attackers Move Beyond the Endpoint.

Beyond detection: the importance of rapid response

Detection is only the first step. Rapid response is crucial to contain threats and minimize damage.

Vectra AI's response capabilities

  • Automated actions: Vectra AI can automatically disable compromised user accounts or isolate affected hosts, limiting the attacker's ability to move laterally.
  • Integration with security ecosystem: Seamlessly works with existing security tools, such as firewalls and endpoint protection platforms, to enforce security policies.
  • Actionable insights: Provides detailed context and recommendations to aid security teams in investigation and remediation efforts.

Zero-day attacks targeting network edge devices represent a significant and evolving threat. Once attackers compromise these devices, they can navigate within the network undetected, rendering traditional security measures ineffective. Sometimes proactive measures as not enough, so implementing an NDR solution like Vectra AI is essential for:

  • Detecting post-compromise activities: Identifying malicious behaviors that occur after the initial breach.
  • Maintaining security visibility: Ensuring continuous monitoring even when primary defenses are compromised.
  • Enabling rapid response: Facilitating swift action to contain and remediate threats. Stay ahead of threats beyond the edge. Request a demo today to discover how you can detect and respond to attacks—even when your primary defenses are compromised.

Stay ahead of threats beyond the edge. Request a demo today to discover how you can detect and respond to attacks—even when your primary defenses are compromised.

FAQs