Volume of attacks on network devices shows need to replace end of life devices quickly

- CVE-2023-1389, a vulnerability in the TP-Link Archer AX21 router;
- CVE-2024-3400, a hole in the Palo Alto Networks PAN-OS firewall operating system;
- CVE-2023-36845, a vulnerability in the Juniper Networks Junos OS operating system;
- CVE-2021-44529, a vulnerability in the Ivanti Endpoint Manager Cloud Service Appliance;
- CVE-2023-38035, a hole in the Ivanti Sentry security gateway;
- CVE-2024-36401, a vulnerability in OSGeo GeoServer;
- CVE-2024-0012, a vulnerability in the Palo Alto Networks PAN-OS operating system.

Many threat actors are still profiting from breaking into networks through old and unpatched holes, the report added. It said that four of the top 12 common vulnerabilities (CVEs) attackers used in attacks were published a decade ago. They include:

- four Log4j2 vulnerabilities disclosed early in 2021, which accounted for 36% of the top targeted vulnerabilities;
- four vulnerabilities in the GNU Bash language disclosed in 2014, which accounted for 31% of the top targeted vulnerabilities. Bash is a common command-line shell used in many Linux/UNIX systems and older macOS versions. This group of vulnerabilities is collectively called Shellshock;
- two vulnerabilities in the PHP language, one of which was disclosed in 2017 and the other last year, which accounted for 17% of the top targeted holes.

These are, however, the vulnerabilities most used in attempts, and not a measure of which were successful, the report stressed.

Still, the report authors said, the numbers are “a stark reminder that threat actors frequently target unpatched systems, and failure to apply security updates leaves organizations vulnerable to many attacks that could otherwise be prevented.”

That conclusion matches very much what the SANS Institute is seeing from its Internet Storm Center sensors, said Johannes Ullrich, the institute’s dean of research. “Currently the number one vulnerability we see exploited is just about two years old to the day (CVE-2023-26801, a vulnerability in LB-Link wireless routers) followed by CVE-2022-30023, an authenticated command injection on Tenda HG9 routers.”

“I think the issue is most obvious when looking at how consistent the passwords are that attackers are attempting to brute force,” Ullrich added. “This [vulnerabilities] list has not changed much in probably 20 years. The reason for it is simple: People have a hard time patching. In particular home devices and routers are usually only patched by a power surge forcing the user to replace them,” he said.

Risk from Log4j holes may last a decade: Apache’s Log4j logging library is one of the most widely used open-source programs in the world, the report notes. “While the four vulnerabilities, collectively known as ‘Log4Shell,’ were patched shortly after discovery, they will likely pose a long-term risk for organizations because Log4j is so deeply embedded in the software supply chain.” The US Department of Homeland Security, the report stressed, estimates it will take at least a decade to find and fix every vulnerable instance.

The special concern about PHP is because between 75% and 80% of the world’s two billion websites rely on the language, including popular sites like Facebook and Wikipedia and e-commerce platforms like Etsy and Shopify, the report says.

The Shellshock vulnerability is a concern because Bash is integrated deeply into applications and system processes globally, says the report. It also points out that many web servers, routers and internet-of-things (IoT) devices rely on Bash to execute commands, meaning that vulnerable devices connected to the internet are potential targets. “These hardware components are often less frequently updated or harder to patch, especially in industrial or critical infrastructure settings,” the report noted.

Shellshock’s direct consequences may not have been as catastrophic as other high-profile breaches and cyber attacks, the report authors admit, but it is a persistent problem. For example, in 2019, Talos discovered a global state-sponsored espionage campaign called “Sea Turtle” that manipulated DNS records to gain access to sensitive systems. The adversary relied on several vulnerabilities, including Shellshock, to gain initial access. “While other confirmed public examples of state-sponsored cyber actors targeting Shellshock are limited, it’s very likely that other advanced actors have attempted to exploit Shellshock,” says the report.
Many well-known adversaries like the Russian state-sponsored group APT28 and North Korean state-sponsored Lazarus Group exploit critical vulnerabilities in widely used software, making Shellshock a likely tool in their broader espionage and attack campaigns, say the authors.

Mitigating the threats: In the report, Talos offered its top 10 tips for securing network devices. It recommends:
- Update devices “as aggressively as possible”, including patching current hardware and software against known vulnerabilities and replacing EOL hardware and software.
- Implement robust authentication methods, using multifactor authentication, complex passwords and community strings, and avoiding default credentials.
- Adhere to security best practices, including conducting regular updates, managing access controls, implementing user education, and enforcing network segmentation.
- Encrypt all monitoring and configuration traffic.
- Stay informed and up-to-date on security advisories from government and industry, and take suggested steps to mitigate the flaws they reveal.
- Lock down and actively monitor credential systems, such as TACACS+ and any jump hosts.
- Store configurations centrally and push to devices rather than allowing devices to be the trusted source for their own configurations.
- Use authentication, authorization, and accounting (AAA) to deny configuration changes for key device protections, such as local accounts, TACACS+, and RADIUS.
- Monitor your environment for unusual changes in behavior or configuration such as exposure of administrative or unusual interfaces, and monitor logs for unusual activities.
- Profile device baselines to identify any changes, and fingerprint network devices via NetFlow and port scanning for shifts, including changes in ports opening or closing and in inbound and outbound traffic.
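The last two tips (watch for newly exposed administrative interfaces, and compare device fingerprints against a stored baseline) combined with the first (replace EOL hardware), as an added Python example that is not from the article or from Talos. Device names, port sets and end-of-life dates are constructed, and the set of "administrative" ports is an assumption to tune per estate.

```python
from datetime import date

# Constructed sample data, not from the article: open TCP ports per device
# in the stored baseline and in a newer scan of the same estate.
BASELINE = {
    "edge-rtr-1": {22, 443},
    "core-sw-2": {22},
    "fw-dmz-1": {443},
}
CURRENT = {
    "edge-rtr-1": {22, 23, 443},   # telnet newly exposed
    "core-sw-2": set(),            # ssh gone: device down or reconfigured?
    "fw-dmz-1": {443, 8443},       # alternate HTTPS admin port appeared
    "cam-lobby-7": {80},           # device absent from the baseline
}
# Constructed vendor end-of-life dates (assumption: kept in your inventory);
# a drifting device that can no longer be patched is a replacement candidate.
EOL_DATES = {"edge-rtr-1": date(2022, 6, 30), "core-sw-2": date(2028, 1, 1)}

# Ports commonly carrying device administration; newly opened ones are rated
# higher (assumption: tune this set to your own estate).
ADMIN_PORTS = {22, 23, 80, 443, 161, 8080, 8443}

def diff_ports(baseline, current):
    """Compare two snapshots; return (device, event, port) tuples for drift."""
    findings = []
    for device in sorted(set(baseline) | set(current)):
        before, after = baseline.get(device), current.get(device)
        if before is None:                      # never seen before
            findings.append((device, "new-device", None))
            before = set()
        if after is None:                       # vanished from the scan
            findings.append((device, "missing-device", None))
            after = set()
        for port in sorted(after - before):
            kind = "admin-port-opened" if port in ADMIN_PORTS else "port-opened"
            findings.append((device, kind, port))
        for port in sorted(before - after):
            findings.append((device, "port-closed", port))
    return findings

def prioritize(findings, eol_dates, today):
    """Tag each finding 'replace' if its device is past EOL, else 'patch'."""
    return [(dev, ev, port, "replace" if eol_dates.get(dev, date.max) < today else "patch")
            for dev, ev, port in findings]

if __name__ == "__main__":
    for row in prioritize(diff_ports(BASELINE, CURRENT), EOL_DATES, date(2025, 4, 1)):
        print(row)
```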

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3951165/volume-of-attacks-on-network-devices-shows-need-to-replace-end-of-life-devices-quickly.html
