UK cybersecurity experts have warned that threat actors are increasingly targeting insecure self-hosted products at the corporate network perimeter.
The National Cyber Security Centre (NCSC) claimed in a blog post late last week that network defenders must up their game and adapt to the evolving threat.
“Attackers have realised that the majority of perimeter-exposed products aren’t ‘secure by design’, and so vulnerabilities can be found far more easily than in popular client software,” explained the agency’s technical director for platforms research, David C.
“Furthermore, these products typically don’t have decent logging (or can be easily forensically investigated), making perfect footholds in a network where every client device is likely to be running high-end detective capabilities.”
Increasingly, threat actors are finding zero-day vulnerabilities in these products, a category that includes file transfer applications, firewalls and VPN gateways.
“Finding zero-day / new vulnerabilities might sound highly advanced, but many of these are well-understood classes of web vulnerability and are trivial to find and exploit,” continued David C.
“Once a vulnerability is known, other attackers join resulting in mass exploitation.”
A joint advisory from the Five Eyes intelligence partnership last Thursday warned of widespread exploitation of several vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways in recent months.
In many ways, attacks have come full circle from what David C describes as “the early years of the internet,” when attackers found simple vulnerabilities in perimeter products and took advantage of poor passwords on login services.
“As more organisations went online, defenders got better at locking down their perimeters, conducting vulnerability scans, and patching systems. Attackers also realised that targeting user devices directly meant getting immediate access to the files and resources that a user had access to,” he explained.
“Consequently, many attackers stopped bothering with the perimeter, and instead moved to the rich oceans of client software and phishing emails.”
However, while this initially led to huge numbers of compromises, the vendor community eventually caught up by building defence-in-depth and secure-by-design measures, such as sandboxes and memory-safe languages, into client software.
This has pushed attackers back towards the perimeter, alongside phishing for credentials and access to cloud data, the NCSC said.
Four Steps to Better Perimeter Security
The agency’s advice to network defenders is therefore:
- Start demanding secure-by-design products from vendors
- If vendors can’t give these assurances, choose cloud-hosted versions
- If a self-hosted perimeter product is essential, reduce risk by turning off – or blocking at the firewall – any unnecessary interfaces, portals or services of internet-facing software
- Ensure any perimeter products developed in house are secure by design
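One practical way to act on the third point, and to measure progress towards the NCSC's stated goal of a perimeter scan with no ports found accessible, is to scan your public address range from outside and compare the result against an explicit allowlist of what is meant to be reachable. The check below is example code written for this article, not NCSC tooling. It parses nmap's grepable (`-oG`) output, whose record layout is assumed from nmap's documented format, and flags every accessible port that is not on the allowlist. The addresses, ports and scan lines are constructed sample data in an RFC 5737 test range, not a real scan.

```python
"""Compare an nmap grepable (-oG) perimeter scan against an allowlist of
intended exposures and report everything else.

Example check written for this article (not NCSC code). The scan output and
addresses below are constructed sample data, not real results.
"""
from dataclasses import dataclass
from typing import Iterable

# nmap states meaning the port answered, or could not be proven closed.
EXPOSED_STATES = {"open", "open|filtered"}


@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    proto: str
    state: str
    service: str


def parse_grepable(lines: Iterable[str]) -> list[PortResult]:
    """Parse the 'Host: ...\\tPorts: ...' records of nmap -oG output.

    Each port entry is port/state/proto/owner/service/rpc/version/ (assumed
    from nmap's grepable format). '# Nmap ...' comment lines and
    'Status: Up' records carry no ports and are skipped.
    """
    results: list[PortResult] = []
    for line in lines:
        if not line.startswith("Host:"):
            continue
        fields = line.rstrip("\n").split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        for entry in ports_field[len("Ports:"):].split(","):
            entry = entry.strip()
            if not entry:
                continue
            parts = entry.split("/")
            if len(parts) < 5:
                raise ValueError(f"malformed port entry: {entry!r}")
            results.append(PortResult(host, int(parts[0]), parts[2], parts[1], parts[4]))
    return results


def unexpected_exposures(results: Iterable[PortResult],
                         allowlist: dict[str, set[tuple[int, str]]]) -> list[PortResult]:
    """Return accessible ports not covered by the allowlist.

    allowlist maps host -> {(port, proto), ...} that are meant to be reachable.
    A host absent from the allowlist is expected to expose nothing at all.
    """
    return [
        r for r in results
        if r.state in EXPOSED_STATES
        and (r.port, r.proto) not in allowlist.get(r.host, set())
    ]


# Constructed sample of nmap -oG output (not a real scan).
SAMPLE_SCAN = """# Nmap 7.94 scan initiated (constructed sample, not a real scan)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8443/open/tcp//https-alt///\tIgnored State: filtered (997)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 8200/closed/tcp//trivnet1///\tIgnored State: filtered (998)
Host: 203.0.113.12 ()\tPorts: 500/open|filtered/udp//isakmp///\tIgnored State: open|filtered (999)
# Nmap done (constructed sample)
""".splitlines()

# Hypothetical policy: only the VPN gateway's HTTPS portal may face the internet.
# An SSH management port and an admin portal on 8443 are exactly the kind of
# "unnecessary interfaces" the advice says to turn off or block at the firewall.
INTENDED_EXPOSURE: dict[str, set[tuple[int, str]]] = {"203.0.113.10": {(443, "tcp")}}


def check_perimeter(scan_lines: Iterable[str] = SAMPLE_SCAN,
                    allowlist: dict[str, set[tuple[int, str]]] = INTENDED_EXPOSURE) -> list[PortResult]:
    """Run the check; an empty result means the perimeter matches policy."""
    return unexpected_exposures(parse_grepable(scan_lines), allowlist)


if __name__ == "__main__":
    findings = check_perimeter()
    for f in findings:
        print(f"UNEXPECTED {f.host} {f.port}/{f.proto} ({f.service}) state={f.state}")
    print("perimeter matches policy" if not findings else f"{len(findings)} unexpected exposure(s)")
    raise SystemExit(1 if findings else 0)
```

Feed it a real scan with something like `nmap -sS -p- -oG perimeter.gnmap <your public range>` run from outside your network, and pass the file's lines to `check_perimeter` in place of the sample. The allowlist makes the policy explicit: the NCSC's end state of "no ports found accessible" is simply an empty allowlist, at which point any accessible port at all is a finding. Treating `open|filtered` as exposed is deliberate; a UDP service you cannot prove is closed still has to be justified or blocked.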
“Sadly, the days where a fully patched perimeter meant you were safe from all but the most advanced attackers are long gone,” David C concluded.
“Anything on your perimeter, even fully patched, is increasingly in the firing line, and unless you have evidence that it can withstand attacks, you should consider removing it. We are entering the days where organisations need to start aiming for a perimeter scan with no ports found accessible.”