Cybersecurity Threat Advisory 0044-21: Botnets Version Hunting Perimeter Devices

Threat Update

Threat actors have been observed in the wild scanning for perimeter devices that are running vulnerable firmware versions and have not been updated with the security patches their vendors have released. Perimeter devices (firewalls, intrusion detection and prevention systems, and similar equipment) are an important layer of security for any network, and an attacker who can reach and exploit a vulnerable one can do significant damage to the network behind it. Devices from SonicWall, D-Link and Cisco, among others, have been targeted by these scans. SKOUT recommends ensuring all devices are updated regularly so that security patches are applied.

Technical Detail & Additional Information

WHAT IS THE THREAT?

Devices have been observed being scanned for firmware versions that have previously been reported as vulnerable. These scans identify targets by the version a device reports, matching it against versions with published vulnerabilities, which is why an unpatched device stands out to a botnet even before any exploit is attempted. For example, the packet capture referenced by this advisory (not reproduced in this text) shows a botnet scanning specifically for vulnerabilities in a D-Link product.
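A botnet version-hunting sweep of the kind described above tends to show up in perimeter logs as one source touching the management ports of many different devices in a short time. The following added detector (example code written for this advisory, not SKOUT's tooling or anything derived from the capture above) runs over a constructed connection log: the log line format, the addresses, and the set of ports treated as management ports are all assumptions for the example. It flags any source that reaches at least five distinct devices on management ports inside a sliding 60-second window, skips non-management ports, and tolerates malformed lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample connection log; the line format and the addresses are
# assumptions for this example, not data from the advisory's capture.
SAMPLE_LOGS = """\
2021-03-01T10:00:01Z fw-edge-01 src=203.0.113.7 dst=192.0.2.1 dport=443 proto=tcp action=allow
2021-03-01T10:00:03Z fw-edge-02 src=203.0.113.7 dst=192.0.2.2 dport=443 proto=tcp action=allow
2021-03-01T10:00:05Z fw-edge-03 src=203.0.113.7 dst=192.0.2.3 dport=443 proto=tcp action=allow
2021-03-01T10:00:07Z fw-edge-04 src=203.0.113.7 dst=192.0.2.4 dport=8443 proto=tcp action=allow
2021-03-01T10:00:09Z fw-edge-05 src=203.0.113.7 dst=192.0.2.5 dport=443 proto=tcp action=allow
2021-03-01T10:00:11Z fw-edge-06 src=203.0.113.7 dst=192.0.2.6 dport=443 proto=tcp action=allow
2021-03-01T10:00:12Z fw-edge-07 src=203.0.113.7 dst=192.0.2.7 dport=80 proto=tcp action=allow
2021-03-01T10:05:00Z fw-edge-01 src=198.51.100.10 dst=192.0.2.1 dport=443 proto=tcp action=allow
2021-03-01T10:06:00Z fw-edge-02 src=198.51.100.10 dst=192.0.2.2 dport=22 proto=tcp action=allow
this line is malformed and must be skipped
"""

# Ports treated as management ports; the set is an assumption for this example.
MGMT_PORTS = {22, 443, 8443}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=tcp"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def find_sweeps(lines, window_seconds=60, min_targets=5):
    """Return {src: set_of_targets} for every source that reached at least
    min_targets distinct devices on management ports inside any sliding
    window of window_seconds. Non-management ports and unparsable lines
    are ignored."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["dport"] in MGMT_PORTS:
            by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    sweeps = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Advance the window start past events older than window_seconds.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in events[start:end + 1]}
            if len(targets) >= min_targets:
                sweeps.setdefault(src, set()).update(targets)
    return sweeps


if __name__ == "__main__":
    for src, targets in find_sweeps(SAMPLE_LOGS.splitlines()).items():
        print(f"{src} swept {len(targets)} management interfaces: {sorted(targets)}")
```

On the sample data only 203.0.113.7 is flagged, with six targets: its seventh connection went to port 80 and is not counted, and the administrator at 198.51.100.10 touched only two devices. Thresholds should be tuned to the environment; a monitoring host that legitimately polls every firewall will need an allow-list.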

WHY IS IT NOTEWORTHY?

The vulnerabilities these scans target pose a significant threat to any company that uses SonicWall, D-Link, Cisco or other perimeter technologies. SonicWall alone is used and trusted by tens of thousands of companies, so attackers with knowledge of these vulnerabilities have a large pool of potential targets. In most cases the vendors have already pinpointed and patched the vulnerabilities; any company using these products should confirm that none of its devices is running an affected version, and any device found to be running one should be updated immediately.

WHAT IS THE EXPOSURE OR RISK?

If a perimeter device is exploited, the attacker holds a position at the boundary of the network with the device's own privileges. The damage can include installing a backdoor on the device, which lets the attacker bypass the security controls the device is supposed to enforce; reading files and email stored on the affected device, which may contain sensitive personal and company information; and using that foothold to gain administrative privileges inside the organization's network. That can lead to data compromise and to services becoming unavailable. The risk for customers running vulnerable versions of any perimeter device is very high, which is why keeping devices on the latest software, with security patches applied, is so important.

WHAT ARE THE RECOMMENDATIONS?

SKOUT recommends ensuring all devices are updated regularly so that security patches are applied. In practice that means keeping an inventory of every perimeter device with its model and firmware version, checking those versions against the fixed versions published in the vendor's advisories, and scheduling updates for anything that falls short. Where a device cannot be updated immediately, limit who can reach its management interfaces from the internet until it can.
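The check the previous two sections ask for, confirming that no device runs a version below the vendor's fixed version, is easy to get wrong when versions are compared as plain strings ("6.5.4.10" sorts before "6.5.4.8"). The following added audit script (example code written for this advisory, not a SKOUT or vendor tool) compares a constructed inventory against a baseline of minimum fixed versions; the model names, version numbers and inventory are all made up for the example and must be replaced with the real values from each vendor's advisory.

```python
import re

# Hypothetical baseline: the lowest firmware version that carries the fix,
# keyed by device model. Model names and versions are made up for this
# example; take the real values from the vendor's advisory for each product.
MIN_PATCHED = {
    "ExampleFW-100": "6.5.4.8",
    "ExampleRouter-2": "2.10.1",
}

# Constructed device inventory, as it might be exported from an asset list.
INVENTORY = [
    {"name": "fw-edge-01", "model": "ExampleFW-100", "version": "6.5.4.7"},
    {"name": "fw-edge-02", "model": "ExampleFW-100", "version": "6.5.4.10"},
    {"name": "rtr-branch-3", "model": "ExampleRouter-2", "version": "2.9"},
    {"name": "rtr-branch-4", "model": "ExampleRouter-2", "version": "2.10.1-hotfix"},
    {"name": "legacy-box", "model": "Unknown-9", "version": "1.0"},
]


def parse_version(version):
    """Turn a dotted version string into a tuple that compares the way a
    human reads it: '6.5.4.10' is newer than '6.5.4.8', although plain string
    comparison says the opposite. Numeric fields compare as integers;
    alphabetic fields (such as a 'hotfix' suffix) rank after the bare number."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)


def is_outdated(model, version, baseline=MIN_PATCHED):
    """True if the device is below the fixed version, False if at or above it,
    None if the model has no baseline entry and needs manual review."""
    if model not in baseline:
        return None
    return parse_version(version) < parse_version(baseline[model])


def audit(inventory, baseline=MIN_PATCHED):
    """Split an inventory into devices that need updating and devices whose
    model is not covered by the baseline at all."""
    outdated, unknown = [], []
    for dev in inventory:
        verdict = is_outdated(dev["model"], dev["version"], baseline)
        if verdict is None:
            unknown.append(dev["name"])
        elif verdict:
            outdated.append(dev["name"])
    return outdated, unknown


if __name__ == "__main__":
    outdated, unknown = audit(INVENTORY)
    print("update immediately:", outdated)
    print("no baseline, review manually:", unknown)
```

Two caveats for real use. Devices whose model has no baseline entry are reported separately rather than silently passed, because "not on the list" usually means "nobody has checked", not "safe". And the comparator treats an alphabetic suffix as newer than the bare number, which matches hotfix-style suffixes but not pre-release labels; confirm the rule against each vendor's own version scheme before trusting the result.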
