Rising Cyber Threats: The Shift to Edge Device Exploits and the Challenges of Incident Response

Charles M. Walls | April 23, 2024

Mandiant Consulting traced a sophisticated cyberattack back to an edge device within a client's network. The device, a critical network component, had been compromised by a group with suspected ties to China. This case highlights a growing cybersecurity dilemma: the challenge of diagnosing and resolving breaches in such devices, as reported in Mandiant Consulting's M-Trends 2024 report, released April 23. Unlike more open systems, this particular network appliance is a sealed unit, forcing the client to wait for a forensic image from the manufacturer—a request still pending after two months.

Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, explains the strategic shift among nation-state attackers toward targeting network devices like firewalls, VPNs, and email gateways. These devices are less likely to be noticed and more cumbersome to investigate. "Edge devices often lack adequate telemetry, making it impossible to extract and analyze data without manufacturer intervention," Carmakal stated. This lack of visibility is a significant advantage for attackers, allowing them to operate undetected for extended periods.

The M-Trends 2024 report also highlights an alarming trend in cyber espionage: the increasing use of edge devices by attackers. These devices, essential for network stability, are exploited for their native capabilities, simplifying the attacker's job and reducing the risk of discovery. In a notable example, the BoldMove backdoor malware was tailored specifically for a Fortinet device, which helped Chinese attackers stay under the radar by disabling certain logging features.

Incident response teams often face significant hurdles due to restricted access to the affected systems' underlying operating systems, complicating efforts to pinpoint the breach source. "Access to forensic images is often restricted by vendors to protect their intellectual property, which can stymie the investigation process," Carmakal added.

The report further reveals that exploit use as an entry point for cyberattacks has increased, with 38% of Mandiant's investigated attacks starting this way. Phishing and prior vulnerabilities follow, highlighting the necessity for companies to adopt comprehensive defense strategies. Additionally, the prevalence of data leak sites in financial attacks has risen, now involved in over a third of such incidents.

This evolving threat landscape underlines the importance of enhancing visibility and control over network edge devices to combat sophisticated cyber threats effectively. As attackers refine their strategies, organizations must likewise adapt, ensuring robust defenses across all potential entry points.
