
Mass exploitation
The vulnerable edge of enterprise security
June 2024 | Stephen Robinson
Contents

1. Executive Summary  3
2. Introduction  3
   2.1 Why the KEV?  4
3. Industry research on initial access vector trends  4
4. Edge service exploitation  5
   4.1 What is an Edge Service  5
   4.2 Why are attackers targeting Edge Services?  5
   4.3 Edge service KEV vulnerability statistics and trends  6
       4.3.1 Edge CVEs exploited per month  6
       4.3.2 Base score of Edge CVEs  8
       4.3.3 EPSS percentile of Edge CVEs  10
   4.4 Major incidents  11
   4.5 What next?  11
5. Infrastructure exploitation  12
   5.1 What is Infrastructure?  12
   5.2 Why are attackers targeting Infrastructure?  12
   5.3 The EDR problem – EDR isn’t installed on appliances/infrastructure  13
   5.4 Infrastructure KEV vulnerability statistics and trends  13
       5.4.1 Infrastructure CVEs exploited per month  13
       5.4.2 Base score of Infrastructure CVEs  15
       5.4.3 EPSS percentile of Infrastructure CVEs  16
   5.5 Major incidents  17
   5.6 What next?  18
6. Appendix  18
   6.1 Major Edge Service incidents and campaigns  18
       6.1.1 Progress MOVEit  18
       6.1.2 ConnectWise ScreenConnect  18
       6.1.3 Zoho ManageEngine ServiceDesk  18
       6.1.4 JetBrains TeamCity  19
       6.1.5 Ivanti MobileIron  19
       6.1.6 RoundCube Webmail  19
   6.2 Major Infrastructure incidents and campaigns  19
       6.2.1 Ivanti ConnectSecure  19
       6.2.2 Citrix ADC/NetScaler - CitrixBleed  21
       6.2.3 Cisco IOS XE  21
       6.2.4 Cisco ASA and FDR  21
       6.2.5 FortiGuard’s FortiOS and FortiProxy  21
       6.2.6 Palo Alto’s PAN-OS  21
       6.2.7 F5 Big IP  22
       6.2.8 Juniper’s Junos  22
       6.2.9 VMWare ESXi  22
       6.2.10 Barracuda Email Security Gateway  22
1. Executive Summary
WithSecure searched for trends in Edge Service and Infrastructure vulnerabilities using CISA’s Known Exploited Vulnerability Catalogue (KEV), Common Vulnerability Scoring System (CVSS) base scores, and Exploit Prediction Scoring System (EPSS) scores. Based on our analysis we have reached the following conclusions:

• 64% of all Edge Service and Infrastructure CVEs in the KEV exist above the 97.5th percentile of EPSS scores (a metric that scores CVEs based on the likelihood of exploitation). Only 23% of all other CVEs in the KEV are above the 97.5th percentile.

• Edge Service and Infrastructure CVEs added to the KEV in the last two years are on average 11% higher severity than other KEV CVEs.

• The number of edge service and infrastructure CVEs added to the KEV per month in 2024 is 22% higher than in 2023, while the number of other CVEs added to the KEV per month has dropped 56% compared to 2023.

• Edge services are extremely attractive targets to attackers. They are exposed to the Internet and they are intended to provide critical services to remote users, and so they can be abused by remote attackers.

• Similarly, Infrastructure devices are attractive to attackers because they are black boxes which are not easily examined or monitored by network administrators, and they do not have EDR software installed. It is difficult for network administrators to verify they are secure, and they often must take it on trust. Certain types of these devices also provide edge services and so are Internet accessible.

• The capability and expertise needed to exploit zero and one-day vulnerabilities is more attainable for financially motivated cyber criminals than ever.

• Multiple researchers have recently observed that mass exploitation is the new primary observed attack vector for ransomware and nation state espionage attackers. Mass exploitation is enabled by vulnerable or insecure Internet accessible services and infrastructure. It is likely that either:
  – Mass exploitation is becoming the primary attack vector because there are so many vulnerable edge services
  – Or attackers and defenders are now more aware of vulnerable edge services due to the prevalence of mass exploitation

2. Introduction
The cyber threat landscape in 2023 and (so far) 2024 has been dominated by mass exploitation. Previous WithSecure reporting on the professionalization of cybercrime noted the growing importance of mass exploitation as an infection vector, but the volume and severity of this vector have now truly exploded. Several recent reports (summarized below) indicate that mass exploitation may have overtaken botnets as the primary vector for ransomware incidents, and there has been a rapid tempo of security incidents caused by mass exploitation of vulnerable software including, but not limited to: MOVEit, CitrixBleed, Cisco XE, Fortiguard’s FortiOS, Ivanti ConnectSecure, Palo Alto’s PAN-OS, Juniper’s Junos, and ConnectWise ScreenConnect.

There is just one thing that is required for a mass exploitation incident to occur, and that is a vulnerable edge service, meaning a piece of software that is accessible from the Internet. Analysis by BitSight based on Internet scanning found that in 2023, 35% of the 1 million organizations they identified had at least one Internet facing device where a detectable KEV CVE was present. The average time that those vulnerabilities were present before being remediated was 175 days, meaning that 50% of the detectable KEV CVEs in edge services took longer than that to remediate.

What many exploited edge services have in common is that they are infrastructure devices, such as Firewalls, VPN gateways, or Email gateways, which are commonly locked down, black box like devices. Devices such as these are often intended to make a network more secure, yet time and again vulnerabilities have been discovered in such devices and exploited by attackers, providing a perfect foothold in a target network.

This report will explore the trend of mass exploitation of Edge Services and Infrastructure and will put forward several theories as to why they have been so heavily and successfully targeted by attackers.

2.1 Why the KEV?


This report extracts insights from the Known Exploited Vulnerabilities (KEV) catalogue and the National Vulnerability Database (NVD) that are maintained by the US Government’s CISA. The KEV is the best publicly available source of actively exploited vulnerabilities, and so it is being used as a sample set to represent CVEs that are being exploited.

The dates the vulnerabilities were added to the KEV database have been used throughout the analysis, as opposed to the dates the CVEs were disclosed.

The term ‘Other CVEs’ is used in this document to refer to CVEs which the KEV describes as having a network attack vector, but which are not Edge Service or Infrastructure CVEs.

3. Industry research on initial access vector trends

Symantec published analysis of ransomware incidents investigated by them in 2023, where exploitation of known vulnerabilities in edge services was identified as the new primary vector for ransomware attacks. The report lists a number of CVEs as likely infection vectors, including:

• CVE-2022-47966 - ZOHO ManageEngine
• Multiple Microsoft Exchange Server vulnerabilities
• Citrix Bleed (CVE-2023-4966) - Citrix NetScaler ADC and NetScaler Gateway
• CVE-2023-20269 - Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) VPN Gateways

Two of these (Cisco ASA/FTD and Citrix NetScaler) are both infrastructure devices and edge services.

In Verizon Business’ 2024 Data Breach Investigations Report, Verizon identified that in 2023 14% of all breaches started with exploitation of a vulnerability, a 180% year on year increase. The report notes that 8% of all breaches investigated by Verizon Business in 2023 related to the MOVEit vulnerability, CVE-2023-34362, which would have contributed significantly to the increase in vulnerability exploitation.

In Mandiant’s M-Trends 2024 report, which provides statistics on their 2023 incident response engagements, they observe that Russian and Chinese espionage actors, as well as financially motivated attackers, are intentionally trying to avoid EDR and other detection technologies by targeting edge services. Exploitation was the most seen initial infection vector and was seen in 38% of intrusions, a 6% increase. The most common vulnerabilities seen as initial infection vectors were the MOVEit vulnerability CVE-2023-34362, CVE-2022-21587 in Oracle E-Business Suite, and CVE-2023-2868 in Barracuda Email Security Gateways.

The report also lists multiple examples of custom malware deployed by Chinese espionage actors onto edge service infrastructure and observes that there are a number of reasons these devices are attractive. These include the fact that defenders have little to no means of monitoring such devices or detecting malicious activity, and that even post incident investigation is hampered by the strict control maintained by the manufacturers. The report also notes that due to the lack of monitoring on infrastructure devices, living off the land becomes much easier, as attackers can take advantage of in-built files and functionality to simplify their malware, without significantly increasing their risk of detection.

In Coveware’s reporting on ransomware activity in 2024Q1, while in almost 50% of cases the initial access vector in ransomware attacks was unknown, the highest known vector was remote access compromise, followed by software vulnerability exploitation. The report states that notable software vulnerabilities exploited in ransomware attacks included:

• CVE-2023-20269 – Cisco ASA/FTD VPN gateways
• CVE-2023-4966 - NetScaler VPN virtual servers
• CVE-2024-1708-9 - ScreenConnect

4. Edge service exploitation


4.1 What is an Edge Service

An edge service is a piece of software which is installed at the edge of a network and is accessible from both the Internet and the internal network. Typically, it is either providing a service to both networks, or it is providing an external service which relies on the internal network in some way, such as a VPN gateway, a managed file transfer server, or a remote access server.

4.2 Why are attackers targeting Edge Services?

Edge services are being targeted by attackers because they are accessible, and because they make a very good initial access point into a network for an attacker. Edge services need to be reachable from the Internet, and providing a service means that they must accept input from remote users, which can then make them vulnerable to any one of a number of different types of vulnerability.

Edge services also tend to provide an excellent ingress point to a network for attackers. They are often intended to provide access to data stored within the network, or to the network itself, and services such as these often seem to be less heavily protected and security monitored than user devices. Unfortunately, while it is typical for network administrators to limit the permissions and accesses of end users, it is still far too common for server software and services to run with more privileges than is actually necessary, maybe even running as the root or Administrator user on servers which are not segregated from the core network by a DMZ.

These characteristics taken in combination with each other mean that edge services are often Internet accessible, unmonitored, and provide a rapid route to privileged local or network credentials on a server with broad access to the internal network.

Scanning the Internet to identify vulnerable devices and then exploiting them has been an established method of attack for years, but the rise of Initial Access Brokers (IABs) within the cybercrime marketplace has really driven the industrialization of this activity. Before, an attacker might identify and exploit vulnerable servers, but the number they could monetize was limited by the amount of work they could do. Stealing data or deploying ransomware does after all take time. However, it is now very common for attackers to sell access to compromised devices/networks to other actors, meaning that any device they compromise can be monetized, drastically improving the return on investment of such an activity. Ransomware has also had a more direct effect, as by using it attackers do not need to find valuable data on a network and also a third party willing to buy that data. Instead, they can simply bulk encrypt or steal data then sell it back to the original data owner, who will most likely value it more than any other buyer would. As such, ransomware has incentivized quantity over quality of intrusions, as almost any compromised network can now be monetized. This in turn suits the indiscriminate, mass exploitation method of gaining initial access. In 2022, small (less than 200 head count) organizations made up 50% of victims posted on ransomware leak sites, but this has increased 5% year on year, so that in 2024 small organizations make up 60% of victims. Payment statistics published by Coveware state that comparing 2023Q4 to 2023Q3, ransomware payment rates dropped to 29%, and the average ransom payment dropped by 33%. Coveware suggest this is due to a decline in the size of victim organizations, which they saw drop by 32% in the same timeframe. Chainalysis’ statistics for the whole of 2023 show that total ransom payments doubled compared to 2022 and increased by 10-15% compared to 2021. Together, these statistics could be taken to mean that payment rates and victim sizes are lower, but the total cost is higher, indicating that more, smaller victims are being impacted. It should be noted however that the two research pieces cover different time frames and almost certainly use different data, so they may not be directly comparable in this way.

4.3 Edge service KEV vulnerability statistics and trends

4.3.1 Edge CVEs exploited per month

Over the last two years the number of Edge Service CVEs added to CISA’s Known Exploited Vulnerabilities catalog (KEV) was relatively low. That number has been trending upwards since the beginning of 2023 however, and it has jumped significantly in the past 6 months, with 8 new edge vulnerabilities added to the KEV in November 2023, and a further 10 in January 2024:

This contrasts with Other (meaning non-Edge, non-Infrastructure, network vector) CVEs, which increased dramatically in 2023, but have since dropped in volume in 2024:

This is significant as it means that the increase in Edge and Infrastructure CVEs is not just a quirk of the dataset caused by increased resources or a widened remit for CISA.

The count of the number of CVEs per month for each year shows a distinct year on year increase for edge services, more than doubling from 2 CVEs per month in 2022 to 4.75 in 2024. This is a very strong trend of continuous increase, especially when compared to Other CVEs. While Other CVEs per month did increase from 2.56 in 2022 to 5.36 in 2023, it has so far dropped to 3 in 2024:

4.3.2 Base score of Edge CVEs

The monthly average base score for Edge CVEs remains consistently high throughout, with very little variance:

The monthly average base score for Other CVEs each month is generally lower, showing much more variance than Edge service CVEs, though it has trended upwards in 2024:

Looking at the average score per year shows that Edge CVEs scored more severe than Other CVEs each year, although so far in 2024 the difference is only 0.06:

If we look at the frequency distribution, we see an even clearer difference between the two categories, as the median base score for Edge CVEs is 9.8, while the median base score for Other CVEs is 8.8. In fact, 61% of Edge CVEs have a base score in the 9-10 range, while only 30% of Other CVEs are in that range.

4.3.3 EPSS percentile of Edge CVEs

The EPSS percentile describes how likely a vulnerability is to be exploited in comparison to all other CVEs (not just KEV CVEs). 67.06% of Edge service CVEs were above the 97.5th EPSS percentile:

This is almost the opposite of Other, network vector CVEs, where only 35% were above the 97.5th percentile:

4.4 Major incidents
Multiple major incidents and campaigns have resulted from edge service vulnerabilities and mass exploitation. A small subset of these from 2023 and 2024 are summarized in the sections below. Many of these edge services are web applications which combine multiple complex pieces of software into a single package.

These vulnerabilities have led to tens of thousands of Internet facing services being vulnerable to exploitation, and the nature of edge services has meant that many more organizations and individuals have been exposed to and impacted by such attacks. To take one example, exploitation of MOVEit in mid-2023 impacted almost 3,000 organizations, and as of May 2024 100 million PII records were stolen through MOVEit compromises, although the true number of impacted organizations and individuals may never be known. Looking at the number of victims posted to ransomware leak sites per month illustrates the impact that the MOVEit vulnerability had on the ransomware landscape, showing a clear rise from May 2023, peaking in August:

4.5 What next?


The number and severity of edge service CVEs being exploited by attackers is increasing. Edge services provide an excellent access point and beach head for attackers looking to compromise a network, as has been demonstrated by multiple significant incidents and campaigns in the past year.

Actors often replicate successful attacks and emulate the methods of other successful attackers. This means that once a campaign exploiting a particular vulnerability is publicized, other attackers will likely pile onto the band wagon and begin exploitation. It also means that if a particular vector such as mass exploitation is shown to be repeatedly successful, it is likely that more and more attackers will start to focus on it.

Research published by Symantec, Mandiant, and Coveware in 2024Q1 and Q2 has each stated that mass exploitation is now the primary attack vector for ransomware incidents, and mass exploitation relies upon vulnerable edge services to succeed.

5. Infrastructure exploitation
5.1 What is Infrastructure?

Infrastructure devices, also known as appliances, are devices provided by a supplier as is, with complete supplier defined software and hardware. These devices are commonly sold as a ”black box”, meaning that the inputs and outputs are known, but the actual internal functioning of the device is not. The network administrator may be able to configure the device, but they cannot change the software or hardware beyond supplier set limits. They typically have web and command line interfaces for administration of the functions provided, but the access for the network administrators is restricted. The operating system is almost always a very stripped back version of a *nix operating system. While it may be possible to bypass some restrictions to get an operating system shell, for example via a console port, the majority of the file system partitions will be locked down in such a way as to prevent files being modified.

Along with the practical constraints around these devices, it is almost always the case that if you do change the hardware or modify the software or operating system beyond the supplier’s parameters, the supplier will no longer support the device or honor the warranty. As such, EDR software cannot be installed on them, and the only logs available to an external SIEM are those the supplier has configured.

5.2 Why are attackers targeting Infrastructure?

Infrastructure makes an excellent vector for attackers for a number of reasons. These devices are often installed and then left untouched for years at a time, and then only interacted with via their web-interface or the service they provide. It is not unexpected that they will be running out of date, vulnerable operating systems or software. The devices are almost certainly unmonitored by Endpoint Detection and Response (EDR) software, and as long as they continue to provide the expected services it is very unlikely that anyone will notice if they are compromised by an attacker. Often these devices are Active Directory integrated, and it may be possible for attackers to extract service or administrator level credentials for Active Directory directly from the appliance device.

These devices typically provide a specific high value service, and these kinds of services can often provide great opportunities to attackers, for example:

Service                    Opportunity
VPN                        Remote access to the network, interception of user credentials
Email gateway              Email interception, user credentials
Network Attached Storage   File access
Bare metal hypervisor      Access to and control of virtual machines
Network load balancing     Access to critical services and server clusters
Firewall                   Bypass of the firewall itself, remote access
Switching or routing       Access to internal network traffic, positioning for ”network local” attacks and poisoning

Indeed, the value of firewalls and routers to malicious attackers is clearly illustrated by:

• the joint advisory issued in February 2024 by multiple national cybersecurity bodies warning of Russian state sponsored actors targeting and compromising routers for use in cyber operations.
• the CISA and FBI guidance issued in January 2024 urging small office/home office (SOHO) router manufacturers to increase the security of their products in response to targeting and exploitation by Chinese state sponsored actors.

The recent Ivanti ConnectSecure vulnerabilities and associated incidents have provided a good insight into the issues facing infrastructure edge service devices and are explored in the Major Incidents section below.

It is important to remember that while Ivanti has provided an excellent example of the risks that are present and the harms that are possible, it is certainly not the only example of this sort of incident. It is not even the only example of this sort of incident in the first quarter of 2024. Many of the biggest names in network security infrastructure have had multiple, similar incidents, although few seem to have had the level of impact and duration of the 2024 Ivanti cluster-incident.

5.3 The EDR problem – EDR isn’t installed on appliances/infrastructure

As previously stated, one of the things that makes infrastructure such a good target for attackers is that Endpoint Detection and Response (EDR) agents are not installed on these devices. EDR security software attempts to detect malicious files and behavior on an endpoint, logging, raising alerts, and taking autonomous or administrator approved actions in response. Because EDR is additional, non-standard software for these infrastructure appliances, it cannot be installed without voiding the warranty and support contracts for the devices. As such, these devices don’t have EDR installed and become blind spots for security teams, blind spots which we have seen that attackers are all too happy to take advantage of and dwell within.

5.4 Infrastructure KEV vulnerability statistics and trends


5.4.1 Infrastructure CVEs exploited per month

The number of infrastructure CVEs in the KEV has been relatively low over the last
two years, but from mid-2023 onwards it began to increase quite drastically, and in
January 2024 alone 8 new Infrastructure CVEs were added to the KEV:

This trend was not seen in Other (once again meaning non-Edge, non-Infrastructure, network vector) CVEs:

In 2022 the average number of infrastructure KEV CVEs per month was 1.2, rising to 2.6 in 2023, and to 3 in 2024. This means that in the first 4 months of 2024 there were almost as many infrastructure CVEs added as in the entirety of 2022:

5.4.2 Base score of Infrastructure CVEs

While generally high, there is some variance in the average base score per month for Infrastructure CVEs, with several much lower outliers:

The average severity so far in 2024 is 9.4, compared to the average of Other CVEs which is 8.9:

Looking at the frequency distribution of Infrastructure CVE base scores shows a drastic
skew towards the top of the scale. The median base score for Infrastructure CVEs is
9.8, and in fact 61% of Infrastructure CVEs lie in the 9-10 range, compared to 31% of
Other CVEs, which instead have a median of 8.8:

5.4.3 EPSS percentile of Infrastructure CVEs

42.86% of Infrastructure CVEs were above the 97.5th EPSS percentile; in comparison, 35.16% of Other, network vector CVEs were above the 97.5th percentile.

5.5 Major incidents

Multiple major incidents and campaigns have been caused by Infrastructure vulnerabilities.

Often, these vulnerable infrastructure appliances were intended to provide security services and reduce the attack surface, but instead they expanded the attack surface.

One way of estimating the possible impact of these vulnerabilities is the number of Internet exposed devices. It is challenging to get accurate numbers, but rough estimates of the number of Internet exposed Infrastructure devices affected by some of the major infrastructure vulnerabilities of 2024 and 2023 are given below:

Infrastructure Device      Count
Ivanti Connect Secure      26,000
Palo Alto Pan-OS           150,000
Cisco ASA/FDR              320,000
Citrix ADC                 60,000
Cisco IOS XE               150,000
FortiGuard FortiOS         250,000
F5 Big IP                  16,000
JunOS                      11,000
VMWare ESXi                4,000
Barracuda ESG              10,000

In total this gives an estimate of almost 1 million vulnerable infrastructure devices that have been exposed to the Internet. However, by the nature of these devices the impact of a vulnerability is much greater than the possible compromise of a single device, but instead presents the possibility of compromising all of the many devices that interact with and rely upon that infrastructure, which could be a very great number indeed when dealing with enterprise infrastructure. As an example, while a relatively modest 16,000 F5 Big IP devices were observed to be Internet exposed, F5 state that their devices are used by 48 of the top 50 companies in the United States.

Many infrastructure devices run Linux operating systems which have been customized by the supplier. While Linux is seen as a more secure OS, that does of course depend on its configuration, and because Linux is a standard operating system, there are many attackers who are familiar with it and many tools and malware which specifically target it. Many of the devices are difficult for security teams to monitor and intentionally provide a very limited view of the internal workings of the device via their logs. This creates a blind spot which attackers have become aware of and are increasingly seeking to exploit and dwell within. These vulnerabilities have often been found in enterprise infrastructure solutions, where there is typically either a very large install base, or a small install base of very large, high value organizations, both of which are very attractive to attackers. For attackers it is ideal to be able to either compromise a large number of victims at once from which they can then perform victim-agnostic attacks en-masse, or to be able to specifically compromise large enterprises which are likely to each individually be a source of high value data.

5.6 What next?
The volume of exploited Infrastructure vulnerabilities is increasing. While their severity is not increasing, this appears to be because the typical severity of these vulnerabilities is so high, and so close to the top of the CVSS scale, that there is simply nowhere further for it to go. It is likely that the main reason why infrastructure CVEs are so high severity is because they are almost always remotely exploitable vulnerabilities with a network attack vector. There will typically be no local access to this type of device, so the only way to exploit them is via the network. Simply due to the way that CVSS scores vulnerabilities, network/remotely exploitable vulnerabilities will be higher scoring.

6. Appendix

6.1 Major Edge Service incidents and campaigns

6.1.1 Progress MOVEit

CVE-2023-35708 was disclosed in June 2023 and was heavily exploited as a zero-day by the Clop ransomware brand against large enterprises and government organizations numbering in the thousands. Proof of concept code became available, and Clop were rapidly followed by other ransomware groups, and most likely nation state actors too.

MOVEit is a managed file transfer service which is used to transfer important data between organizations; as such it is an externally active, Internet accessible service. Important data typically means valuable data, and as such once attackers had compromised these servers they did not need to compromise the network any further to access valuable, ransom-worthy data. They could simply exfiltrate the data available on the server, activity which blended in almost seamlessly with the server's expected, legitimate behavior. Hundreds of major organizations including governments and banks that used the software were compromised, the data of tens of millions of people held by thousands of organizations who did business with the compromised entities was stolen, and it is estimated that Clop received around $100 million in ransom payments from their campaign exploiting this vulnerability.

6.1.2 ConnectWise ScreenConnect

CVE-2024-1708 was announced and patched in ConnectWise ScreenConnect Server in February 2024. This is a remote access/management tool often used by Managed Service Providers (MSPs) to manage the devices of their customers. Legitimate remote management tools are often abused by attackers because they are legitimate tools which provide all the functionality an attacker needs to remotely execute commands and move laterally. Because of the way ScreenConnect is used to provide remote access, often across organizational boundaries, ScreenConnect servers must be accessible to clients. As such this means they are typically edge services accessible from the Internet. The day after the patch was released, proof of concept code became available, and attackers began to exploit the vulnerability. They were then able to use the legitimate remote management functionality of ScreenConnect servers to perform malicious activity on client devices. 5,000-10,000 ScreenConnect servers were exposed to the Internet at the time the vulnerability was announced, and each server is capable of managing up to 150,000 client devices across multiple organizations.

6.1.3 Zoho ManageEngine ServiceDesk

ManageEngine ServiceDesk is software used to provide service desk and ticketing services for enterprise IT support functions. It is often
remotely accessible so that users who need to raise tickets can do so wherever they are located. Multiple vulnerabilities have been discovered in this software in recent years, and they have been targeted by many different attackers. This was illustrated in WithSecure's Professionalization of Cybercrime report, which detailed an incident where multiple different actors, including ransomware, IAB, nation state APT, and cryptominer attackers, compromised the same ManageEngine ServiceDesk instance.

6.1.4 JetBrains TeamCity

Multiple TeamCity vulnerabilities have been added to the KEV in recent years. TeamCity is a software supply chain tool, and as such its compromise can provide attackers with the ability to perform supply chain attacks against downstream customers. It also means that TeamCity is key for the day-to-day operation of the organizations using it, and any downtime or data loss from TeamCity, such as through a ransomware attack, is significant. This means that even a localized, non-supply chain attack that takes out a TeamCity instance can be extremely severe. While the number of Internet exposed TeamCity instances is relatively low, somewhere around 2,000 by some estimates, the impact that a compromise can cause has made these a priority for attackers and defenders.

6.1.5 Ivanti MobileIron

CVE-2023-35078 in Ivanti's MobileIron Mobile Device Management (MDM) software was exploited as a zero-day in mid-2023 by attackers targeting the Norwegian government, leading to compromise and data theft from 12 government departments. Because it is an MDM, MobileIron servers need to be accessible to the Internet so that any client mobile device can reach the server. At the time, it was estimated that 5,000 MobileIron servers were accessible to the Internet.

6.1.6 RoundCube Webmail

CVE-2023-5631 is an XSS vulnerability in RoundCube Webmail that was targeted by Russian state sponsored attackers for espionage attacks against European state entities and a think tank. Even though the vulnerability only scored 5.4, it allowed exfiltration of email messages from victims if they simply viewed a specially crafted phishing message. Email web services are ideal edge service compromise targets as they are almost certainly accessible from the Internet, and because they hold huge amounts of valuable organizational information which attackers can download from the email server without touching the rest of the network. Earlier in 2023, this same attacker exploited another XSS in RoundCube Webmail, CVE-2020-35730, in attacks against a very similar set of targets.

6.2 Major Infrastructure incidents and campaigns

6.2.1 Ivanti ConnectSecure

A thorough description of the Ivanti ConnectSecure incident of early 2024 is provided here as it perfectly highlights numerous risks with edge service and infrastructure exploitation.

In January 2024 Ivanti disclosed two zero-day vulnerabilities in their ConnectSecure VPN gateway appliances, which were later found to have been under active exploitation since December 2023. Ivanti Connect Secure (ICS) appliances are edge service, infrastructure devices which run a lightweight Linux operating system which network administrators could not directly access, monitor, or modify. ICS appliances are often configured to authenticate users against Active Directory, and CISA advised that it was trivially easy for attackers to extract Windows Domain Administrator credentials from compromised Ivanti ICS devices, providing full administrator access to Windows networks.

More than 25,000 ICS devices were connected to the Internet, and because these were zero-day CVEs all of them were vulnerable. When the vulnerability was disclosed 10-20 victims had been identified, all of which had been compromised by a single actor. Within days the number of victims compromised by that initial actor had risen to 1,500, and many more distinct campaigns were
observed targeting vulnerable ICS devices. CISA eventually issued advice to US Federal Government agencies that the likelihood of compromise was so high that they should disconnect ICS appliances and assume that their Active Directory domains had been compromised. Because ConnectSecure appliances run the Linux operating system, attackers were able to install standard Linux malware, such as the publicly available Sliver post exploitation framework. Because ICS appliances provide VPN services which users authenticate to, it was also trivially easy for attackers to harvest user credentials for further access and exploitation.

It took 3 weeks from the initial disclosure before patches became available; however, Ivanti did release a mitigation tool which was intended to protect devices from compromise. A mitigation tool was required as without a patch there was no action that administrators could take to safely continue using these devices.

Unfortunately, Ivanti then announced that the mitigation tool was flawed: while it reconfigured devices to prevent exploitation, if any further configuration was pushed to the device via centralized deployment of XML configuration files the mitigation would be removed. Central management and deployment of configuration for enterprise appliances such as these is extremely common.

Ivanti also released an Integrity Checker Tool (ICT), which would check if any files on the device had been modified. This was necessary as network administrators are not able to directly access the file system of ICS appliances, so they had no way to verify if a device was compromised except possibly through very thorough network monitoring of all connections to and from the server. This kind of network traffic collection and monitoring is something that most organizations likely do not have the ability to do.

Attackers and security researchers then proceeded to thoroughly investigate ICS devices, identifying more and more critical vulnerabilities which allowed for remote code execution, as mass exploitation of ICS devices was performed by more and more actors. In one case in February 2024, Orange Cyber Defense observed exploitation of an ICS vulnerability within 5 hours of a Proof of Concept (POC) exploit being published, and within 24 hours they observed more than 600 appliances compromised via that vulnerability.

At the end of February, CISA announced that the ICT that Ivanti was supplying to its customers was not sufficient to detect compromises of ICS devices. For a significant amount of time while Ivanti were working on creating patches for ConnectSecure, the ICT was the only defense available to customers. That, or simply turning off and not using these very expensive enterprise devices that were providing vital VPN remote access to the network for their modern distributed workforces. While Ivanti denied this, they also updated their ICT to address the situation described by CISA.

Security researchers at Eclypsium acquired the ICS operating software/operating system image and bypassed the restrictions around the operating system and file system to examine it. They identified software and OS components that were up to 21 years old, and the Linux kernel for the OS became end of life in February 2016. They found that the majority of the ConnectSecure GUI is written in Perl, which made the 23-year-old Perl version on the appliances a potential problem also. Considering the age of the software used, vulnerabilities in the product are almost to be expected. In the last 21 years software and system design methodologies and paradigms have changed, as have the tools available to developers, and even (we hope) the wider level of security awareness.

ConnectSecure devices, as the name suggests, are intended to provide a secure, Internet facing VPN connection service to protect enterprise networks and remote users. Network administrators who purchased and installed these devices did not know anything about their internal workings, and instead had to simply trust that the supplier was supplying them with a secure solution. As such, there was certainly a strong expectation that the devices would be running modern, secure software and operating systems. This expectation of security was addressed by the CEO of Ivanti in April 2024 when he released a 6 minute video stating that in response to the security incident the company would begin implementing a 'Secure By Design' ethos for their security products. This was obviously very positive, and also showed real bravery, as it risked criticism from those who might raise concerns as to what the Ivanti design ethos was before this incident.

Victims of compromise via Ivanti ConnectSecure are numerous and varied, but include CISA, the US government Cybersecurity and Infrastructure Security Agency, and MITRE, maintainers of the ATT&CK knowledge base of cybersecurity adversary tactics and techniques.
6.2.2 Citrix ADC/NetScaler - CitrixBleed

CVE-2023-4966, known as CitrixBleed, probably sits level with the MOVEit vulnerability as the most significant of 2023. CitrixBleed was a zero-day vulnerability in Citrix ADC and NetScaler appliances, which run a lightweight Linux operating system. The vulnerability allowed attackers to steal the session cookies of authenticated users. With these session cookies, attackers could then log in to the VPN and access the internal network as if they had legitimate credentials. The theft of session cookies even allowed attackers to bypass multi-factor authentication controls. Estimates of the number of devices running vulnerable versions of Citrix ADC/NetScaler open to the Internet when the vulnerability was announced range from 20,000-60,000. Known victims of CitrixBleed compromises include Boeing, the Industrial and Commercial Bank of China (the 5th largest bank in the world), and US ISP/telecoms giant Comcast Xfinity.

6.2.3 Cisco IOS XE

Cisco network infrastructure devices run several different operating systems, two of which, IOS XE and IOS XR, are Linux based. CVE-2023-20198 and CVE-2023-20273 were zero-day vulnerabilities in the web interface of devices running IOS XE which, when chained together, allowed remote, unauthenticated attackers to create administrator accounts, fully taking over the device. At the time the vulnerability was announced the number of vulnerable devices exposed to the Internet was estimated to be as high as 150,000, and very rapidly 40,000 devices were detected to be compromised by attackers.

6.2.4 Cisco ASA and FTD

Cisco ASA and FTD devices are firewalls that also have VPN gateway functionality. In 2023 ransomware groups breached multiple organizations via their Cisco ASA appliances, and eventually it was discovered that they were exploiting CVE-2023-20269, which allowed them to perform unlimited brute force attacks against the VPN service of the firewalls. Then in early 2024 an older ASA vulnerability, CVE-2020-3259, was exploited in a surge of compromises by ransomware actors including the Akira ransomware brand. According to CISA, Akira received around $40 million in ransoms from their attacks in 2023/4, and repeatedly targeted and compromised Cisco ASA firewalls. Most recently, in April 2024, it was disclosed that an espionage campaign that could not be linked to any previously known threat actors had been discovered. This campaign had an unknown initial attack vector and had been exploiting two zero-day vulnerabilities in Cisco ASA/FTD devices (CVE-2024-20353 and CVE-2024-20359) since July 2023. The actor used the compromised firewalls for initial access, reconnaissance, and traffic capture and exfiltration. They were described as having a specific interest in Microsoft Exchange servers and network infrastructure devices from multiple vendors. Over 300,000 Internet exposed Cisco ASA and FTD devices were identified.

6.2.5 FortiGuard's FortiOS and FortiProxy

FortiGuard make various network infrastructure devices, including VPN gateways. These gateways run a Linux based operating system called FortiOS. In recent years there have been multiple critical zero-day vulnerabilities affecting FortiOS and FortiProxy devices, including CVE-2022-42475, CVE-2022-41328, CVE-2023-27997, and CVE-2024-21762. CVE-2024-21762 allowed unauthenticated attackers to perform remote code execution, and at the time it was disclosed as a zero-day there were an estimated 150,000-200,000 FortiGuard devices running a vulnerable version of FortiOS accessible from the Internet.

6.2.6 Palo Alto's PAN-OS

CVE-2024-3400 was a zero-day vulnerability in the GlobalProtect VPN feature of PAN-OS, the Linux based operating system run by Palo Alto firewalls. At the time the vulnerability was disclosed there were more than 150,000 vulnerable PAN-OS devices accessible from the Internet, with multiple actors detected performing remote exploitation.

6.2.7 F5 Big IP

CVE-2023-46747 and CVE-2023-46748 together were exploited as a critical vulnerability chain in F5 Big IP traffic management devices, allowing
remote attackers to execute arbitrary commands. F5 Big IP devices run a Linux based operating system, and 10,000-20,000 devices were accessible from the Internet. Though it is believed only a small fraction were configured in such a way as to be vulnerable to external attackers, such devices are typically only needed and installed in very large enterprises, and indeed F5 state that 48 of the Fortune 50 list of the largest US companies are using their products.

6.2.8 Juniper's Junos

Multiple High and Critical severity CVEs in Juniper's Junos based devices were disclosed in the last year. Junos is a FreeBSD based operating system. These vulnerabilities include CVE-2024-21591, a remote code execution vulnerability in the J-Web web-based configuration interface, CVE-2024-21619, and CVE-2024-21620. In January 2024 an estimated 11,000 J-Web interfaces of Junos devices were accessible to the Internet.

In April 2024 Juniper issued a patch which addressed 82 separate CVEs in Juniper Cloud Native Routers and Juniper cRPD (essentially a Junos Docker image for cloud deployment). The most notable vulnerability was 9.8 severity CVE-2024-30407, which was due to the use of hard coded private keys in Junos which would allow AiTM attacks to undetectably intercept SSH traffic, resulting in complete compromise of the device. As well as the Junos native vulnerabilities, this patch addressed large numbers of vulnerabilities in external software packages which are included in the OS. Some of the lower severity vulnerabilities were assigned CVEs as far back as 2011, which suggests that the software packages in some versions of Juniper OS may not have been updated since then. There were also six 9.8 severity vulnerabilities in external software packages, which dated back as far as 2019.

6.2.9 VMWare ESXi

In 2024, 4 critical vulnerabilities in ESXi were disclosed by VMWare: CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. Several of these vulnerabilities could be chained together to provide full escape from guest VMs to the host hypervisor. While these vulnerabilities are not known to have been used in mass exploitation campaigns by attackers, ESXi is very commonly targeted by ransomware and nation state attackers. By gaining access to a hypervisor attackers can then gain access to the virtual machines it hosts. ESXi is not a Linux based operating system, instead being described by VMWare as a fully custom operating system kernel. However, this does also mean that it is not a standard server and does not run EDR software.

Several ransomware brands have developed ESXi compatible ransomware encryptors, including Akira. Akira gained access to ESXi hosts and encrypted the guest VMs in their attack on the hosting provider Tieto Evry, which impacted multiple government and commercial bodies in Sweden, including the Swedish central bank. Akira did the same again during their 2024 compromise of the Chilean hosting provider IxMetro Powerhost, where they demanded a 2 Bitcoin ransom per customer to be decrypted, presenting a total ransom demand of $140 million. In 2023, the US MGM Casinos organization suffered a ransomware attack where their VMWare ESXi servers were targeted and guest VMs encrypted, resulting in an estimated $100 million loss for the company.

6.2.10 Barracuda Email Security Gateway

CVE-2023-2868 was an unauthenticated remote command execution zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances which had been under active exploitation by a Chinese state sponsored actor for over 6 months by the time it was discovered and disclosed in late May 2023. The severity of this vulnerability was such that Barracuda's advice to all customers with ESG appliances was to remove, decommission, and replace them immediately. This implies that the actors were able to compromise these devices so thoroughly, and to so low a level, that it was not possible to evict the attacker even by factory resetting the device and wiping the storage. There were believed to be around 10,000 Barracuda Email Security Gateways accessible from the Internet the week after the vulnerability was disclosed.