A security vulnerability in Cisco Adaptive Security Appliance (ASA), which the company addressed last October and again earlier this April, has come under active in-the-wild attack following the release of proof-of-concept (PoC) exploit code. The PoC was published by researchers from cybersecurity firm Positive Technologies on June 24, after which reports emerged that attackers were attempting to exploit the bug.
We have now seen a number of big-name appliance vendors fall foul of vulnerabilities in their solutions, as the trusted-network model struggles to keep users productive and domains safe. By exploiting low-level vulnerabilities in these critical network appliances and endpoint VPN clients, state-sponsored APT groups and the wider economy of threat actors have proven they are capable of compromising entire network infrastructures. They are adept at covering their tracks, moving laterally through a network and identifying critical data to steal or encrypt for ransom.

On unpatched servers, multiple vulnerabilities exist in the web services interface of some of these products under certain configurations. Clicking a specially crafted link could allow the adversary to run code in the victim's browser, potentially exposing sensitive browser-based information. Although vendors release patches regularly, attackers know that these manufacturers are under pressure to get their updates right, and that a fix only helps if customers maintain strict patching regimes. Weighed against other business priorities under challenging working conditions, many organisations simply haven’t kept their solutions up to date.

Cisco is not alone: Fortinet, Palo Alto and Citrix have faced similar challenges. IT leaders and administrators have had the unenviable task of reinforcing network defences through strict patching and maintenance windows while keeping the lights on during a pandemic. As an example, the Chinese-backed Advanced Persistent Threat (APT) actors UNC2630 and UNC2717 have been called out for repeatedly exploiting known vulnerabilities in Pulse Secure products, affecting customers across a wide range of industries and sectors. Their tactics include accessing web server logs and data, deleting and tampering with forensic evidence, and identifying files for exfiltration as part of their campaign of espionage and disruption.

In the face of such a fierce assault on data security and privacy, organisations are migrating rapidly to a Zero Trust Network Access (ZTNA) model, which gives users access only to the apps and data they need rather than the “back-stage pass” that VPNs provide. ZTNA lets security teams continuously monitor the identity of those requesting access to their apps and understand what they need for work, while removing the complexity of provisioning and maintaining VPN clients on user devices. As a security strategy and technology, ZTNA enables admins to set context-aware policies and act on device and user behaviour independently of each other, reducing the risks associated with compromised devices and accounts. By integrating with multi-factor authentication and identity solutions, it reduces user friction and improves overall access control.