Mass exploitation: The vulnerable edge of enterprise security

by Stephen Robinson

WithSecure Intelligence

12 June 2024

The cyber threat landscape in 2023 and so far in 2024 has been dominated by mass exploitation. Previous WithSecure reporting on the professionalization of cybercrime noted the growing importance of mass exploitation as an infection vector, but the volume and severity of this vector have now truly exploded. Several recent reports indicate that mass exploitation may have overtaken botnets as the primary initial access vector for ransomware incidents, and there has been a rapid tempo of security incidents caused by mass exploitation of vulnerable software including, but not limited to: MOVEit, CitrixBleed, Cisco IOS XE, Fortinet's FortiOS, Ivanti Connect Secure, Palo Alto's PAN-OS, Juniper's Junos, and ConnectWise ScreenConnect.

Only one thing is required for a mass exploitation incident to occur: a vulnerable edge service, meaning a piece of software that is reachable from the Internet. What many exploited edge services have in common is that they are infrastructure devices, such as firewalls, VPN gateways, or email gateways, which are typically locked-down, black-box appliances whose internals the customer cannot inspect or patch independently. Devices such as these are intended to make a network more secure, yet time and again vulnerabilities have been discovered in them and exploited by attackers, and because they sit at the network boundary with privileged access to internal systems and credentials, they provide a near-perfect foothold in a target network.

This report explores the trend of mass exploitation of edge services and infrastructure, and puts forward several theories as to why they have been so heavily and successfully targeted by attackers.