Introduction
In recent years, the frequency and success of exploits against perimeter security devices such as firewalls and VPN gateways have been alarmingly high. A notable incident in 2024 was the disclosure, in quick succession, of five vulnerabilities in Ivanti Connect Secure, several of which were exploited as zero-days to achieve unauthenticated remote code execution on affected devices, including by suspected nation-state actors. Despite Ivanti’s vigilance and its enlistment of investigative agencies and other authoring organizations to help stay ahead of the threat actors, each patch or mitigation was met with a new angle of attack. The initial public disclosure, made in the spirit of transparency and to protect customers, inadvertently alerted other threat actors to the vulnerabilities, and they immediately began exploiting them. At one point even CISA, the agency overseeing the response, was attacked through the very vulnerabilities it was warning the public about. This fast-paced battle shows how paramount it is to apply patches promptly and to keep builds and products up to date.
Modern firewalls serve as the first line of defense, using configurable security rules to inspect and filter traffic and blocking packets that violate policy before they enter an organization’s network. Many firewalls also provide Virtual Private Network (VPN) services, which are crucial for secure remote access. By establishing dedicated tunnels over public infrastructure, VPNs provide authentication and encryption to protect communications in transit.
In Industrial Control Systems (ICS), firewalls are vital for IT-OT segmentation, but they also become concentrated points of attack, particularly through their remote-access services. ICS environments, often geographically dispersed across manufacturing and energy infrastructure, rely on VPNs for secure communication. For instance, remote sites may use perimeter security devices with VPNs to create secure channels over untrusted networks, such as the internet, back to a main control center. This setup allows engineers and technicians to reach these systems for monitoring, maintenance, and troubleshooting from afar.
Attackers exploit vulnerabilities in these perimeter devices to infiltrate networks and compromise critical systems. Recent exploitation of known firewall and VPN OS vulnerabilities highlights the need for more resilient and adaptive OT security measures. Ignoring these vulnerabilities can cause significant damage to industrial facilities, hospitals, schools, and government institutions. Organizations must therefore adopt multi-layered security strategies to combat increasingly sophisticated threats before an incident occurs.
Modern IT Firewalls vs. Zero-Day Attacks
The proliferation of firewalls has brought a series of challenges to modern network security. Threat actors have learned to target these devices, which are directly exposed to the internet and frequently left unpatched, as a path into core networks and to critical data. Traditional IT firewalls and VPN gateways are particularly susceptible to zero-day threats. Specific examples include:
Case Study 1: Widespread Exploitation of Consecutive Vulnerabilities in Ivanti Connect Secure
- On January 10, 2024, Ivanti disclosed two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways that were already being exploited in the wild: CVE-2023-46805, an authentication bypass vulnerability with a CVSS score of 8.2, and CVE-2024-21887, a critical command injection vulnerability (CVSS 9.1). Chained together, they give an unauthenticated attacker remote code execution on the appliance.
- On January 31, Ivanti disclosed two additional vulnerabilities: CVE-2024-21888, a high-severity privilege escalation vulnerability, and CVE-2024-21893, a high-severity server-side request forgery in the SAML component of Ivanti Connect Secure. The latter was exploited to bypass the initial mitigation for CVE-2023-46805 and CVE-2024-21887.
- On February 8, Ivanti disclosed a fifth vulnerability, CVE-2024-22024, a high-severity XML external entity (XXE) flaw in the SAML component that allows access to certain restricted resources without authentication. The public release of proof-of-concept (PoC) code increased the risk of active exploitation. CISA’s Emergency Directive 24-01, first issued on January 19 and supplemented on January 31, had already ordered federal agencies to disconnect affected products from their networks. Ivanti released patches and advised customers who could not yet apply them to implement interim mitigations, and recommended running its Integrity Checker Tool to detect compromise.
- However, on February 29, a joint cybersecurity advisory warned that threat actors had found ways to evade Ivanti’s internal and external Integrity Checker Tool (ICT), so a clean scan could no longer be taken as proof that a device was uncompromised. By this point the impact had expanded far beyond the originally small, highly targeted group of organizations. Even with Ivanti’s prompt response and CISA’s repeated reports on the suspected espionage actors, the situation escalated sharply. Organizations running Ivanti products had to assume their devices might already have been compromised and could be used against them in the future.
- On April 3, Ivanti released a further security update covering all supported versions of Ivanti Connect Secure and Ivanti Policy Secure. That advisory again pointed customers to the enhanced external ICT and stated that the vulnerabilities it addressed had no evidence of exploitation in the wild and did not affect other Ivanti products or solutions. Nonetheless, the episode speaks volumes about the adroitness of modern threat actors.
Case Study 2: CVE-2024-3400 Exploitation in Industrial Control Equipment
On April 19, 2024, Siemens announced that its RUGGEDCOM APE1808 devices, when configured with Palo Alto Networks (PAN) Virtual Next-Generation Firewalls (NGFW), are affected by CVE-2024-3400, a critical vulnerability in PAN-OS. This case underscores how traditional IT security issues spill over into critical infrastructure. CVE-2024-3400 is an arbitrary file creation flaw in the GlobalProtect feature of PAN-OS that leads to OS command injection: an unauthenticated attacker can send crafted HTTP requests to a GlobalProtect portal or gateway and execute arbitrary code on the firewall with root privileges. According to a report by the cybersecurity firm Volexity, the vulnerability was already being exploited before the advisory was published, with attackers deploying backdoors, including a Python backdoor that executes in memory, to retain prolonged control over compromised firewalls. Palo Alto Networks urged customers to upgrade to a fixed PAN-OS release immediately, even where mitigations had already been applied, because mitigations reduce exposure but do not remove the underlying flaw.
Case Study 3: Dual Zero-Day Exploits CVE-2024-20353 and CVE-2024-20359 Highlight Remote Access Risks
On April 24, 2024, Cisco Talos disclosed an espionage campaign named ArcaneDoor, run by a state-sponsored actor tracked as UAT4356, that used two zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) software to implant backdoors in government networks. The attacks began in July 2023; the actor built its attack infrastructure in November of that year and escalated activity from December through January. CVE-2024-20353 is a denial-of-service flaw in the ASA and Firepower Threat Defense (FTD) management and VPN web servers that an unauthenticated remote attacker can trigger with a crafted request to force the device to reload. CVE-2024-20359 is a persistent local code execution flaw in the legacy capability to preload VPN clients and plugins; it requires administrator-level privileges. The actor deployed two implants: Line Dancer, a memory-resident shellcode interpreter, and Line Runner, a persistent backdoor that survives reboots and, before the fix, software upgrades. These backdoors let the attackers alter system configuration, capture network traffic, and move laterally within the network. The Canadian Centre for Cyber Security, together with other national security agencies, tracked the activity and confirmed impact on Cisco ASA devices. Cisco has issued patches, but it is up to operators to apply them promptly and to strengthen surrounding controls against similar attacks.
Modern Cyber Adversaries: Putting Industrial Organizations on Alert
As incidents continue to surface, it is clear that attackers are not only exploiting zero-day vulnerabilities but also, as Mandiant and other security researchers have documented, developing increasingly complex and insidious post-exploitation methods. Notably, today’s threat actors employ techniques such as:
1. Deftly Circumventing Mitigation Measures
The Ivanti incident showed that threat actors can defeat mitigations published by the Original Equipment Manufacturer (OEM). Mandiant’s investigation found that attackers exploited CVE-2024-21893 to bypass the initial mitigation Ivanti released on January 10, 2024, and deployed web shells on devices that had the mitigation in place. Vendor mitigations alone are therefore not a reliable defense against capable adversaries; organizations need independent detection so that a mitigated device does not create a false sense of security.
2. Deploying ‘Living off the Land’ Attacks
In the incidents CISA has responded to, threat actors exploited the Ivanti vulnerabilities to gain initial access, implanted web shells, and harvested credentials stored on the devices. They then used tools already present on the compromised appliances, such as freerdp, ssh, telnet, and nmap, to expand access into the domain environment, in some cases resulting in compromise of the entire domain. Because these are legitimate binaries, their use blends in with normal administration unless the process lineage and source of the activity are examined.
3. Establishing Persistent Backdoors to Counteract System Resets
Recent implants are designed to survive system upgrades, patches, and even factory resets; in the Ivanti case, CISA confirmed in lab testing that root-level persistence across a factory reset was possible. This shows that threat actors invest heavily in maintaining persistence on high-value targets. The cases above highlight the importance of keeping key assets current with the latest updates and patches, and also of verifying device integrity after patching, since applying a patch to an already-compromised device does not evict the intruder.
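The living-off-the-land pattern in item 2 above (web shell on the appliance, then native tools such as nmap and ssh used for lateral movement) can be caught by looking at process lineage rather than at the tool names alone. The following detector is an added example, not TXOne or CISA code: it walks each process's ancestor chain and flags a shell spawned directly by the web server and any remote-access tool whose ancestry leads back to it, while leaving an administrator's interactive ssh session alone. The log lines, field layout, and the web-tier process names in WEB_PROCS are constructed assumptions, not the format of any real appliance.

```python
"""Detect living-off-the-land activity on a perimeter appliance: native
remote-access tools launched from a process tree rooted in the web server.
Added example, not TXOne or CISA code.  The log lines and field names are
constructed; the web-tier process names are an assumption about the appliance."""
import re
from dataclasses import dataclass

# Tools the joint advisory names as used for lateral movement from compromised devices.
LOTL_TOOLS = {"freerdp", "xfreerdp", "ssh", "telnet", "nmap"}
# Assumed names of the appliance's web-tier processes (adjust for the real platform).
WEB_PROCS = {"httpd", "nginx", "php-fpm", "perl"}
SHELLS = {"sh", "bash", "dash"}

# Constructed process-start events: one line per exec, space-separated key=value fields.
SAMPLE_LOG = """\
2024-02-01T09:00:00Z host=vpn01 pid=880 ppid=1 uid=0 comm=httpd cmdline="httpd -k start"
2024-02-01T09:00:01Z host=vpn01 pid=600 ppid=1 uid=0 comm=sshd cmdline="/usr/sbin/sshd -D"
2024-02-01T09:00:02Z host=vpn01 pid=700 ppid=1 uid=0 comm=cron cmdline="/usr/sbin/cron"
2024-02-01T10:14:03Z host=vpn01 pid=4120 ppid=880 uid=0 comm=sh cmdline="sh -c id"
2024-02-01T10:14:09Z host=vpn01 pid=4125 ppid=4120 uid=0 comm=nmap cmdline="nmap -sT -p 22,3389 10.0.5.0/24"
2024-02-01T10:15:41Z host=vpn01 pid=4130 ppid=4120 uid=0 comm=ssh cmdline="ssh admin@10.0.5.12"
2024-02-01T11:02:00Z host=vpn01 pid=5000 ppid=600 uid=1001 comm=ssh cmdline="ssh backup@10.0.9.3"
2024-02-01T11:30:12Z host=vpn01 pid=5100 ppid=700 uid=0 comm=sh cmdline="sh /opt/backup.sh"
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'uid=(?P<uid>\d+) comm=(?P<comm>\S+) cmdline="(?P<cmdline>[^"]*)"'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    pid: int
    rule: str
    detail: str


def parse_events(text: str) -> list[dict]:
    """Parse the constructed log format; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["pid"], e["ppid"], e["uid"] = int(e["pid"]), int(e["ppid"]), int(e["uid"])
        events.append(e)
    return events


def ancestry(pid: int, parents: dict) -> list[str]:
    """Walk pid -> ppid through the process table seen so far; return ancestor comms."""
    chain, seen = [], set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        ppid, comm = parents[pid]
        chain.append(comm)
        pid = ppid
    return chain


def detect_lotl(text: str) -> list[Finding]:
    """Flag shells spawned by the web tier and LOTL tools whose ancestry leads to it."""
    findings, parents = [], {}
    for e in parse_events(text):
        parents[e["pid"]] = (e["ppid"], e["comm"])   # record before judging by ancestors
        ancestors = ancestry(e["ppid"], parents)
        from_web = any(a in WEB_PROCS for a in ancestors)
        parent_comm = parents[e["ppid"]][1] if e["ppid"] in parents else None
        if e["comm"] in SHELLS and parent_comm in WEB_PROCS:
            findings.append(Finding(e["ts"], e["host"], e["pid"], "web_shell",
                                    f'shell spawned by {parent_comm}: {e["cmdline"]}'))
        elif e["comm"] in LOTL_TOOLS and from_web:
            findings.append(Finding(e["ts"], e["host"], e["pid"], "lotl_from_web",
                                    f'{e["comm"]} under {"<-".join(ancestors)}: {e["cmdline"]}'))
    return findings


if __name__ == "__main__":
    for f in detect_lotl(SAMPLE_LOG):
        print(f.ts, f.host, f.pid, f.rule, f.detail)
```

The key design choice is that the rule keys on where a process came from, not what it is: the same `ssh` binary is benign under `sshd` (an administrator's session) and suspicious under a shell that `httpd` spawned. On a real appliance the process table would come from audit or EDR telemetry rather than a text log, and the ancestor walk needs the parent processes to have been logged before their children, which is why the sample includes the daemon start events.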
TXOne Networks Provides a CPS (Cyber-Physical System) Security Protection Solution
To begin with, traditional firewall vendors have already published mitigation guidance, so your organization can follow OEM instructions to address known vulnerabilities. However, given the increasing frequency and complexity of cyberattacks, OT environments must remain especially vigilant. We advocate an asset-centered CPS security architecture as a better approach to risk management, built on network and endpoint defenses designed specifically for the ICS/OT production environment. If your organization is evaluating new ICS/OT network defense solutions, focus on those offering ICS/OT control features that mitigate the most significant risks. ICS/OT network defense should not simply reuse the tools and assumptions of traditional IT environments.
1. OT-Centric Next-Generation Network Defense Solutions
Given the functional limitations of traditional IT firewalls and the many challenges and vulnerabilities facing unprotected ICS/OT networks, organizations should adopt an OT-centric security design for their industrial environments, adding an extra layer of protection to the production setting. We have developed the Edge series of network defense solutions, whose security mechanisms and asset-centered features are tailored to the needs of the OT environment. The primary advantages of this series include:
- Advanced Threat Defense Against Zero-Day Vulnerabilities: EdgeIPS Pro provides advanced protection against unknown threats with its up-to-date threat information. Leveraging the cutting-edge research of the Zero Day Initiative (ZDI) vulnerability rewards program, EdgeIPS Pro offers your systems exclusive protection from undisclosed and zero-day threats.
- Malware Landing Prevention: With EdgeIPS Pro, virtual patching shelters endpoint and network vulnerabilities while the signature-based antivirus provides an extra layer of protection. Research-supported, up-to-date signatures protect your production assets against the latest threats, and the frequency of flexible updates is fully under the administrator’s control.
- OT Native: EdgeIPS Pro supports OT protocols including Modbus, EtherNet/IP, CIP, EDA, and more, allowing OT and IT security administrators to collaborate for seamless operation within the existing network architecture.
- OT-Aware Operational Intelligence: Our core technology for EdgeIPS Pro, TXOne-Pass DPI for Industry (TXODI™), gives you the ability to create and edit allowlists, enabling interoperability between key nodes and deep analysis of L2-L7 network traffic.
- Ultimate Operational Continuity: Business continuity is essential to operational stability. To that end, EdgeIPS Pro devices can provide an alternative route in case the connected switch suffers a port failure, and all EdgeIPS devices are equipped with packet bypass to keep traffic flowing under all conditions, including device failure.
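The allowlisting and fine-grained OT access control described above come down to one decision per request: which source may send which protocol operation, to which device, over which address range. The following is an added example, not TXOne code or the TXODI engine, that makes that decision for Modbus/TCP: it parses the MBAP header and the read/write PDU, applies a default-deny policy that lets an HMI only read and lets an engineering workstation write only inside a narrow register window, and drops malformed frames (including tampered length fields) rather than guessing. The host addresses, unit IDs, and policy rules are constructed for illustration.

```python
"""Allowlist enforcement for Modbus/TCP, illustrating OT-aware L2-L7 allowlisting.
Added example, not TXOne code.  Host addresses, unit IDs and the policy rules are
constructed for illustration."""
import struct
from dataclasses import dataclass

# Public Modbus function codes: reads are non-intrusive, writes change process state.
READ_FCS = frozenset({0x01, 0x02, 0x03, 0x04})   # coils, discrete inputs, holding, input regs
WRITE_FCS = frozenset({0x05, 0x06, 0x0F, 0x10})  # single coil/register, multiple coils/registers


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_addr: int
    quantity: int          # number of coils/registers the request touches


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse an MBAP header (tid, protocol id, length, unit id) plus a read/write PDU.
    Malformed frames raise ValueError so the caller can default-deny them."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:        # length field covers unit id + PDU
        raise ValueError("MBAP length mismatch")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in READ_FCS or fc in (0x05, 0x06):
        if len(pdu) != 5:
            raise ValueError("bad PDU length")
        addr, field = struct.unpack(">HH", pdu[1:5])
        qty = 1 if fc in (0x05, 0x06) else field   # single writes carry a value, not a count
    elif fc in (0x0F, 0x10):
        if len(pdu) < 6:
            raise ValueError("bad PDU length")
        addr, qty, bytecount = struct.unpack(">HHB", pdu[1:6])
        if len(pdu) != 6 + bytecount:
            raise ValueError("byte count mismatch")
    else:
        raise ValueError(f"function code {fc:#04x} not handled by allowlist parser")
    return ModbusRequest(tid, uid, fc, addr, qty)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    unit_id: int
    allowed_fcs: frozenset
    addr_range: tuple     # inclusive (low, high) register/coil window this source may touch


# Constructed policy: the HMI may only read; the engineering workstation may also write,
# but only inside a small register window.  Anything unmatched is denied by default.
POLICY = [
    Rule("10.0.1.10", "10.0.2.5", 1, READ_FCS, (0, 999)),
    Rule("10.0.1.20", "10.0.2.5", 1, READ_FCS | WRITE_FCS, (100, 199)),
]


def evaluate(src: str, dst: str, frame: bytes) -> tuple[str, str]:
    """Return ("ALLOW" | "DROP", reason) for one request from src to dst."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DROP", f"malformed: {exc}"
    for rule in POLICY:
        if (rule.src, rule.dst, rule.unit_id) != (src, dst, req.unit_id):
            continue
        if req.function_code not in rule.allowed_fcs:
            return "DROP", f"fc {req.function_code:#04x} not permitted for {src}"
        low, high = rule.addr_range
        last = req.start_addr + req.quantity - 1
        if req.start_addr < low or last > high:
            return "DROP", f"addresses {req.start_addr}-{last} outside {low}-{high}"
        return "ALLOW", f"fc {req.function_code:#04x} addr {req.start_addr}-{last}"
    return "DROP", "no matching rule (default deny)"


def build_request(tid: int, uid: int, fc: int, addr: int, field: int) -> bytes:
    """Build a request frame for FCs 0x01-0x06 (field = quantity or value) or 0x10 (field = count)."""
    if fc == 0x10:
        pdu = struct.pack(">BHHB", fc, addr, field, 2 * field) + b"\x00" * (2 * field)
    else:
        pdu = struct.pack(">BHH", fc, addr, field)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


if __name__ == "__main__":
    hmi, ews, plc = "10.0.1.10", "10.0.1.20", "10.0.2.5"
    for who, frame in [
        (hmi, build_request(1, 1, 0x03, 0, 10)),     # HMI reads 10 holding registers
        (hmi, build_request(2, 1, 0x06, 100, 1)),    # HMI attempts a write: denied
        (ews, build_request(3, 1, 0x10, 150, 2)),    # EWS writes 2 registers inside its window
        (ews, build_request(4, 1, 0x06, 50, 1)),     # EWS writes outside its window: denied
    ]:
        print(who, *evaluate(who, plc, frame))
```

Two points matter for an inline OT device. Parsing must be strict: the length field, byte count, and PDU size are cross-checked, and anything inconsistent is dropped rather than forwarded, because a permissive parser is exactly where a crafted frame slips past policy. And the policy is expressed in OT terms (function code and address window per source), which is what lets a write from an unexpected host be blocked while routine HMI polling continues untouched.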
CPSDR Guarantees Deep Analysis of All System Operation Changes
In ICS/OT network security, the worst case is one where the perimeter defenses have already failed. At that point endpoint security becomes the key mitigation, since it is what detects malicious activity on the assets themselves. TXOne Networks has observed that many types of malware, including zero-day attacks, evade traditional pattern-matching detection. The new generation of Cyber-Physical System Detection and Response (CPSDR) methodologies changes this. CPSDR takes an operation-centric approach in which security controls are coordinated with device operations without impacting performance. It raises high-precision early alerts on system anomalies before instability arises, detecting and suppressing deviations from normal operation before they can disrupt the process. With CPSDR, any change in system operation, whether an attack or a benign process change, is analyzed and addressed, significantly reducing risk and helping keep ICS/OT critical systems safe from network threats.
- CPS Detection and Response (CPSDR): A unique device fingerprint is created using telemetry from the app, network, system, user login, and device data categories, allowing agents to monitor stability and identify causes of any changes, such as threats or operator errors.
- Multi-Method Threat Prevention: Combines artificial intelligence (AI) and machine learning (ML) with high-speed detection to protect against both known and unknown malware, optimized for operational precision without reducing availability.
- Operational Configuration Lockdown: Enforces configuration lockdown on devices, preventing unauthorized changes to registry and function settings by operators or malicious actors.
Conclusion
To address the challenges in OT environments, TXOne introduces the Cyber-Physical System (CPS) Security Protection Solution, which simplifies and strengthens defense-in-depth strategies. Key technologies include TXOne Networks’ EdgeIPS, an OT-specific Intrusion Prevention System (IPS) built around the principle of least privilege. It minimizes the OT attack surface, contains network attacks, segments OT networks from other environments, improves operational performance, and limits the impact of human error. Through fine-grained access control, businesses can balance availability and security, safeguarding critical data and systems.
Another innovative technology is Stellar, a next-gen antivirus solution specifically designed for OT environments. It features Operations Behavior Anomaly Detection, identifying abnormal behavior within system operations. Leveraging advanced algorithms and analytics, Stellar effectively detects real-time deviations from expected patterns or behaviors. This early detection and timely alert system enhances overall security by facilitating prompt investigation and mitigation of suspicious activities.
With TXOne Networks’ advanced technologies and proactive defense mechanisms, you can protect your most critical assets against emerging threats and maintain operational resilience in the face of evolving cyber risks. Contact us to get started.
Reference
[1] CISA, “ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities”, Cybersecurity and Infrastructure Security Agency Emergency Directive, January 19, 2024.
[2] CISA, “Updated: New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways”, Cybersecurity and Infrastructure Security Agency Alert, February 15, 2024.
[3] Ivanti, “CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure Primary Product Connect-Secure”, Ivanti, February 14, 2024.
[4] Ivanti, “Security Update for Ivanti Connect Secure and Policy Secure”, Ivanti, April 3, 2024.
[5] Eduard Kovacs, “Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability”, SecurityWeek, April 23, 2024.
[6] Siemens ProductCERT, “SSA-750274: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 Devices Configured with Palo Alto Networks Virtual NGFW”, Siemens, April 19, 2024.
[7] Volexity Threat Research, “Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)”, Volexity, April 12, 2024.
[8] Palo Alto Networks Security Advisories, “CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect”, Palo Alto Networks, April 12, 2024.
[9] Cisco Talos, “ArcaneDoor: New Espionage-Focused Campaign Found Targeting Perimeter Network Devices”, Talos Intelligence, April 24, 2024.
[10] Canadian Centre for Cyber Security, “Cyber Activity Impacting Cisco ASA VPNs”, Government of Canada, April 24, 2024.
[11] Matt Lin, Robert Wallace, John Wolfram, Dimiter Andonov, Tyler McLellan, “Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation”, Mandiant, January 31, 2024.
[12] Matt Lin, Robert Wallace, Austin Larsen, Ryan Gandrud, Jacob Thompson, Ashley Pearson, Ashley Frazer, “Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts”, Mandiant, February 27, 2024.