Attackers hit security device defects hard in 2024
Attackers are having a field day with software defects in security devices, according to a new report released Wednesday by Mandiant.
Exploits were the most common initial infection vector, representing 1 of every 3 attacks in 2024, and the four most frequently exploited vulnerabilities were all contained in edge devices, such as VPNs, firewalls and routers, Mandiant said in its M-Trends report released Wednesday.
“Exploitation of these vulnerabilities represented slightly less than half of all observed vulnerability exploitation,” said Kirstie Failey, principal threat analyst at Google Threat Intelligence Group, under which the Mandiant brand operates.
Threat researchers and federal cyber authorities have been sounding the alarm about attacks targeting network edge devices for more than a year. Since 2024, security device exploits have resulted in attacks on government agencies and some of the most valuable publicly traded companies in the world.
These lightweight devices and services are designed to improve defenses and prevent intrusions. Yet, because they don’t typically support third-party software, including endpoint detection and response capabilities, organizations are often caught off guard when attackers gain access to their networks through a highly privileged system.
“Three of the four vulnerabilities were first exploited as zero-days,” Mandiant said in the report. “While a broad selection of threat actors have recently targeted edge devices, Mandiant also specifically noted an increase in targeting from Russian and Chinese cyber espionage actors.”
A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS, CVE-2024-3400, was the most frequently exploited defect across all of Mandiant’s incident response engagements last year. Mandiant said it observed one threat group exploit it as a zero-day, but malicious activity from other actors escalated quickly thereafter.
Mandiant observed over a dozen threat groups exploiting the vulnerability within two weeks after Palo Alto Networks disclosed the CVE and published proof-of-concept exploit code in April 2024. Among these was a Ransomhub affiliate, which used the vulnerability — rated a 10 on the CVSS scale — to gain initial access to organizations’ systems and launch a multifaceted extortion campaign.
The next most frequently exploited vulnerabilities in 2024 belong to a pair of defects — CVE-2023-46805 and CVE-2024-21887 — affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances, according to Mandiant. Ivanti disclosed the vulnerabilities in January, a month after UNC5221, a suspected China state-sponsored espionage group, exploited them in the wild as zero-days.
Attackers achieved unauthenticated arbitrary command execution on systems by chaining the vulnerabilities together, Mandiant said in the report.
By mid-January 2024, Mandiant observed UNC5135, a group with suspected links to Volt Typhoon, scanning Ivanti Connect Secure appliances, but did not observe successful exploitation. By April 2024, eight distinct clusters, including five suspected Chinese espionage groups, had exploited one or more of the Ivanti vulnerabilities, including a third defect tracked as CVE-2024-21893.
An SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server, CVE-2023-48788, was the fourth-most frequently exploited vulnerability across all of Mandiant’s incident response engagements last year.
A financially motivated threat group exploited the vulnerability within two weeks of Fortinet’s disclosure in March 2024. Late in the year, in October and November, another financially motivated threat group tracked as FIN8 exploited the vulnerability to deploy ransomware and steal data.
“Mandiant observed dozens of organizations impacted by exploitation of these vulnerabilities, and our observations are almost certainly only a small fraction of the total number of organizations affected by this activity,” said Kelli Vanderlee, senior manager at Google Threat Intelligence Group. “These campaigns affected organizations across at least 13 industries, located in four different continents.”
Ransomware accounted for 21% of all Mandiant incident response activities last year. These ransomware-related attacks affected organizations in healthcare, local government, energy, technology, education and finance across the Americas, Europe, the Middle East, Asia Pacific and Japan, researchers said in the report.
Brute-force attacks, including password spraying, VPN compromise via default credentials and high-volume Remote Desktop Protocol (RDP) login attempts, were the most common initial access vector for ransomware attacks last year. Mandiant linked 26% of ransomware attacks to brute-force methods, 21% to stolen credentials, another 21% to exploits, 15% to prior compromise and 10% to third-party compromise.
Mandiant noted that potential deficiencies in enterprise logging and detection capabilities likely contributed to a considerable blind spot with respect to initial access vectors. The incident response firm was unable to determine an initial access vector for 34% of all intrusions.
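The two findings above, that brute-force methods such as password spraying led ransomware initial access and that logging gaps left a third of initial access vectors unknown, both come down to whether VPN and RDP authentication failures are collected and analysed. The following is an added example, not code from Mandiant or the report, that separates password spraying (many accounts, few attempts each from one source) from classic brute force (many attempts on one account) over a constructed VPN auth log; the log format, thresholds and IP addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample VPN auth log (made up for this example, not from the report).
SAMPLE_LOG = """\
2024-03-01T10:00:01 vpn1 auth: FAILED user=alice src=203.0.113.7
2024-03-01T10:00:03 vpn1 auth: FAILED user=bob src=203.0.113.7
2024-03-01T10:00:05 vpn1 auth: FAILED user=carol src=203.0.113.7
2024-03-01T10:00:07 vpn1 auth: FAILED user=dave src=203.0.113.7
2024-03-01T10:00:09 vpn1 auth: FAILED user=erin src=203.0.113.7
2024-03-01T10:01:00 vpn1 auth: FAILED user=admin src=198.51.100.9
2024-03-01T10:01:01 vpn1 auth: FAILED user=admin src=198.51.100.9
2024-03-01T10:01:02 vpn1 auth: FAILED user=admin src=198.51.100.9
2024-03-01T10:01:03 vpn1 auth: FAILED user=admin src=198.51.100.9
2024-03-01T10:01:04 vpn1 auth: FAILED user=admin src=198.51.100.9
2024-03-01T10:05:00 vpn1 auth: FAILED user=gina src=192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+) \S+ auth: (FAILED|OK) user=(\S+) src=(\S+)$")

def parse_events(text):
    """Return (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out

def classify_sources(events, window=timedelta(minutes=10),
                     spray_users=5, spray_max_per_user=2, brute_attempts=5):
    """Map src -> 'spray' (many accounts, few tries each) or 'brute' (many tries, one account)."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAILED":
            failures[src].append((ts, user))
    verdicts = {}
    for src, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Count failures per account inside the sliding window that starts at event i.
            per_user = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            worst = max(per_user.values())
            if len(per_user) >= spray_users and worst <= spray_max_per_user:
                verdicts[src] = "spray"
            elif worst >= brute_attempts:
                verdicts[src] = "brute"
            if src in verdicts:
                break
    return verdicts
```

A single failure from a source (the last sample line) produces no verdict, so the thresholds rather than any one failed login drive the alert.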
Mandiant said its annual M-Trends report is based on 450,000 hours of incident response engagements throughout 2024.