Forescout reports network infrastructure under siege, as ransomware continues to be ‘most lucrative and active’

New Forescout Vedere Labs data identified that network infrastructure has become a favorite target for initial access and traffic proxying. Several Russian and especially Chinese state-sponsored actors have been focusing on exploiting vulnerabilities on and developing custom malware for routers and VPN devices, while cybercriminals are leveraging routers and other compromised devices for residential proxies. It also observed that NAS devices often host malware other than traditional DDoS botnets, while building automation devices are becoming increasingly easy targets. 

In its latest threat briefing report, titled ‘2023H1 Threat Review Vulnerabilities, Threat Actors and Malware,’ Forescout said it looks back at the most relevant cybersecurity events and data between January 1 and July 31, 2023 (2023H1) to emphasize the evolution of the threat landscape. It highlights the activities and data that it witnessed during this period to confirm trends that it has been observing in recent reports, including threats to unmanaged devices that are less often studied.

Ransomware victims were located in more than 100 countries, but almost half (48 percent) were in the U.S., followed by several European countries (26 percent in total), Daniel dos Santos, head of security research at Forescout, wrote in the report. “The other roughly 25% are spread across the world. The services industry was the top target, with 16% of attacks, followed by manufacturing (13%) and technology (11%). Other top targets include healthcare, retail, financial services, and education.”

He also pointed out that state-sponsored actors have been busy with growing geopolitical tensions. “They are showing a preference for network infrastructure devices such as routers, firewalls, and VPN appliances to carry out initial access and espionage operations. State-sponsored ransomware operations also continue to be active.” 

dos Santos said that “hacktivist groups continue operating with many of the same methods we reported as growing in 2022: geopolitical motivations, communication over X (formerly known as Twitter) or Telegram channels, and a split between DDoS-focused groups and those intending to cause physical damage by leveraging unmanaged devices, such as IoT and OT (operational technology).”

“Ransomware continues to be among the most lucrative and active cybercriminal activities,” according to dos Santos. “In 2023H1, Forescout Vedere Labs reported on the activities of emerging ransomware groups such as Royal, discussed popular ransomware targets such as virtualization servers, and analyzed vulnerabilities being massively exploited by these groups, such as CVE-2023-34362, used by Cl0p to breach into hundreds of organizations, exfiltrate sensitive data and publish it.” 

Finally, “we analyzed the most common TTPs of ransomware groups and how these groups tend to follow similar patterns while allowing for evolution, such as an increased use of vulnerability exploitation for initial access, including 0-days,” he added.

“Overall, 2023H1 continued the trend of threat actors exploiting an increasingly diverse attack surface,” Forescout Vedere Labs wrote in a Wednesday blog post. “Notably, we saw more evidence of the type of ‘cross-device’ attacks we first demonstrated with R4IoT and then observed with botnets such as Chaos. Some threat actors are now routinely mixing traditional endpoints with unmanaged devices such as VPN appliances, routers, network attached storage (NAS), and building automation devices as part of their attack campaigns.”

Forescout disclosed that during the first six months of 2023, 16,556 new vulnerabilities were published, an average of 78 new CVEs per day or 2,365 per month. That is 2,220 more than in the same period last year, an increase of 15 percent. Of the new vulnerabilities, 17 percent had a critical score. 113 CVEs were added to CISA’s KEV catalog, which brought the catalog to a total of 981 vulnerabilities (a 13 percent increase). An average of 16 new vulnerabilities were added per month. Most of these newly exploited vulnerabilities (52 percent) were not published in 2023. There was a vulnerability added from 2004 and four vulnerabilities added that affect end-of-life products.

“Although most new vulnerabilities in the KEV affect traditional IT software, such as Microsoft Windows, Office, and Exchange, 13 CVEs (11%) affect network infrastructure devices such as routers, firewalls, and gateways,” the report identified. “The latter includes CVE-2023-27997 which impacts Fortinet VPN devices and was added to the KEV in June. That vulnerability alone is expected to affect more than 300,000 exposed devices worldwide.”

It added that this is representative of an ongoing wave of exploitation of network infrastructure devices. “CISA also released an advisory in August listing the most exploited vulnerabilities in 2022. The advisory shows that CVE-2018-13379, also affecting Fortinet VPN devices, continues to be exploited consistently since at least 2020.”

The report also covered 182 updates about threat actors. “These are mostly cybercriminals (51%), including ransomware groups, followed by state-sponsored actors (39%) and hacktivists (8%). These actors come mostly from Russia (25%), China (16%), and Iran (13%).”

It added that 150 countries are being targeted by these threat actors. The top targets were the U.S. (67 percent of actors), the U.K. (35 percent), and Germany (32 percent). The top targeted industries were government (53 percent of actors), financial services (49 percent) and technology (43 percent). Additionally, it revealed 2,809 ransomware attacks, up from 2,526 in the same period last year (an increase of 11 percent). That is an average of 401 attacks per month or 13 per day.

The Forescout post detailed that Mirai botnet variants in 2023H1 have been exploiting a new vulnerability on an access control device that was already a target in the past, as well as vulnerabilities on devices used to monitor solar power generation in small facilities.

It added that Schneider Electric published an advisory in April about publicly available exploits targeting vulnerabilities from 2020 and 2022 in their KNX devices and linking back to a previous advisory about attacks on these systems. “Later, CISA declared all devices using certain configurations of the popular KNX protocol to be vulnerable, while more than 12,000 of those devices are exposed online.”

The Forescout researchers added that there were at least 25 CISA vulnerability advisories in the period related to devices used in building automation functions such as access control and power management. “Looking into Shadowserver statistics, we see 13 vulnerabilities on building automation devices from nine vendors that are being exploited, while none of them is yet present on CISA’s Known Exploited Vulnerabilities (KEV) catalog,” they added.

Forescout highlighted that network infrastructure has become a favorite target for initial access and traffic proxying. 

“Several Russian and especially Chinese state-sponsored actors have been focusing on exploiting vulnerabilities on and developing custom malware for routers and VPN devices, while cybercriminals are leveraging routers and other compromised devices for residential proxies. Increased activity targeting network infrastructure led CISA to issue a specific operational directive about reducing the risks from these devices in June,” the post added.

The post also outlined that NAS devices often host malware other than traditional DDoS botnets.

“In a report in July, we showed how NAS had recently become the riskiest IoT device on organizations’ networks, partly because of targeted ransomware campaigns that compromised thousands of devices and partly because of how often they are exposed online,” the researchers pointed out. “In 2023H1, we also saw new vulnerabilities being exploited (such as CVE-2023-27992), vulnerabilities ranking among the top exploited (such as CVE-2022-27593), and advanced malware such as Raspberry Robin, which targets traditional IT, being distributed via compromised NAS on the internet.”

The Forescout researchers pointed out that the ransomware landscape never stops changing. “Although ransomware has probably been the most prominent threat for at least the last five years, groups continue to morph, appearing and disappearing quickly, sometimes being used to disguise state-sponsored activities. In 2023H1 we saw new families distributing ransomware packaged with infostealers, hacktivists using custom ransomware on OT devices, and established families experimenting with ransomware on embedded devices,” they added.

“Some well-known ransomware gangs remain very active even after one year, such as LockBit, Cl0p, and ALPHV, but other groups that were relevant last year have disappeared, such as Conti and Hive, due to internal conflicts, law enforcement takedowns or by rebranding to stay under the radar,” the post added. “Entirely new groups now also figure among the most active, such as Malas and 8Base. Overall, the ransomware landscape is more fragmented this year with 53 groups reporting attacks, 36% more than the 39 groups in the same period last year.”

Another interesting detail that the Forescout post brought out was that most vulnerabilities added to the CISA KEV catalog are from before 2023. “Although new vulnerabilities are dangerous because usually there hasn’t been enough time to patch, organizations tend to dismiss older vulnerabilities, believing that they present lower risk. The KEV catalog includes evidence of older vulnerabilities being exploited not only on IT software but also on building automation devices. Some of the exploited vulnerabilities in Table 1 are more than five years old,” it added.
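The KEV statistics quoted above (113 additions in the period, 52 percent of them carrying a pre-2023 CVE year, one entry dating back to 2004) are the kind of figure a defender can reproduce against CISA's own JSON feed. The script below is an added example, not Forescout's or CISA's code: it reads the feed's `vulnerabilities` array (real field names `cveID`, `vendorProject`, `product`, `dateAdded`), filters additions to a date window and reports how many predate the window year. The embedded catalog is a constructed sample with placeholder CVE ids, not real entries.

```python
import json
import re
from datetime import date

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed sample shaped like the KEV feed's "vulnerabilities" array
# (real field names; the CVE ids, vendors and products are placeholders).
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-11111", "vendorProject": "VendorA", "product": "VPN Appliance", "dateAdded": "2023-06-13"},
    {"cveID": "CVE-2023-22222", "vendorProject": "VendorB", "product": "Mail Server", "dateAdded": "2023-03-07"},
    {"cveID": "CVE-2022-33333", "vendorProject": "VendorC", "product": "NAS Firmware", "dateAdded": "2023-02-01"},
    {"cveID": "CVE-2004-44444", "vendorProject": "VendorD", "product": "Building Controller", "dateAdded": "2023-05-19"},
    {"cveID": "CVE-2022-55555", "vendorProject": "VendorE", "product": "Router", "dateAdded": "2022-12-30"},
]})


def cve_year(cve_id):
    """Year component of a CVE id, or None if the id is malformed."""
    m = CVE_RE.match(cve_id)
    return int(m.group(1)) if m else None


def kev_additions_in_window(kev_json, start_iso, end_iso):
    """Entries whose dateAdded falls within [start_iso, end_iso] inclusive."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    catalog = json.loads(kev_json)
    return [v for v in catalog["vulnerabilities"]
            if start <= date.fromisoformat(v["dateAdded"]) <= end]


def age_summary(entries, window_year):
    """Count additions whose CVE year is older than the window year."""
    years = {v["cveID"]: cve_year(v["cveID"]) for v in entries}
    older = [v for v in entries if years[v["cveID"]] is not None and years[v["cveID"]] < window_year]
    total = len(entries)
    known = [y for y in years.values() if y is not None]
    return {
        "total": total,
        "older": len(older),
        "older_pct": round(100.0 * len(older) / total, 1) if total else 0.0,
        "oldest_year": min(known) if known else None,
        "older_ids": sorted(v["cveID"] for v in older),
    }


if __name__ == "__main__":
    # Same window the report uses for 2023H1 (January 1 to July 31, 2023).
    h1 = kev_additions_in_window(SAMPLE_KEV_JSON, "2023-01-01", "2023-07-31")
    print(age_summary(h1, 2023))
```

To run it against the live catalog, replace `SAMPLE_KEV_JSON` with the downloaded feed text; the `older_ids` list is the starting point for checking whether those older CVEs are still unpatched in your own inventory.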

Additionally, “attackers are increasingly using open-source tools as part of their infrastructure. The trend to commoditize attack tools continues strongly. Malicious actors now have a wide choice of open-source tools, developed as legitimate applications, that they can use in campaigns, from phishing attacks to command-and-control infrastructure,” the post added. 

Forescout has urged organizations to prioritize extending visibility, risk mitigation, and network segmentation to cover the increased attack surface being exploited. The researchers also said not to overlook older vulnerabilities and end-of-life systems, ensure that threat detection covers every device in the whole organization, follow the latest threat intelligence about ransomware and other actors, and hunt for threats using emerging tools.