Edge services are extremely attractive targets to attackers

The cyber threat landscape in 2023 and 2024 has been dominated by mass exploitation, according to WithSecure.

Edge service KEV vulnerability trends

64% of all edge service and infrastructure Common Vulnerabilities and Exposures (CVEs) in the Known Exploited Vulnerability Catalogue (KEV) exist above the 97.5th percentile of EPSS scores (a metric that scores CVEs based on the likelihood of exploitation). Only 23% of all other CVEs in the KEV are above the 97.5th percentile.

Furthermore, edge service and infrastructure CVEs added to the KEV in the last two years are, on average, 11% higher in severity than other CVEs.

The number of edge service and infrastructure CVEs added to the KEV per month in 2024 is 22% higher than in 2023, while the number of other CVEs added to the KEV per month has dropped 56% compared to 2023.

Several recent reports indicate that mass exploitation may have overtaken botnets as the primary vector for ransomware incidents.

There has been a rapid tempo of security incidents caused by the mass exploitation of vulnerable software such as MOVEit, CitrixBleed, Cisco XE, Fortiguard’s FortiOS, Ivanti ConnectSecure, Palo Alto’s PAN-OS, Juniper’s Junos, and ConnectWise ScreenConnect.

Edge services are extremely attractive targets to attackers. They are exposed to the Internet and are intended to provide critical services to remote users, so they can be abused by remote attackers.

Infrastructure devices are attractive targets to attackers

Similarly, infrastructure devices are attractive to attackers because they are black boxes which are not easily examined or monitored by network administrators, and they do not have EDR software installed. It is difficult for network administrators to verify they are secure, and they often must take it on trust. Certain types of these devices also provide edge services and so are Internet accessible.

“There is just one thing that is required for a mass exploitation incident to occur, and that is a vulnerable edge service, a piece of software that is accessible from the Internet,” said Stephen Robinson, Senior Threat Analyst at WithSecure Intelligence.

“What many exploited edge services have in common is that they are infrastructure devices, such as firewalls, VPN gateways, or email gateways, which are commonly locked down black box like devices. Devices such as these are often intended to make a network more secure, yet time and again vulnerabilities have been discovered in such devices and exploited by attackers, providing a perfect foothold in a target network,” added Robinson.

Research finds that mass exploitation is the new primary observed attack vector for ransomware and nation-state espionage attackers. Also, the capability and expertise needed to exploit zero and one-day vulnerabilities is more attainable for financially motivated cybercriminals than ever before.

“It is likely that mass exploitation is becoming the primary attack vector either because there are so many vulnerable edge services, or attackers and defenders are now more aware of vulnerable edge services due to the prevalence of mass exploitation,” Robinson concludes.