Executive Summary

From Q4 2023 and continuing into Q2 2024, threat actors have aggressively exploited zero-day vulnerabilities, leveraging them in initial access campaigns targeting edge network devices. These campaigns are assessed to be a means of circumventing a target network's intrusion detection systems, enabling lateral movement and malware deployment, and maintaining undetected persistent access for follow-on actions.

An edge device is any piece of hardware that controls data flow at the boundary between two networks. Accordingly, attackers have adapted their use of zero-day vulnerabilities to target edge network devices for Layer 2 attacks. Edge devices fulfill a variety of roles depending on their type and ultimately serve as network endpoints. Used by enterprises, service providers, and government or military organizations, examples of edge devices include VPN appliances, routers, and firewalls. Because of the advantages of cloud computing and the Internet of Things (IoT), edge devices have been deployed in increasing numbers and have simultaneously become a valuable target in cyberattacks.

The prevalence of vulnerabilities in edge devices provides multiple pathways for threat actors to pivot between networks and serves as a potential attack vector into operational environments. This is especially relevant to ground station architecture, where edge devices are a critical component of satellite command and control, as well as to Ground Station as a Service (GSaaS) offerings that leverage edge cloud services for customer data. Additionally, edge computing allows industrial control systems (ICS) to handle more data while maintaining performance and security. Given the advantages of IoT, critical infrastructure across all sectors depends on ICS for safe and efficient operation. However, these systems can also grant attackers the ability to evade security controls via remote network access.

Notable Exploits

Ivanti: On 10 January 2024, researchers uncovered an exploit targeting two vulnerabilities in Ivanti Connect Secure solutions, believed to have been in use since December 2023. Since the identification of the initial exploits, Ivanti has disclosed several additional vulnerabilities in the platform, many of which have been targeted in the wild. Additional research identified five threat groups that have developed post-exploitation techniques for Ivanti vulnerabilities. In total, research revealed eight distinct clusters of activity involved in the exploitation of Common Vulnerabilities and Exposures (CVEs) found in Ivanti products. Recently, sophisticated threat actors infiltrated a space-related research and development network by leveraging multiple vulnerabilities on an external-facing Ivanti appliance. These vulnerabilities allowed the alleged nation-state hackers to conduct reconnaissance, bypass multifactor authentication, and pivot throughout the network infrastructure.

Palo Alto Networks: On 10 April 2024, researchers at the security firm Volexity identified a vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS that had been exploited since early March 2024 by a threat cluster tracked as UTA0218. The CVE has a CVSS score of 10.0 and enables remote code execution. Since the initial exploit surfaced, Palo Alto Networks has released a series of hotfixes and mitigations for the flaw; however, current reporting indicates that exploitation attempts are still being observed. According to ICS reporting from CISA, attackers have targeted versions of Siemens RUGGEDCOM APE1808 devices that are configured with Palo Alto Next Gen Firewall (NGFW) products.

Cisco: On 24 April 2024, Cisco Talos identified exploitation of two vulnerabilities in Cisco Adaptive Security Appliances. Reporting indicates that nation-state actors exploited these vulnerabilities to conduct espionage against government entities in a campaign tracked as "ArcaneDoor." Researchers noted the trend of attacks targeting edge network devices over the last two years, underscoring the impact that such exploits can have on organizations.

Impact of Edge Device Vulnerabilities

In conclusion, the increasing trend of cyber campaigns exploiting zero-day vulnerabilities in edge devices underscores the critical need for enhanced security measures at the network edge. These vulnerabilities, often targeted for their potential to evade detection and enable persistent access, pose significant risks to critical infrastructure and operational technology across various sectors. As highlighted by recent exploits targeting prominent vendors and products, including Ivanti, Palo Alto Networks, and Cisco, threat actors continue to evolve their tactics to target widely deployed edge network technology. These tactics are especially relevant to ground stations, which further underscores the urgency of addressing these risks in the space sector. As defenders continue to navigate this challenge, staying up to date with patches and security advisories is crucial for mitigating these risks.