Vulnerabilities | Apr 20, 2026

Network ‘background noise’ may predict the next big edge-device vulnerability

GreyNoise research shows network traffic spikes predict edge-device vulnerabilities 9 days early.

Summary

GreyNoise researchers found that spikes in reconnaissance traffic targeting specific vendors can predict vulnerability disclosures: roughly half of the detected activity surges were followed by a CVE from the same vendor within three weeks. The study identified 104 distinct traffic surges across 18 vendors (including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MikroTik, TP-Link, VMware, Juniper, F5, and Netgear) over 103 days, giving defenders a median nine-day advance warning before public disclosure. The research shows that attackers conduct pre-attack surveillance on edge devices such as routers, firewalls, and VPNs to test whether a vulnerability is exploitable before launching coordinated attacks.

Full text

Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations. Pre-attack surveillance and planning leave a lot of noise in their wake. These signals — particularly spikes in traffic hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release.

Roughly half of the activity surges GreyNoise detected during a 103-day study last winter were followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report. Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop. “Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.

GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur. The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said. “It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”

GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MikroTik, TP-Link, VMware, Juniper, F5, Netgear and others.

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor, and unique source IP counts show how widely new infrastructure is joining the activity, researchers wrote in the report. “When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said. “When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added.

The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.” This activity doesn’t happen in a vacuum, and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.

“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”
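The two-signal rule the report describes (a session-count spike against a vendor plus a simultaneous rise in new source IPs) can be turned into a simple per-vendor triage check. The Python below is an added example written for this page, not GreyNoise's code or data: the sensor records, vendor labels, IP addresses and the factor-of-three spike threshold are all constructed assumptions, and it only classifies a day's activity into the four outcomes the report distinguishes (both signals, sessions only, IPs only, neither).

```python
"""Classify per-vendor scan surges by intensity (sessions) and breadth (unique source IPs).

Added illustration of the two-signal heuristic described in the article. The records,
vendor tags, IP addresses and the factor-of-three threshold are constructed for this
example and are not taken from the GreyNoise report.
"""
from collections import defaultdict
from statistics import mean


def _build_sample():
    """Constructed sensor log: one (day, vendor_tag, source_ip) tuple per observed session."""
    records = []
    # Seven baseline days: each vendor tag sees 10 sessions a day from 5 recurring sources.
    for day in range(1, 8):
        for vendor in ("vendor-a", "vendor-b"):
            for i in range(10):
                records.append((day, vendor, f"198.51.100.{i % 5 + 1}"))
    # Day 8, vendor-a: 60 sessions from 30 distinct sources -> intensity and breadth both jump.
    for i in range(60):
        records.append((8, "vendor-a", f"203.0.113.{i % 30 + 1}"))
    # Day 8, vendor-b: 20 sessions from 20 distinct sources -> breadth jumps, intensity only doubles.
    for i in range(20):
        records.append((8, "vendor-b", f"192.0.2.{i + 1}"))
    return records


SAMPLE_RECORDS = _build_sample()


def daily_counts(records):
    """Aggregate raw session records into {vendor: {day: (session_count, unique_source_ips)}}."""
    sessions = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(lambda: defaultdict(set))
    for day, vendor, ip in records:
        sessions[vendor][day] += 1
        sources[vendor][day].add(ip)
    return {
        vendor: {day: (sessions[vendor][day], len(sources[vendor][day])) for day in sessions[vendor]}
        for vendor in sessions
    }


def classify_day(vendor_days, day, factor=3.0, min_baseline_days=3):
    """Compare one day against the mean of all earlier days for the same vendor.

    A metric "spikes" when it reaches `factor` times its baseline mean (an assumed
    threshold). Returns 'coordinated-escalation' only when sessions AND unique IPs
    spike together; an IP-only rise is reported separately so it is not over-weighted,
    matching the report's advice not to read a lone IP spike as an impending disclosure.
    """
    earlier = [vendor_days[d] for d in sorted(vendor_days) if d < day]
    if len(earlier) < min_baseline_days:
        return "insufficient-baseline"
    base_sessions = mean(s for s, _ in earlier)
    base_ips = mean(i for _, i in earlier)
    sessions, ips = vendor_days[day]
    session_spike = sessions >= factor * base_sessions
    ip_spike = ips >= factor * base_ips
    if session_spike and ip_spike:
        return "coordinated-escalation"
    if session_spike:
        return "session-spike-only"
    if ip_spike:
        return "ip-spike-only"
    return "baseline"


def triage(records, day, factor=3.0):
    """Classify every vendor that has activity on the given day."""
    counts = daily_counts(records)
    return {vendor: classify_day(days, day, factor) for vendor, days in counts.items() if day in days}


if __name__ == "__main__":
    for vendor, verdict in sorted(triage(SAMPLE_RECORDS, 8).items()):
        print(f"day 8 {vendor}: {verdict}")
```

Running it flags vendor-a as a coordinated escalation (both signals up sixfold) while vendor-b, whose session count only doubled, comes back as an IP-only spike. In practice the baseline window, the threshold and the vendor tagging would come from your own sensor data and fingerprinting rather than the constants assumed here.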

Entities

GreyNoise (vendor), Cisco (vendor), Palo Alto Networks (vendor), Fortinet (vendor), Ivanti (vendor), HPE (vendor)