The Rise of Security Manufacturer Cyber Attacks: How to Stay Safe
Cybercrime is a threat to businesses of all shapes and sizes. Whether it’s through malware, phishing, data theft, or a whole host of other nasties, falling victim to a cyber attack can be devastating to any organisation.
Yet with the business community becoming ever more cyber-aware, attackers are left with a particularly worrying ace up their sleeve: attacking the very technologies that are designed to keep companies safe.
From a criminal’s perspective, it makes total sense: why spend time fighting through a company’s security measures when you can render those measures null and void – or even recruit them to your nefarious ends?
All a criminal would need to do is find exploitable cracks in the security solutions that their target uses, and voila! Not only have they rendered their target more vulnerable, but they’ve rendered every other organisation who uses that security setup potentially vulnerable too. Surely a win-win from a career cyber criminal’s perspective!
This approach seems to have picked up considerable steam in recent years, so let’s investigate some of the more high-profile examples of this worrying trend…
Recent Attacks on Network Security Manufacturers
SonicWall SMA100 Zero-Day
On the 22nd January 2021, SonicWall revealed that a particularly pernicious zero-day vulnerability was being exploited in the wild and that all devices in the SMA 100 series were affected. This includes the SMA 200, SMA 210, SMA 400, SMA 410, and the SMA 500v devices.
We can’t help but think that the SMA 100 series was specifically targeted because it provides secure remote access for home and mobile workers. With many teams working remotely in January 2021 during the winter uptick in Covid-19 cases worldwide, the plan seems to have been hatched at an opportune time.
SonicWall acted openly and responsibly in our opinion – making SMA users aware of the issue as soon as it came to light, and giving clear interim advice to reduce the risk while a fix was engineered. Thankfully, a patch was released on the 3rd February 2021. A zero-day in a remote-access appliance is exactly the case where interim mitigations matter: until the patch lands, limiting who can reach the device’s management and VPN interfaces is the only control you have.
Sophos XG Firewall Injection Vulnerability
In April 2020, an attack exploiting an SQL injection vulnerability in Sophos XG Firewalls was found in the wild. It installed malware called Asnarok onto vulnerable firewalls in order to steal admin credentials and other sensitive management data from those firewalls.
Sophos were made aware of the incident after a customer noticed that something was amiss on their own Sophos device. Thankfully, the manufacturer sprang into action, investigating the incident and releasing a hotfix shortly after. It is worth noting what the malware was after: once an attacker holds the firewall’s own admin credentials, the device stops being a barrier and becomes a foothold.
SolarWinds Orion Attack
In December 2020, SolarWinds’ Orion network management and monitoring software was found to have fallen victim to a cyber attack double-whammy.
On the 13th December 2020, security experts FireEye announced that they had discovered an attack that effectively “trojanised” a legitimate, digitally signed Orion update in order to distribute a piece of malware called SUNBURST to every customer who installed it. FireEye warned that this activity could have been going on since spring that year. The attack is understood to have been targeted at US government networks in order to gain valuable intel. Due to the US governmental targets and the sophistication of the attack, many suspect the culprit to be a state actor.
But that’s not all – in analysing the fallout of the SUNBURST attack, security researchers found another piece of malware dubbed SUPERNOVA. Rather than being embedded within a poisoned Orion update, it is a standalone web shell, planted on the Orion server and disguised as a legitimate Orion component, which serves as a backdoor into the software. It is believed that this came from a different adversary than SUNBURST.
SolarWinds has since provided numerous updates to the Orion platform in order to combat these issues. The lesson for operators is that a signed update from a trusted vendor is not, by itself, proof that the update is clean; the signature only proves it came through the vendor’s build process.
Fortinet VPN Credentials Leak
Back in November 2020, a hacker published a list of almost 50,000 IP addresses of Fortinet SSL VPN devices that were vulnerable to a specific, already-patched flaw. Using this vulnerability against any of the IPs on the list, attackers could potentially steal VPN login credentials and use specially crafted HTTP requests to access sensitive data. Bleeping Computer reported that “out of the 50,000 domains, over four dozen belonged to reputable banking, finance, and governmental organizations.”
Just 5 days later, another hacker published an almost 7 gigabyte database containing VPN usernames and passwords relating to the same list of vulnerable Fortinet IPs.
Fortinet have advised immediate firmware updates, enabling SSL-VPN validation, and setting up multi-factor authentication on their devices in order to mitigate the risk. One caveat a practitioner should bear in mind: a firmware update closes the hole, but it does not revoke passwords that were already copied out of the device. Credentials that appear in a dump like this should be treated as compromised and reset, and MFA is what limits the damage if they are reused before that happens.
My Manufacturer Was Attacked, Should I Jump Ship?
No, not necessarily. The companies who build these security solutions are experts in thinking of most eventualities, but even with the finest minds in the biz, they can’t possibly think of everything. Despite their best efforts, there are bound to be small cracks here and there. This is normal. What matters is whether those cracks are harmless, or are found and closed before any damage is done.
Just because a manufacturer has suffered a breach, that doesn’t mean that they’re bad at their job. Security manufacturers know that criminals have them in their sights, and incidents like these are just something that comes with the territory. A fairer yardstick is how quickly they disclose, how clear their mitigation advice is, and how long the patch takes to arrive.
Besides, if you are familiar with a given manufacturer’s firewall interface or antivirus software, there’s a lot to be said for sticking with what you know. New tools often come with a steep learning curve – and being unfamiliar with their particular foibles could leave you at risk. Just look at the Sophos example above; the issue was flagged by an eagle-eyed customer who noticed that something was amiss.
However, that doesn’t mean you should put up with manufacturers who continually suffer breaches, or indeed those who handle situations like these poorly. If any of your security providers ever try to cover up an incident or downplay a serious situation, then you’re probably better off spending your money elsewhere!
How To Keep Your Network Safe From Manufacturer Vulnerabilities
- Firstly, remember that all security suppliers are coming under fire from a number of different groups, using attacks of varying levels of sophistication. It pays to keep an eye out for murmurings online about security issues that may affect you and your network hardware – tools like Google Alerts can help you monitor the airwaves, and your manufacturers’ own security advisory pages are the authoritative source once a rumour firms up. You can only match an advisory against your estate if you know what you run, so keep an up-to-date inventory of every security appliance, including its model and firmware version.
- Make it a habit to check in with your firewall, antivirus, and other cyber protection tools every day, applying updates and patches as and when you’re prompted to do so. If your vendor or manufacturer requests that you take urgent action for whatever reason, then do so without delay.
- Keep robust contingency plans in place that cover all possible ways you could be affected by cybercrime, including a plan of action for when your security measures themselves become compromised: who can take a firewall off the internet, how you reset its credentials, and what you do for remote workers while the VPN is down. Always have a plan B ready!
- If one of your security manufacturers does suffer a breach, take a deep breath and respond calmly. Keep your ear to the ground for any instructions they give, and check in for new updates regularly. It’s in manufacturers’ best interests to respond quickly and openly. If you hear rumours of a potential vulnerability, reach out to your vendor or manufacturer directly for advice.
- Using a single manufacturer for all of your security estate is great from a compatibility point of view, as it’s likely that all of the solutions will “play nice” with each other. However, it does leave you with all of your eggs in one basket. If your manufacturer does suffer a breach, then you could potentially be worse off than other victims who use a mixture of solutions. Depending on your organisation’s size and needs, we generally recommend spreading your security stack across two or more different manufacturers for this reason. Bear in mind that this doubles the number of advisory feeds, update schedules and admin interfaces your team has to keep on top of, so only spread as far as you can realistically maintain.
- Despite these attacks, the most important day-to-day security countermeasures are all simple ones: investing in regular cyber awareness training; keeping on top of security updates and maintenance; and investing in up-to-date security solutions.
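The first, second and fifth points above come down to one routine check: compare the firmware on every appliance you run against the fixed versions your manufacturers publish, and notice when too much of your estate sits with one vendor. The script below, added here as an illustration and not code from this article or from any manufacturer, does exactly that offline. The vendor names, hostnames, version numbers and advisory identifiers are all constructed for the example, and the simple advisory layout (vendor, product, first fixed version, requested action) is an assumption rather than any real vendor’s or CERT’s feed format.

```python
"""Check an appliance inventory against a list of vendor advisories.

Added example, not code from the article or from any vendor. Every vendor,
product, hostname, version and advisory ID below is constructed for
illustration; the advisory layout is an assumed format, not a real feed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Appliance:
    hostname: str
    vendor: str
    product: str
    firmware: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE or vendor ID
    vendor: str
    product: str
    fixed_in: str      # first firmware version that contains the fix
    action: str        # what the vendor asked operators to do


def version_key(version: str) -> tuple:
    """Turn a firmware string such as '10.2.1.1-24sv' into (10, 2, 1, 1).

    Each dotted component is read up to its first non-digit, so build tags
    and suffixes are ignored rather than breaking the comparison.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(firmware: str, fixed_in: str) -> bool:
    """True when the running firmware predates the first fixed release.

    Shorter tuples are zero-padded so '10.2' compares as '10.2.0.0'.
    """
    a, b = version_key(firmware), version_key(fixed_in)
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a < b


def find_exposed(inventory, advisories):
    """Return (appliance, advisory) pairs where the fix is not yet applied."""
    hits = []
    for adv in advisories:
        for box in inventory:
            same_product = (box.vendor.lower() == adv.vendor.lower()
                            and box.product.lower() == adv.product.lower())
            if same_product and is_vulnerable(box.firmware, adv.fixed_in):
                hits.append((box, adv))
    return hits


def vendor_concentration(inventory):
    """Appliances per vendor: the 'all eggs in one basket' measure."""
    counts = {}
    for box in inventory:
        counts[box.vendor] = counts.get(box.vendor, 0) + 1
    return counts


# Constructed inventory and advisories (fictitious vendors and versions).
INVENTORY = [
    Appliance("fw-hq-01", "AcmeGuard", "EdgeVPN 200", "9.1.3"),
    Appliance("fw-branch-02", "AcmeGuard", "EdgeVPN 200", "9.2.0"),
    Appliance("fw-dc-01", "Borealis", "PerimeterX", "4.7.1-b12"),
]
ADVISORIES = [
    Advisory("ADV-EX-0001", "AcmeGuard", "EdgeVPN 200", "9.2.0",
             "Update firmware, reset all VPN credentials, enable MFA"),
    Advisory("ADV-EX-0002", "Borealis", "PerimeterX", "4.8.0",
             "Apply hotfix and review admin accounts for unexpected changes"),
]


def report(inventory=INVENTORY, advisories=ADVISORIES):
    """Human-readable lines for the daily check-in described in the article."""
    lines = []
    for box, adv in find_exposed(inventory, advisories):
        lines.append(f"{box.hostname}: {box.product} {box.firmware} is below "
                     f"{adv.fixed_in} ({adv.advisory_id}) - {adv.action}")
    for vendor, n in vendor_concentration(inventory).items():
        lines.append(f"{vendor}: {n} of {len(inventory)} appliances")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as-is and it flags `fw-hq-01` and `fw-dc-01` as still exposed while `fw-branch-02`, already on the fixed release, stays quiet. In practice you would replace the constructed lists with your real inventory and the fixed versions copied from each manufacturer’s advisory, and run it whenever a new advisory appears.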
Stay Safe With Managed Firewall Services
We know first-hand that firewall maintenance can be a lot to deal with in-house. Monitoring network usage, dealing with urgent alerts, and maintaining optimal performance can feel like a mammoth task if you’re a small team or you have no internal IT staff.
If this struggle sounds familiar, then read on. With Just Firewalls’ Managed Firewall Service, you can keep your firewall in top shape without lifting a finger.
Our expert technicians completely take the day-to-day grind of firewall management off your hands, with proactive alert and anomaly monitoring; rule and policy maintenance; as well as proactive application of firmware updates and patches. We’ll even provide regular reports about network usage and the threats that your firewall has fought off!