Storm warning on network endpoints

At the end of May, on the occasion of the publication of the FortiGuard Labs report on cyber threats in the second half of 2023, Fortinet warned: cybercriminals were able to exploit new vulnerabilities 43% faster than in the first half of last year.

Specifically, according to this report, “attacks begin an average of 4.76 days after new exploits are publicly disclosed.”

The number of critical-severity vulnerabilities disclosed in 2023 is not insignificant either: no fewer than 4,646, representing 16.1% of the total.

Above all, some of these vulnerabilities were a treat for cybercriminals: they affected network edge devices, in particular SSL VPN appliances, which are potentially privileged entry points into information systems.

In late 2019, Travelex had the bitter experience of being hit by a ransomware attack that began with the exploitation of the CVE-2019-11510 vulnerability. And it was far from the last victim of the exploitation of comparable vulnerabilities affecting network edge equipment.

The French National Agency for the Security of Information Systems (ANSSI) has just published, via CERT-FR, an inventory of these vulnerabilities covering one year, starting June 1, 2023:

On this occasion, ANSSI explains that “2023 and the beginning of 2024 were marked by numerous incidents related to exposed security equipment, especially at the network edge. These incidents stem from the exploitation of one or more critical vulnerabilities in firewalls, VPN gateways or filtering gateways in the broad sense.”

The exercise is not arbitrary and is justified by the reality of the threat: “taking into account the impacts that the exploitation of these vulnerabilities has had, CERT-FR offers feedback on the management of these vulnerabilities and related incidents”.

ANSSI is far from alone in this approach. The Netherlands' National Cyber Security Centre (NCSC) recently revealed a Chinese state-backed cyberespionage campaign targeting FortiGate systems affected by the CVE-2022-42475 vulnerability. Exploiting it while it was not yet publicly disclosed, this campaign compromised at least 20,000 systems worldwide, including government, international and defense organizations. The NCSC stresses the importance of securing network endpoints (the edge) and of adopting an “assume breach” posture to mitigate these threats. In other words: consider that a compromise may already have occurred, and don't just apply patches once they are available.

For its part, the Norwegian NCSC doesn't beat around the bush: since mid-May, it has recommended purely and simply abandoning SSL VPN and WebVPN in favor of IPsec VPN with IKEv2 by the end of 2025. The reason is simple: “the severity of the vulnerabilities (known to date, editor's note) and the recurring exploitation of this type of vulnerability”.

In the meantime, Norway's NCSC recommends the following mitigating measures: “ensure that the VPN solution sends logs to a centralized system, facilitating rapid detection and tracking of suspicious activity,” but also “only allow inbound traffic from the required countries (geofencing)” and finally “block access from insecure infrastructure such as anonymization services (VPN providers and Tor exit nodes) and VPS providers”.
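As an added illustration of the geofencing and blocked-infrastructure recommendations above (this code is not from the article or from any NCSC publication), here is a small Python check run over constructed VPN authentication log lines, flagging logins from countries outside an allow-list or from address ranges on a blocklist. The log format, the allowed country, and the blocklist ranges (RFC 5737 documentation addresses standing in for a real anonymization/VPS list) are all assumptions.

```python
import ipaddress
import re

# Constructed sample VPN authentication log lines (not real data).
SAMPLE_LOGS = [
    "ts=2024-06-03T08:12:01Z user=alice src=203.0.113.45 country=NO result=success",
    "ts=2024-06-03T08:15:44Z user=bob src=198.51.100.7 country=DE result=success",
    "ts=2024-06-03T08:16:10Z user=carol src=192.0.2.200 country=NO result=success",
    "ts=2024-06-03T08:20:33Z user=admin src=203.0.113.99 country=NO result=failure",
]

# Geofencing: countries from which inbound VPN traffic is expected (assumption).
ALLOWED_COUNTRIES = {"NO"}

# Placeholder range standing in for a curated list of anonymization services
# (commercial VPN exits, Tor exit nodes) and VPS providers. A real deployment
# would feed this from a maintained threat-intelligence source.
BLOCKED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)"
)


def parse(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def evaluate(event):
    """Return the list of rules the event violates (empty when it is clean)."""
    reasons = []
    if event["country"] not in ALLOWED_COUNTRIES:
        reasons.append(f"geofence: {event['country']} not allowed")
    try:
        src = ipaddress.ip_address(event["src"])
    except ValueError:
        return reasons + [f"invalid source address: {event['src']}"]
    if any(src in net for net in BLOCKED_RANGES):
        reasons.append(f"blocked infrastructure: {src}")
    return reasons


def alerts(lines):
    """Return (user, reasons) for every line that triggers at least one rule."""
    out = []
    for line in lines:
        event = parse(line)
        if event is None:
            out.append(("<unparsed>", ["unparseable log line"]))
        elif reasons := evaluate(event):
            out.append((event["user"], reasons))
    return out
```

Running `alerts(SAMPLE_LOGS)` flags bob's login from outside the allowed country and carol's login from the blocked range, while alice's and admin's lines pass both rules.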
