Small Business, Mighty Attack Surface
By Douglas McKee · August 3, 2022
If given the chance to name the first five businesses that come to mind, what would they be? If you're close to the security industry you might suggest names like Microsoft, Apple or Google. Or your mind may drift to giants such as Disney, Coca-Cola, Amazon or Walmart. What if we consider what would be top of mind for threat actors? Would the list be the same? In 2020 the U.S. Small Business Administration reported that there are 6 million small businesses with fewer than 500 employees, in contrast to around 20K large businesses. Small businesses accounted for over 10 million new jobs in the last decade, compared to around 5 million for large businesses. While we may forget about this massive attack surface, our adversaries have not.
According to RiskRecon, during 2020 and 2021 data breaches at small businesses globally jumped 152%, while during the same period breaches at larger organizations rose 75%. Just as a contractor wouldn't use the same tools, techniques and tactics to dig a post hole as they would for a swimming pool, malicious actors adjust what they target to ensure they effectively compromise the vast landscape of small business.
Recently CISA released an advisory about People's Republic of China (PRC) state-sponsored exploitation of network devices typically used in Small Office and Home Office (SOHO) settings. Included in this list is CVE-2020-8515, which affects a DrayTek small business router. At Trellix, our vulnerability research team is constantly working to anticipate high value targets for well-known threat actors going after the enterprise sector. Today, we released brand new research disclosing a new zero-day vulnerability, CVE-2022-32548, a pre-authentication vulnerability that allows complete control of the Vigor 3910, DrayTek's latest small business router.
Why does yet another vulnerability in a SOHO router matter? Because in 2019, the 360Netlab Threat Detection System observed two different attack groups using two zero-day vulnerabilities targeting various DrayTek Vigor enterprise routers. Because in March of 2022, Barracuda reported that small businesses are three times more likely to be targeted by cybercriminals than larger companies. Because just last month the ZuoRAT malware was observed infecting routers from numerous SOHO manufacturers, including ASUS, Cisco, DrayTek and NETGEAR. In short, it matters because major threat actors like the PRC are dictating that it matters.
Edge devices themselves, such as routers and firewalls, are rather uninteresting; however, these devices are the gateway that protects the soft underbelly of a company. Once compromised, the open doorway into the rest of the network is what entices the adversary to perform the same level of research our team performs. A compromised edge device can lead to intellectual property theft, loss of sensitive customer or employee data, access to camera feeds, a simpler path to deploying ransomware and, in some cases, a foothold in a network for years to come.
When talking specifically about small business, Chad Paalman, the CEO of NuWave Technology Partners, indicated, "They [small business leaders] assume that if they have a firewall, then they have a padlock on the door and no one can get in. They also assume that if their security has been outsourced to a managed service provider (MSP), log monitoring is happening, or the service includes intrusion detection." This mindset is dangerous to small businesses. It is imperative to understand that you are a target no matter the size or type of your business. Data continues to demonstrate that not only is this space a target but often a more likely target. It is critical for SOHO and SMB users to understand their networks, stay up to date on all vendor patches and immediately report breaches to law enforcement. Additionally, third-party security auditing like the DrayTek research we released today further strengthens the entire industry. We would like to compliment DrayTek on its response and support of our research, which clearly demonstrates a security-first mindset and a desire to help protect the SOHO market.