Small Business, Mighty Attack Surface
By Douglas McKee · August 3, 2022
If given the chance to name the first five businesses that come to mind, what would they be? If you're close to the security industry, you might suggest names like Microsoft, Apple or Google. Your mind might drift to giants such as Disney, Coca-Cola, Amazon or Walmart. But if we consider what is top of mind for threat actors, would the list be the same? In 2020 the U.S. Small Business Administration reported that there are 6 million small businesses with fewer than 500 employees, in contrast to around 20K large businesses. Small businesses accounted for over 10 million new jobs in the last decade, compared to around 5 million for large businesses. While we may forget about this massive attack surface, our adversaries have not.
According to RiskRecon, during 2020 and 2021 data breaches at small businesses globally jumped 152%, while during the same period breaches at larger organizations rose 75%. Just as a contractor wouldn't use the same tools, techniques and tactics to dig a post hole as they would for a swimming pool, malicious actors adjust what they target to ensure they effectively compromise the vast landscape of small business.
Recently CISA released an advisory about People's Republic of China (PRC) state-sponsored exploitation of network devices typically used in Small Office and Home Office (SOHO) settings. Included in that list is CVE-2020-8515, a vulnerability in a DrayTek small business router. At Trellix, our vulnerability research team is constantly working to anticipate the high value targets of well-known threat actors going after the enterprise sector. Today, we released brand new research disclosing a new zero-day vulnerability, CVE-2022-32548, a pre-authentication flaw that allows complete control of the Vigor 3910, DrayTek's latest small business router.
Why does yet another vulnerability in a SOHO router matter? Because in 2019, the 360Netlab Threat Detection System observed two different attack groups using two zero-day vulnerabilities targeting various DrayTek Vigor enterprise routers. Because in March 2022, Barracuda reported that small businesses are three times more likely to be targeted by cybercriminals than larger companies. Because just last month the ZuoRAT malware was observed infecting SOHO routers from numerous manufacturers, including ASUS, Cisco, DrayTek and NETGEAR. In short, it matters because major threat actors like the PRC are dictating that it matters.
Edge devices themselves, such as routers and firewalls, are rather uninteresting; what makes them attractive is that they are the gateway protecting the soft underbelly of a company. Once compromised, they become an open doorway into the rest of the network, which is what entices an adversary to perform the same level of research our team performs. A compromised edge device can lead to intellectual property theft, loss of sensitive customer or employee data, access to camera feeds, a simpler path to deploying ransomware and, in some cases, a foothold in a network for years to come.
When talking specifically about small business, Chad Paalman, the CEO of NuWave Technology Partners, indicated, "They [small business leaders] assume that if they have a firewall, then they have a padlock on the door and no one can get in. They also assume that if their security has been outsourced to a managed service provider (MSP), log monitoring is happening, or the service includes intrusion detection." This mindset is dangerous to small businesses. It is imperative to understand that you are a target no matter the size or type of your business. Data continues to demonstrate that this space is not only a target but often a more likely one. It is critical for SOHO and SMB users to understand their networks, stay up to date on all vendor patches and immediately report breaches to law enforcement. Additionally, third-party security auditing, like the DrayTek research we released today, further strengthens the entire industry. We would like to compliment DrayTek on its response to and support of our research, which clearly demonstrates a security-first mindset and a desire to help protect the SOHO market.
This document and the information contained herein describe computer security research for educational purposes only and for the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy. Any attempt to recreate part or all of the activities described is solely at the user's risk, and neither Trellix nor its affiliates will bear any responsibility or liability.