
We Don’t Just Patch – We Hack

If you have read any security advisories, technology news articles or even our very own Bug Report, you have continually been bombarded with the message to patch, patch, patch! Patching is critical to protecting our infrastructure and we will continue to push this mantra; however, to truly slow down and stop our adversaries we must be able to “hack,” or discover vulnerabilities, long before they do. This is the mission of the vulnerability team within the Trellix Advanced Research Center. Today we release research on vulnerabilities discovered in Cisco edge devices (and yes, you should patch!). This is the next entry in our series of research into edge devices, and we’ve found bugs affecting users at all levels – consumer, small business and now, enterprise.

Why does a security vendor spend so much time and so many resources on vulnerability discovery in edge devices? Simply put – we care because the bad guys care, and they care on all fronts. While as an industry we are often tempted to focus solely on the large enterprises that help run our everyday lives or protect sensitive information, the actions of threat actors remind us that every consumer device can be turned into a botnet pawn and used against every enterprise. This makes performing research on even the simplest devices acutely important to our overall security picture. This even applies to end-of-life (EOL) or older routers, as CISA continues to report that vulnerabilities in these devices are being used by threat actors. This is why you see our team not only researching consumer edge devices, but also using simpler EOL devices to provide free training that empowers others in the industry to learn the techniques required to perform vulnerability research. This theme holds true with additional advisories from CISA about People’s Republic of China (PRC)-linked, state-sponsored exploitation of network devices typically used in Small Office and Home Office (SOHO) and enterprise settings, which guided our focus to DrayTek and now Cisco devices.

Over time, the conversation around supply chain attacks has exploded, and we now discuss everything from hardware and software to vulnerabilities and third-party libraries; but early on, routers and other networking equipment were the narrow focus of supply chain conversations. Why? It is very common for this type of equipment to pass through third-party handlers or distributors before making it to the end user. This even includes companies other than the manufacturer performing configuration for the customer. This opens an additional attack vector that hasn’t always existed for other software and hardware, and it holds true for consumers, small businesses, and enterprises still today. Is it possible that the PRC is paying the same tech-squad installer you are? While we have no evidence of this today, threat actors, especially nation-state-sponsored groups, are known to go to extra lengths to gain the access needed to compromise or affect the global economy. Vulnerabilities like the ones reported in our releases would make it simple for a malicious third party to gain complete access to an organization before a device is ever installed.

Edge devices exist in every networking implementation across all industries. One vulnerability can affect the medical, oil and gas, technology, education, and retail industries and more. This makes them a high-value target for attackers and, consequently, a strong focus of our research team. At Trellix we face the same threats as the larger industry and our customers, meaning we too must patch in a timely manner for all discoveries. But just patching isn’t good enough. Waiting for a nation-state to discover the next big edge device zero-day and release it on social media isn’t a mitigation strategy we want to exercise. So instead, we engage in the soulful work of trying to identify the most impactful targets across all domains and industries and look for new vulnerabilities. Simply put – we hack.

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.
