Over the past several years, hackers have targeted public-facing network devices such as routers, VPN concentrators, and load balancers to gain a foothold into corporate networks.
While finding remote code execution vulnerabilities in such devices is not uncommon, incidents where attackers were able to deploy malware on them that can survive restarts or firmware upgrades have been rare and generally attributed to sophisticated APT groups.
Because of this, researchers from firmware security firm Eclypsium recently investigated the persistence opportunities attackers would have on such devices.
“Can the malware be resilient enough to persist across reboots and even upgrades? Is it possible to infect the device so deeply that a clean wipe and reinstall isn’t sufficient?”
To investigate, the researchers looked into the configuration backup functionality available through the administration interface, which can be used to generate an archive containing all of the device's configs and settings so they can later be restored on a fresh install.
After scouring the documentation and config files, the team had found three different ways to store scripts and launch them after reboot across F5 and Citrix devices. Because these scripts are included in the config backups, they would even survive a reinstall once the backup was restored.
“Gone are the days of proprietary, purpose-built firmware used by routers & switches, instead replaced with firmware which is a fully functional operating system. This evolution introduces the commodity-server level risk on devices that have historically been out of reach for all but the most skilled attackers.”
With the introduction of these sorts of advanced and persistent threats, detection and response capabilities are more important than ever.
Security isn’t about being either secure or insecure, it’s about how fast you can move.
If you don’t have a detection and response strategy in place today, ask us how we can help.