New research by WithSecure Intelligence explores the trend of mass exploitation of Edge services and infrastructure, and puts forward several theories as to why they have been so heavily – and successfully – targeted by attackers.
The cyberthreat landscape in 2023 and 2024 has been dominated by mass exploitation. A previous WithSecure report on the professionalisation of cybercrime noted the growing importance of mass exploitation as an infection vector, but the volume and severity of this vector have now truly exploded.
The number of Edge service and infrastructure Common Vulnerabilities and Exposures (CVEs) added to the Known Exploited Vulnerability Catalogue (KEV) per month in 2024 is 22% higher than in 2023, while the number of other CVEs added to the KEV per month has dropped 56% compared to 2023.
Furthermore, Edge service and infrastructure CVEs added to the KEV in the last two years are, on average, 11% higher in severity than other CVEs.
Several recent reports indicate that mass exploitation may have overtaken botnets as the primary vector for ransomware incidents. There has been a rapid tempo of security incidents caused by the mass exploitation of vulnerable software such as MOVEit, CitrixBleed, Cisco XE, Fortiguard’s FortiOS, Ivanti ConnectSecure, Palo Alto’s PAN-OS, Juniper’s Junos and ConnectWise ScreenConnect.
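The per-month KEV comparison above is easy to reproduce for your own environment, and the same parsing doubles as an inventory watch: when a catalogue addition matches an edge product you run, that entry is the patch to prioritise. The script below is an added example, not WithSecure's or CISA's code. It reads the CISA KEV JSON layout (the `cveID`, `vendorProject`, `product`, `vulnerabilityName` and `dateAdded` fields of the public feed), classifies entries as "edge" by keyword-matching the product families named in this article plus generic device classes (an assumption, not the article's methodology), counts additions per month, and reports the change in the monthly average between two years. The sample catalogue and its CVE IDs are constructed placeholders, not real records; the severity comparison is not reproduced here because the KEV feed carries no CVSS scores.

```python
"""Classify CISA KEV catalogue entries as edge vs. other, count them per month,
and flag entries that match an organisation's own edge inventory.

Added example, not WithSecure's or CISA's code. Field names follow the public
CISA KEV JSON feed; the keyword list, inventory and sample entries are
constructed for this example (the CVE IDs are placeholders, not real CVEs).
"""
import json
from collections import defaultdict
from datetime import date

# Assumption: a vendor/product keyword match is a rough proxy for "edge service
# or infrastructure". Keywords come from the product families the article names
# plus generic device classes.
EDGE_KEYWORDS = (
    "moveit", "citrix", "ios xe", "fortios", "fortinet", "ivanti", "connect secure",
    "pan-os", "palo alto", "junos", "juniper", "screenconnect", "connectwise",
    "vpn", "firewall", "gateway",
)

# Constructed sample in the KEV JSON layout (placeholder IDs, not real records).
SAMPLE_KEV = {
    "title": "constructed sample, not the live catalogue",
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "Ivanti", "product": "Connect Secure",
         "vulnerabilityName": "Connect Secure vulnerability (constructed)", "dateAdded": "2024-01-10"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "vulnerabilityName": "PAN-OS vulnerability (constructed)", "dateAdded": "2024-04-12"},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "ExampleCorp", "product": "Desktop Viewer",
         "vulnerabilityName": "Desktop Viewer vulnerability (constructed)", "dateAdded": "2024-04-20"},
        {"cveID": "CVE-EXAMPLE-0004", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "vulnerabilityName": "MOVEit Transfer vulnerability (constructed)", "dateAdded": "2023-06-02"},
        {"cveID": "CVE-EXAMPLE-0005", "vendorProject": "ExampleCorp", "product": "Photo Editor",
         "vulnerabilityName": "Photo Editor vulnerability (constructed)", "dateAdded": "2023-06-15"},
        {"cveID": "CVE-EXAMPLE-0006", "vendorProject": "ExampleCorp", "product": "Media Player",
         "vulnerabilityName": "Media Player vulnerability (constructed)", "dateAdded": "2023-09-01"},
    ],
}

# Constructed inventory of edge products an organisation exposes (vendor, product).
INVENTORY = [("Ivanti", "Connect Secure"), ("Cisco", "IOS XE")]


def load_kev(path):
    """Load a downloaded copy of the KEV JSON feed from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def is_edge(entry):
    """True if the vendor, product or vulnerability name hits an edge keyword."""
    text = " ".join(
        str(entry.get(field, "")) for field in ("vendorProject", "product", "vulnerabilityName")
    ).lower()
    return any(keyword in text for keyword in EDGE_KEYWORDS)


def monthly_counts(catalog):
    """Map 'YYYY-MM' -> {'edge': n, 'other': n} from each entry's dateAdded."""
    counts = defaultdict(lambda: {"edge": 0, "other": 0})
    for entry in catalog["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        key = f"{added.year:04d}-{added.month:02d}"
        counts[key]["edge" if is_edge(entry) else "other"] += 1
    return dict(counts)


def yearly_monthly_average(counts, year, kind):
    """Average additions per month for one year and one class.

    Assumption: only months that have at least one addition are counted, so a
    partial year is not diluted by months the feed has not reached yet.
    """
    months = [m for m in counts if m.startswith(f"{year:04d}-")]
    if not months:
        return 0.0
    return sum(counts[m][kind] for m in months) / len(months)


def percent_change(old, new):
    """Relative change from old to new, in percent."""
    if old == 0:
        return float("inf") if new else 0.0
    return (new - old) / old * 100.0


def inventory_matches(catalog, inventory):
    """KEV entries whose vendor/product pair appears in the organisation's inventory."""
    wanted = {(vendor.lower(), product.lower()) for vendor, product in inventory}
    return [
        entry for entry in catalog["vulnerabilities"]
        if (entry["vendorProject"].lower(), entry["product"].lower()) in wanted
    ]


if __name__ == "__main__":
    counts = monthly_counts(SAMPLE_KEV)
    for kind in ("edge", "other"):
        avg_2023 = yearly_monthly_average(counts, 2023, kind)
        avg_2024 = yearly_monthly_average(counts, 2024, kind)
        print(f"{kind}: {avg_2023:.2f}/month in 2023, {avg_2024:.2f}/month in 2024, "
              f"change {percent_change(avg_2023, avg_2024):+.0f}%")
    for entry in inventory_matches(SAMPLE_KEV, INVENTORY):
        print("in inventory:", entry["cveID"], entry["vendorProject"],
              entry["product"], "added", entry["dateAdded"])
```

Replace `SAMPLE_KEV` with `load_kev("known_exploited_vulnerabilities.json")` after downloading the feed, and fill `INVENTORY` from your asset register; the inventory check is the part worth running on every catalogue refresh.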
Edge services are extremely attractive targets to attackers. They are exposed to the Internet and are intended to provide critical services to remote users, so they can be abused by remote attackers.
“There is just one thing that is required for a mass exploitation incident to occur, and that is a vulnerable Edge service, a piece of software that is accessible from the Internet,” said Stephen Robinson, Senior Threat Analyst at WithSecure Intelligence.
“What many exploited Edge services have in common is that they are infrastructure devices, such as firewalls, VPN gateways, or email gateways, which are commonly locked-down, black-box-like devices. Devices such as these are often intended to make a network more secure, yet time and again vulnerabilities have been discovered in such devices and exploited by attackers, providing a perfect foothold in a target network,” added Robinson.
The research finds that mass exploitation is now the primary observed attack vector for both ransomware and nation-state espionage attackers. It also finds that the capability and expertise needed to exploit zero-day and one-day vulnerabilities are more attainable for financially motivated cybercriminals than ever before.
“It is likely that mass exploitation is becoming the primary attack vector either because there are so many vulnerable Edge services, or attackers and defenders are now more aware of vulnerable Edge services due to the prevalence of mass exploitation,” Robinson said.