Many hackers are opportunistic and often attempt to exploit security gaps to launch an attack days before a vulnerability is disclosed.
According to a new report published on July 31 by GreyNoise, attacker activity precedes the time a new vulnerability in edge devices is publicly disclosed and given a common vulnerabilities and exposures (CVE) number in 80% of cases.
These pre-disclosure spikes of activity include scanning, brute forcing and exploitation attempts – although zero-day exploit attempts represent the majority of the activity observed. This activity can precede the CVE disclosure by up to six weeks, the GreyNoise researchers found.
The analysis was conducted on CVEs in edge technologies with a common vulnerability scoring system (CVSS) score of 6 or more.
This pattern was particularly prevalent for vulnerabilities affecting eight edge device vendors: Cisco, Citrix, Fortinet, Ivanti, Juniper, MikroTik, Palo Alto Networks and SonicWall.
In total, the GreyNoise researchers found 216 occurrences of a spike preceding the disclosure of a CVE for these eight vendors.
Use Attacker Activity Spikes as Early Warnings for Future Intrusions
According to the report, cyber defenders should treat these spikes as early warnings and increase their monitoring when such spikes occur, so that they are better prepared for the CVEs that tend to follow.
“The clustering of new CVEs within six weeks of attacker spikes provides defenders with a concrete timeframe to increase monitoring, harden systems and pre-emptively act – even before a vulnerability is known. CISOs can use this window to justify early planning or investment,” said the report.
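As an added illustration of the early-warning approach described above (example code, not GreyNoise's own analysis), the following Python sketch flags days whose attacker-activity count jumps well above the recent baseline and checks whether such a spike fell inside the six-week window before each CVE disclosure. The spike thresholds, the daily counts and the disclosure dates are constructed assumptions, not data from the report.

```python
"""Spike-as-early-warning analytic (added example, not GreyNoise's code).

Input: a daily count of scanning, brute-force and exploit attempts observed
against one class of edge device, plus the day indexes on which CVEs for that
device were disclosed. Output: which days were anomalous, and whether an
anomalous day fell inside the six-week window before each disclosure.
All sample data below is constructed for illustration.
"""
from statistics import median

LEAD_WINDOW_DAYS = 42  # "up to six weeks" before disclosure, per the report


def detect_spikes(counts, baseline=14, factor=4.0, min_hits=20):
    """Return day indexes whose count exceeds `factor` x the median of the
    preceding `baseline` days and is at least `min_hits` (so a jump from
    0 to 3 hits on a quiet sensor is not treated as a spike).
    Thresholds are assumed values; tune them to your own telemetry."""
    spikes = []
    for day in range(baseline, len(counts)):
        ref = median(counts[day - baseline:day])
        if counts[day] >= min_hits and counts[day] > factor * max(ref, 1):
            spikes.append(day)
    return spikes


def spikes_in_lead_window(spike_days, disclosure_day, lead=LEAD_WINDOW_DAYS):
    """Spike days that precede `disclosure_day` by 1..`lead` days."""
    return [d for d in spike_days if 0 < disclosure_day - d <= lead]


def pre_disclosure_share(counts, disclosure_days):
    """Fraction of disclosures preceded by at least one spike inside the
    lead window: the statistic the report summarises as '80% of cases'."""
    spikes = detect_spikes(counts)
    hit = sum(1 for dd in disclosure_days if spikes_in_lead_window(spikes, dd))
    return hit / len(disclosure_days) if disclosure_days else 0.0


# Constructed 100-day series: ~10 hits/day background, one spike on day 30
# and one on day 75. Constructed CVE disclosures on days 20, 50, 60, 90, 99;
# day 20 has no preceding spike, the other four do.
SAMPLE_COUNTS = [10] * 100
SAMPLE_COUNTS[30] = 180
SAMPLE_COUNTS[75] = 95
SAMPLE_DISCLOSURES = [20, 50, 60, 90, 99]

if __name__ == "__main__":
    print("spike days:", detect_spikes(SAMPLE_COUNTS))
    print("share preceded by a spike:", pre_disclosure_share(SAMPLE_COUNTS, SAMPLE_DISCLOSURES))
```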
The GreyNoise researchers recommended that CISOs block IP addresses associated with scanning and brute forcing edge technologies to prevent inclusion in attack inventories, even if different IPs are used for the later phases of the attack.
“Nation-state groups like Typhoons have reportedly focused on enterprise-focused edge devices for pre-positioning, surveillance and access persistence,” highlighted the researchers.