Ripple20 threat has potential for 'vast exploitation', ExtraHop researchers find

One in three IT environments is vulnerable to a cyber threat known as Ripple20. This is according to a new report from ExtraHop, a cloud-native network detection and response solutions provider.

The Ripple20 threat is a series of 19 vulnerabilities found in the Treck networking stack, a low-level TCP/IP software library developed by Treck Inc. that's commonly used by device manufacturers across many industries, including utilities, healthcare, government and academia.

The impact of this threat ‘ripples’ through complex software supply chains, making it a difficult vulnerability to mitigate, the researchers state.

The JSOF threat research organisation found the Ripple20 vulnerability (CVE-2020-11901) in June 2020. According to a statement, details were given to impacted device manufacturers and security vendors to give them time to deploy patches and create detections before releasing their findings to the general public.

The ExtraHop threat research team studied customer data and discovered vulnerable software in one out of every three IT environments.

Industry average dwell times come in at around 56 days, and ExtraHop experts predict that this exploit will be widely used by attackers as an easy backdoor into networks across industries around the globe.

According to ExtraHop, visibility and behavioural analysis of managed and unmanaged devices, including IoT, and visibility into unusual activity from potentially exploited devices within an organisation’s east-west traffic, are table stakes for a secure network.

ExtraHop CISO Jeff Costlow says, “The devices that utilise the Treck stack are far-reaching with the potential for vast exploitation.

“A threat actor could conceivably use this vulnerability to hide malicious code in the embedded devices for an extended period of time, and traditional endpoint or perimeter security solutions like EDR or NGFW will not have visibility into this set of exploits.”

According to ExtraHop, organisations can take a number of steps to help mitigate the risk from Ripple20. This includes the following.

Patching: Vendors utilising the Treck software were given early access to the threat details so they could start producing patches immediately. Unfortunately, a large number of devices are no longer supported, which has made it difficult to account for all vulnerable device makes and models, ExtraHop states.

Removal from Service: If a patch is unavailable for the affected device, it’s recommended that organisations consider removing devices from service entirely and replacing them with known secure devices. Removing the device will improve hygiene and compliance, critical for keeping environments secure, the researchers state.

Monitor for Scanning Activity: Before a vulnerable device can be compromised, attackers must first find it. Organisations will need to assess their own practices to understand and monitor which scans are legitimate and which could indicate malicious intent, according to ExtraHop.

Exploit Detection: Because not all vulnerable devices may be identified and patched, it is crucial that organisations detect unusual activity resulting from a Ripple20 exploit as it occurs, such as lateral movement and privilege escalation. Network-based detection is a requirement in this case because embedded devices that use the Treck software will not support endpoint agents.

Isolate Vulnerable Devices: In circumstances where it is not possible to patch affected devices, it is recommended that security teams verify devices are not publicly accessible; move devices to a network segment isolated from local subnets; drop all IP-in-IP traffic destined for affected devices; and drop all IPv6 traffic destined for affected devices.
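The last two isolation steps (dropping IP-in-IP and IPv6 traffic bound for devices that cannot be patched) translate directly into gateway firewall rules. The shell function below is an added example, not code from the article, ExtraHop or JSOF; it assumes a Linux gateway running nftables between the isolated device segment and the rest of the network, and the device addresses it is called with are constructed placeholders.

```shell
#!/bin/sh
# Emit an nftables ruleset that isolates unpatched Treck-based devices by dropping
# IP-in-IP (IP protocol 4) and all IPv6 traffic addressed to them. Addresses are
# passed as arguments; anything containing ':' is treated as an IPv6 address.
# Assumed environment: a Linux gateway with nftables on the forwarding path.
ripple20_ruleset() {
    v4=""
    v6=""
    for addr in "$@"; do
        case "$addr" in
            *:*) v6="${v6}${v6:+, }${addr}" ;;
            *)   v4="${v4}${v4:+, }${addr}" ;;
        esac
    done
    if [ -z "$v4" ] && [ -z "$v6" ]; then
        echo "usage: ripple20_ruleset <device-address> ..." >&2
        return 1
    fi

    echo "table inet ripple20_isolation {"
    if [ -n "$v4" ]; then
        echo "    set affected_v4 {"
        echo "        type ipv4_addr"
        echo "        elements = { ${v4} }"
        echo "    }"
    fi
    if [ -n "$v6" ]; then
        echo "    set affected_v6 {"
        echo "        type ipv6_addr"
        echo "        elements = { ${v6} }"
        echo "    }"
    fi
    echo "    chain forward {"
    echo "        type filter hook forward priority 0; policy accept;"
    if [ -n "$v4" ]; then
        # IP protocol 4 is IP-in-IP encapsulation; 'counter' makes hits visible in 'nft list ruleset'
        echo "        ip daddr @affected_v4 ip protocol 4 counter drop"
    fi
    if [ -n "$v6" ]; then
        # Drop every IPv6 packet addressed to an affected device, whatever the upper protocol
        echo "        ip6 daddr @affected_v6 counter drop"
    fi
    echo "    }"
    echo "}"
}

# Example usage with constructed addresses; apply the output with: nft -f ruleset.nft
ripple20_ruleset 10.0.50.10 10.0.50.11 fd00:50::10
```

The ruleset sits on the forward hook, so it only helps if the affected devices have been moved to a segment whose traffic passes through this gateway, which is the preceding step in the article's list. If a device also answers on an IPv6 link-local address, add that address to the call as well; the `counter` statements let the team confirm from `nft list ruleset` whether any IP-in-IP or IPv6 traffic is actually being sent at the devices, which is itself a useful signal under the "Monitor for Scanning Activity" step.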
