Securing Against PRC State-Backed Threats: On-Device Mitigation

Bruno Rossi

4 min read | 28/09/2023

The recent cybersecurity advisory from the National Security Agency (NSA), FBI, and Cybersecurity and Infrastructure Security Agency (CISA), issued jointly with the Japanese police and cybersecurity authorities, revealed that People’s Republic of China state-linked threat actors have been running extended operations for several years to maintain a deep, persistent presence in US public and private infrastructure, including major telecommunications companies and network service providers.

These actors exploited known vulnerabilities in common network devices to gain and keep discreet access, using the compromised devices as command-and-control (C2) relays and as footholds from which to move laterally.

Devices such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) appliances, often deployed at subsidiaries on the edge of the better-protected corporate network, are an easier target for attackers. Frequently end-of-life, or lagging behind in the endless patching race, they offer an easier entry point.

Seen in the context of modern network infrastructure, these weak points clearly need to be addressed: edge devices that are end-of-life or hard to patch remain prime targets, and traditional cybersecurity measures alone are insufficient. New approaches are needed to secure these critical junctures and bolster overall defenses.

Security organizations will never win the patching game!

Patching and network protection are not enough

Patching and network-based security techniques are not enough to keep attackers at bay. First, patching depends on the vendor’s willingness, or obligation, to deliver patches quickly, and only for devices still under a support contract. Second, patching only addresses known vulnerabilities. And even with a patch in hand, deploying it to devices in the field is the next significant challenge.
On the network defense side, despite the widespread deployment of powerful threat protection and detection technologies (IDS/IPS, XDR, and similar solutions), networked devices remain easy prey because they lack embedded runtime protection.

Connected devices require runtime protection

Sternum addresses this security gap with a patented runtime security solution that integrates into the device itself and works at the firmware level to protect it against memory and code manipulation attempts. The solution is agentless and connection-agnostic, working equally well for connected and isolated devices. Because its detection is deterministic rather than dependent on prior knowledge of a specific attack, it also covers zero-day attacks and supply-chain threats in third-party code.

Leveraging its on-device presence, the solution also provides continuous monitoring and threat detection, with easy access to live insights, historical data, predictive analytics, incident response and investigation tools, contextual root cause analysis, and more.

The solution is compatible with various operating systems and device types, whether they are legacy or new, and it imposes minimal overhead, typically ranging from just 1% to 3%, without causing any disruption to the device’s regular functions.

Addressing the vulnerabilities of the CISA advisory

Sternum’s research team analyzed the vulnerabilities reported in the CISA advisory. The following table shows, for each vulnerability, the coverage Sternum would have provided on the impacted devices:

Vendor   | CVE            | Vulnerability             | CWE                                                                                   | Sternum coverage
---------|----------------|---------------------------|---------------------------------------------------------------------------------------|----------------------------------------------
Cisco    | CVE-2018-0171  | RCE                       | CWE-787 Out-of-bounds Write; CWE-20 Improper Input Validation                         | PROTECTION
Cisco    | CVE-2019-1652  | RCE                       | CWE-502 Deserialization of Untrusted Data                                             | Potential Protection (needs further analysis)
Cisco    | CVE-2019-1652  | RCE                       | CWE-78 OS Command Injection; CWE-20 Improper Input Validation                         | PROTECTION
Citrix   | CVE-2019-19781 | RCE                       | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)   | Detection
DrayTek  | CVE-2020-8515  | RCE                       | CWE-78 OS Command Injection                                                           | PROTECTION
D-Link   | CVE-2019-16920 | RCE                       | CWE-78 OS Command Injection                                                           | PROTECTION
Fortinet | CVE-2018-13382 | Authentication Bypass     | CWE-285 Improper Authorization                                                        | Detection
MikroTik | CVE-2018-14847 | Authentication Bypass     | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)   | Detection
Netgear  | CVE-2017-6862  | RCE                       | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer       | PROTECTION
Pulse    | CVE-2019-11510 | Authentication Bypass     | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)   | Detection
Pulse    | CVE-2021-22893 | RCE                       | CWE-416 Use After Free; CWE-287 Improper Authentication                               | Potential Protection (needs further analysis)
QNAP     | CVE-2019-7192  | Privilege Elevation       | CWE-863 Incorrect Authorization                                                       | Detection
QNAP     | CVE-2019-7193  | Remote Inject             | CWE-20 Improper Input Validation                                                      | Detection
QNAP     | CVE-2019-7194  | XML Routing Detour Attack | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)   | Detection
QNAP     | CVE-2019-7195  | XML Routing Detour Attack | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)   | Detection
Zyxel    | CVE-2020-29583 | Authentication Bypass     | CWE-522 Insufficiently Protected Credentials                                          | Detection

In this table:

  • Detection indicates that Sternum would have been capable of detecting and reporting the attack had the device integrated Sternum’s observability features.
  • PROTECTION means that the associated attempted attack would have been detected and completely prevented, ensuring the device’s security, even if it were a zero-day attack.

Sternum would also have automatically notified the Security Operations Center (SOC) of the attempted attack, with detailed information about it and a timeline of the events leading up to it. This lets investigators understand how the attack occurred, down to the specific line of code and memory region the attack attempted to exploit.
An example of such a prevented-attack alert is shown below:
[Screenshot: Sternum alert for a prevented heap memory corruption (Heap Double Free) on a router device]
In the screenshot above, Sternum runtime protection running on a router device prevented a heap memory corruption attack (Heap Double Free) and generated the security alert shown. The alert notified the SOC of the prevented attack and provided detailed information for investigation, including the source IP from which the attack originated, the addresses of the corrupted memory and code, and a timeline of key events on the device preceding the attack.
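To make the idea behind deterministic, on-device memory protection concrete for the runtime-protection section and for the double-free alert described above, here is an added C illustration. It is not Sternum’s code, whose mechanism the post does not disclose: it is a toy heap guard in which every allocation carries a state tag in front of the user buffer and a canary behind it, so a double free or an out-of-bounds write is recognized the moment it happens, with no knowledge of the exploit or CVE involved, and an alert record (address, size, code site) is produced for the SOC. The packet format, the code-site strings and the alert fields are constructed for the demo.

```c
/* guarded_heap.c: a toy deterministic heap guard (illustration, not Sternum's code).
 * Every allocation gets a state tag in front of the user buffer and a canary
 * behind it, so a double free or an out-of-bounds write is recognized at the
 * moment it happens, without any knowledge of the exploit or CVE involved. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG_LIVE   0xA110C8EDu   /* block is allocated                          */
#define TAG_FREED  0xDEADF2EEu   /* block was released (quarantined)            */
#define CANARY     0xC0FFEE42u   /* trailing guard word                         */
#define SLACK      16            /* keeps the demo's overflow inside the chunk  */

typedef enum { GH_OK = 0, GH_OVERFLOW, GH_DOUBLE_FREE, GH_BAD_POINTER } gh_event_t;

typedef struct {
    gh_event_t  kind;
    const void *addr;   /* user buffer involved                                  */
    uint32_t    size;   /* size recorded at allocation time                      */
    const char *site;   /* code location of the offending call (constructed)     */
} gh_alert_t;

typedef struct { uint32_t tag; uint32_t size; } gh_header_t;

static gh_alert_t g_last_alert;      /* what would be forwarded to the SOC */
static int        g_alert_total;

static void gh_raise(gh_event_t kind, const void *addr, uint32_t size, const char *site)
{
    g_last_alert = (gh_alert_t){ kind, addr, size, site };
    g_alert_total++;
    /* A production guard would also snapshot a timeline and stop the request
     * or reset the device here; the demo records the alert and continues. */
    fprintf(stderr, "ALERT kind=%d addr=%p size=%u site=%s\n",
            (int)kind, addr, size, site);
}

void *gh_malloc(uint32_t n)
{
    gh_header_t *h = malloc(sizeof *h + n + sizeof(uint32_t) + SLACK);
    if (!h) return NULL;
    h->tag  = TAG_LIVE;
    h->size = n;
    uint8_t *user = (uint8_t *)(h + 1);
    uint32_t c = CANARY;
    memcpy(user + n, &c, sizeof c);   /* canary sits right after the user bytes */
    return user;
}

/* Verify the block on release; returns the verdict so callers can act on it. */
gh_event_t gh_free(void *p, const char *site)
{
    if (!p) return GH_OK;
    gh_header_t *h = (gh_header_t *)p - 1;
    if (h->tag == TAG_FREED) { gh_raise(GH_DOUBLE_FREE, p, h->size, site); return GH_DOUBLE_FREE; }
    if (h->tag != TAG_LIVE)  { gh_raise(GH_BAD_POINTER, p, 0, site);       return GH_BAD_POINTER; }
    uint32_t c;
    memcpy(&c, (uint8_t *)p + h->size, sizeof c);
    gh_event_t verdict = (c == CANARY) ? GH_OK : GH_OVERFLOW;
    if (verdict != GH_OK) gh_raise(GH_OVERFLOW, p, h->size, site);
    h->tag = TAG_FREED;   /* quarantine: never handed back to malloc in this demo,
                           * so a later free of the same pointer is caught */
    return verdict;
}

/* Simulated vulnerable handler: the first byte declares the payload length, but
 * the copy trusts the packet length instead (the classic CWE-787 pattern). */
gh_event_t handle_request(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t *buf = gh_malloc(pkt[0]);
    if (!buf) return GH_BAD_POINTER;
    memcpy(buf, pkt + 1, pkt_len - 1);             /* BUG: no bounds check */
    return gh_free(buf, "handler.c:42 (constructed)");
}

/* Constructed packets: a well-formed one, and one whose payload exceeds the declared size. */
static const uint8_t kBenign[]   = { 8, 'G','E','T',' ','/',' ','H','T' };
static const uint8_t kOverflow[] = { 8, 'A','A','A','A','A','A','A','A','A','A','A','A' };

/* Stale-pointer scenario: the same session buffer is released twice. */
gh_event_t demo_double_free(void)
{
    uint8_t *session = gh_malloc(32);
    gh_free(session, "session.c:17 (constructed)");
    return gh_free(session, "session.c:90 (constructed)");
}

int        gh_alert_total(void) { return g_alert_total; }
gh_alert_t gh_last_alert(void)  { return g_last_alert; }

int main(void)
{
    printf("benign: %d\n",      (int)handle_request(kBenign, sizeof kBenign));
    printf("overflow: %d\n",    (int)handle_request(kOverflow, sizeof kOverflow));
    printf("double free: %d\n", (int)demo_double_free());
    return 0;
}
```

The benign packet passes silently, the oversized one trips the canary check, and the second release of the session buffer is caught by the state tag; in each case the alert carries the address and size of the affected block and the code site, which is the kind of detail the screenshot above shows. Note that this toy only covers memory-safety classes such as the table’s CWE-787, CWE-119 and CWE-416 rows; how the product handles the other classes in the table is not described on this page.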

In response to the enduring challenges posed by state-sponsored cyber actors, Sternum’s on-device solutions offer a transformative approach. With seamless integration, comprehensive protection, and real-time threat detection capabilities, Sternum’s platform equips organizations to effectively defend against known and emerging threats in the evolving cybersecurity landscape.

About Sternum:

Sternum is an embedded platform built for connected devices. By augmenting every device with runtime security and granular observability, Sternum provides the world’s leading device manufacturers with built-in security, significant business insights, and continuous in-field product and fleet monitoring, enabling them to improve operational efficiency, deliver secure products, and achieve business excellence.