In the last quarter of 2019, researchers at ClearSky uncovered an attack operation that they dubbed the “Fox Kitten Campaign.” Iranian actors used this offensive to gain persistent access into the networks of dozens of companies operating in Israel and around the world across the IT, telecommunication, oil and gas, aviation, government and security sectors. These individuals were successful in their efforts because they employed a variety of attack vectors. Overall, ClearSky found that their most effective attack vector was the exploitation of “1-day” vulnerabilities in unpatched VPN solutions for the purpose of infiltrating and compromising critical corporate information storages. You don’t hear about “1-day” vulnerabilities all that much. But these “N-day” weaknesses, as they’re more commonly called, are a security concern that all organizations should have on their radar. Otherwise, they could leave themselves exposed to attack campaigns such as Fox Kitten. With that possibility in mind, this blog post will begin by providing a definition of what “N-day” vulnerabilities are and by differentiating them from zero-day flaws. It will then discuss how these bugs pose particular security risk for industrial control systems (ICSes) over other environments. Finally, it’ll conclude by providing guidance on how organizations can strengthen their ICSes against n-day vulnerabilities.
What Are N-day Vulnerabilities?
Dark Reading explains that N-day vulnerabilities are a type of security weakness about which a software developer or hardware manufacturer already knows. These companies might have already issued a patch for these types of flaws, or they could be in the process of creating one or rolling one out. Subsequently, digital attackers don’t need to do any hard lifting. They can usually find out all they need to know about the vulnerability by reviewing the patches using a process called binary diffing or by scouring public disclosure documents for active exploits. It’s a plain to see that N-day bugs are not the same as zero-day vulnerabilities. Per Stack Overflow, the latter involves attacks in which malicious actors exploit undisclosed flaws about which software vendors or hardware manufacturers have no knowledge. These vulnerabilities consume considerably more time and resources to uncover. Even so, they enable attackers to get the jump on companies. In staging a zero-day attack, they leave companies with little choice other than to create a patch as quickly as possible to prevent additional attacks. Along this logic, a zero-day vulnerability becomes an N-day whenever the security community assigns a Common Vulnerabilities and Exposures (CVE) identifier. It’s then that the affected software vendor or hardware manufacturer works to release a patch. This process usually involves working with third-party software providers to implement a fix, as well; in the event these entities don’t issue a patch, users and organizations alike could still be vulnerable. Even when that fix is released, however, malicious actors can still use an N-day as part of their attacks for years on end. (Think EternalBlue.) This longevity is buoyed by all the possibilities of the dark web. Nefarious individuals can sell and download exploits for N-day flaws off of underground web marketplaces, enabling even inexperienced actors to craft effective attacks.
Why ICSes in Particular Are So Vulnerable to N-days
Any large network is at risk of an N-day attack. Even so, Dark Reading reported that industrial environments are particularly vulnerable because of four specific circumstances that set them apart from other networks. These factors are as follows:
- Question of Availability: Organizations can’t take their ICSes offline for an update as easily as they could with their IT systems. Disruption to these systems could undermine the critical infrastructure on which thousands of businesses and households depend, for instance. It could even threaten public safety. With that said, organizations have an incentive to keep their industrial systems available all the time.
- Lack of Standardization: ICSes aren’t the same as IT systems. The former use proprietary protocols that make it difficult if not impossible for industrial systems to automatically communicate with one another. As a result, organizations usually need to apply patches in a manual process that’s unique to each vendor.
- Lack of Patch Propagation: Acknowledging the different proprietary protocols employed by industrial systems, patches tend to not propagate between vendors that use shared code. Vendors in the industrial space apply software fixes according to different timetables. Consequently, even when a patch is released, organizations’ industrial assets could still be vulnerable and not have access to a working fix.
- Extended Lifetime: Organizations with industrial assets typically deploy industrial assets for years at a time. In doing so, these systems commonly outlive their support window. This means that vendors don’t make security updates available to older products even when they release a software fix.
Red Balloon Security kept these issues in consideration when it conducted a years-long study of N-day vulnerabilities in ICS devices. Per Energy Central, the researchers uncovered hundreds of N-day flaws in the process. Some of those vulnerabilities were over two years old, while many had a CVSS security score of at least 7/10. These “critical” flaws gave attackers the ability to gain remote access to parts of an organization’s industrial environment and to then replicate the effects of Industroyer, TRITON, BlackEnergy as well as other well-known attacks. Worst of all, many of those vulnerabilities were low complexity in that they required little effort from malicious actors to craft a working exploit.
How to Defend against N-day Vulnerabilities
According to Dark Reading, organizations with ICSes can’t adequately address the threat of N-day flaws with a reactive approach to patching. They need to bake networking monitoring tools and other security controls into their industrial environments using a proactive security approach. Learn how Tripwire’s solutions can help in this regard.