A cluster of vulnerabilities known as Ripple20 pose a major threat to IT environments, according to new research by a Seattle enterprise cyber-analytics company.
The Ripple20 threat is a series of 19 vulnerabilities found in a low-level TCP/IP software library developed by Treck Inc. called the Treck networking stack. The library is used by device manufacturers across a host of different industries, including utilities, academia, government, and healthcare.
The vulnerability series (CVE-2020-11901) was first discovered by the JSOF threat research organization in June of this year.
Yesterday, a threat research team at ExtraHop issued a warning over the potential impact of Ripple20 after finding out that 35% of IT environments are vulnerable to the threat.
“The ExtraHop threat research team studied customer data and discovered vulnerable software in one out of every three IT environments,” wrote researchers.
“With industry average dwell times hovering around 56 days, these devices are a ticking time bomb if left alone.”
The researchers predicted that this exploit will be widely used by attackers as an easy backdoor into networks the world over.
“The devices that utilize the Treck stack are far-reaching with the potential for vast exploitation,” said Jeff Costlow, CISO at ExtraHop.
“A threat actor could conceivably use this vulnerability to hide malicious code in the embedded devices for an extended period of time, and traditional endpoint or perimeter security solutions like EDR or NGFW will not have visibility into this set of exploits.”
Researchers recommended that device manufacturers and security vendors take immediate action and deploy mitigation tactics against the threat.
Specific actions advised include monitoring for scanning activity, isolating vulnerable devices, patching, and removing devices from services if a patch is unavailable.
“Vendors utilizing the Treck Software were given early access to the threat details so they could start producing patches immediately,” wrote researchers.
“Unfortunately, a large number of devices have discontinued support, which has made it difficult to account for all vulnerable device makes and models.”
Concerned organizations should stay vigilant for unusual activity such as lateral movement and privilege escalation that can indicate a Ripple20 exploit is occurring.