Threat actors are increasingly targeting edge devices known as load balancers, according to new data from Action1 which revealed a record exploitation rate for the category over a three-year period.
The security vendor assessed various categories of products from 2021 to 2023, using National Vulnerability Database (NVD) and cvedetails.com data to calculate, for each category, the ratio of vulnerabilities known to have been exploited to the total number of vulnerabilities published.
It found that while load balancers contributed only a small share of all vulnerabilities, those vulnerabilities were disproportionately exploited by threat actors, giving the category a record 17% exploitation rate over the period. The rate rose to 100% for NGINX and 57% for Citrix products.
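To make the methodology concrete, here is an added Python example (it is not Action1's code or dataset) that computes the same two figures per category: the category's share of all published vulnerabilities and its exploitation rate, then ranks categories by each. The records are constructed sample data with placeholder IDs, not real CVEs, and the "exploited" flag is assumed to come from a known-exploited list such as CISA's KEV catalogue; the report does not say which exploitation source Action1 used.

```python
"""Exploitation rate vs. vulnerability count per product category.

Added illustration of the counting methodology; the records below are
constructed and the numbers are not Action1's results.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # placeholder identifier, not a real CVE number
    category: str     # product category, e.g. "load_balancer"
    vendor: str
    exploited: bool   # True if listed as exploited in the wild (assumed source: CISA KEV)


def _bulk(prefix, category, vendor, total, exploited):
    """Build `total` constructed records, the first `exploited` of them flagged."""
    return [Vuln(f"{prefix}-{i:04d}", category, vendor, i < exploited)
            for i in range(total)]


# Constructed sample: few load-balancer CVEs, but a large fraction exploited.
SAMPLE = (
    _bulk("LB-CTX", "load_balancer", "Citrix", 7, 4)
    + _bulk("LB-NGX", "load_balancer", "NGINX", 1, 1)
    + _bulk("LB-OTH", "load_balancer", "OtherLB", 12, 0)
    + _bulk("OS-WIN", "os", "Microsoft", 400, 28)
    + _bulk("OS-MAC", "os", "Apple", 300, 21)
    + _bulk("BRW", "browser", "BrowserCo", 500, 10)
)


def exploitation_stats(vulns, key):
    """Group records by key(v) and return, per group:
    total, exploited, share (of all records), rate (exploited / total).
    Returns {} for empty input so callers never divide by zero."""
    totals, hits = Counter(), Counter()
    for v in vulns:
        k = key(v)
        totals[k] += 1
        hits[k] += int(v.exploited)
    grand = sum(totals.values())
    return {
        k: {
            "total": totals[k],
            "exploited": hits[k],
            "share": totals[k] / grand,
            "rate": hits[k] / totals[k],
        }
        for k in totals
    }


def rank_by(stats, metric):
    """Group names ordered by the chosen metric, highest first."""
    return sorted(stats, key=lambda k: stats[k][metric], reverse=True)


if __name__ == "__main__":
    by_cat = exploitation_stats(SAMPLE, lambda v: v.category)
    for cat in rank_by(by_cat, "rate"):
        s = by_cat[cat]
        print(f"{cat:14} n={s['total']:4} share={s['share']:6.1%} "
              f"exploited={s['exploited']:3} rate={s['rate']:6.1%}")
    print("ranked by count:", rank_by(by_cat, "share"))
    print("ranked by rate: ", rank_by(by_cat, "rate"))
    lb_only = [v for v in SAMPLE if v.category == "load_balancer"]
    print("per vendor:", exploitation_stats(lb_only, lambda v: v.vendor))
```

Ranking by raw count puts operating systems first and load balancers last; ranking by exploitation rate inverts that order, which is the point the report makes. The same function applied to the load-balancer subset keyed by vendor gives the per-vendor rates.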
“Vulnerabilities in load balancers pose significant risks, as a single exploit in these systems can provide broad access or disruption capabilities against targeted networks,” the report warned.
“While the total number of vulnerabilities reported for load balancers over the three-year period analyzed accounts for only 0.2% of the total number of vulnerabilities analyzed, the impact of these severe vulnerabilities, as exemplified by the infamous CitrixBleed, demonstrates that high exploitation rates of vulnerabilities can be more significant indicators than their number.”
CitrixBleed (CVE-2023-4966) is a critical memory over-read in Citrix NetScaler ADC and NetScaler Gateway appliances that leaks valid session tokens, letting an attacker hijack authenticated sessions and bypass MFA. It was exploited as a zero-day from late August 2023, weeks before Citrix published its advisory on 10 October 2023, and was then exploited en masse once the details became public. Because stolen tokens stay valid after an upgrade, patching alone is not enough: Citrix advised terminating all active and persistent sessions after applying the fix.
Notorious ransomware group LockBit exploited the bug in attacks on big-name organizations including Boeing, the Industrial and Commercial Bank of China (ICBC), Allen & Overy and DP World.
Action1 also found a growing focus from threat actors on macOS and iOS over the period, with exploitation rates climbing to 7% and 8% respectively.
In 2023, Microsoft saw its exploitation rate rise to 7%, compared to 2% in 2022. Critical vulnerabilities in Office accounted for nearly 80% of the overall annual vulnerability count, Action1 claimed.
The vendor’s president, Mike Walters, argued that reports like this are increasingly important for network defenders, given well-documented delays in the enrichment and processing of CVEs in the NVD.
“Our goal is to arm key decision makers with essential knowledge so that they can prioritize their efforts in vulnerability monitoring using alternative approaches while the traditional reliance on NVDs is challenged,” he said.
“In light of the NVD crisis, the cybersecurity community needs to share information and build stronger relationships amongst private cybersecurity firms, academic institutions, and other threat intelligence platforms to facilitate holistic and timely data sharing so that all organizations can enhance their security posture.”