What do you do if someone says, there might be a zero day being used against your make/model of internet facing device (such as a VPN server)?
How hard this is always depends on the level of intelligence available about the specific scenario, on the device and how it functions, and on the telemetry and capabilities you have.
So, what I’m going to do today is walk through some thought processes. This will not cover every minutia and every scenario in the world; it is meant to be broad. If you want a guide for your own firewall make/model, please speak to your vendor!
Quick Steps
- It’s commonly a management interface, so checking whether that’s open to the internet is a good starting point. Clearly it may be a user interface instead, and that gets more complex. But if you don’t need to expose a management interface to the world, limit access to it.
- There are often indicators of compromise on the device itself, so things that can be useful to do:
  - Dump/download the support files; there’s normally a feature to do this!
  - Check for new or modified user accounts. It’s common to backdoor a firewall etc. with a new local account or by resetting a root password.
  - If there are any known paths, e.g. /admin/logon, then you can parse your logs for them (if you have logs!).
  - You might have some IP address IOCs, so check your logs for these.
  - Check for strange sign-ins! (You should be doing this 24/7/365 anyway.) – thanks https://x.com/redblue_ninja
- Now this really depends: some makes/models give you ssh access, some have ssh but the apps are containerised, etc.
- You may be able to find evidence of web shell/backdoor deployment on the disk.
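As an added example (my code, not part of the original post), here is a small hunt over appliance access logs and support-dump account lists: it flags requests from IOC IPs, requests to watched management paths, and a run of failed logons followed by a success, and diffs a baseline account list against the current one. The log format, the IOC IP, the watched path and the account tuples are all constructed placeholders; swap in your vendor’s log format and the advisory’s indicators.

```python
import re
from collections import Counter

# Constructed sample access-log lines (placeholder format, not any real appliance).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 GET /admin/logon 200
2024-05-01T10:00:05Z 198.51.100.23 POST /admin/logon 401
2024-05-01T10:00:09Z 198.51.100.23 POST /admin/logon 401
2024-05-01T10:00:13Z 198.51.100.23 POST /admin/logon 200
2024-05-01T10:01:00Z 192.0.2.44 GET /remote/login 200
"""

# Placeholder indicators: replace with the IOC IPs and paths from the advisory you were given.
IOC_IPS = {"198.51.100.23"}
WATCHED_PATHS = ("/admin/logon",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(log_text, ioc_ips=IOC_IPS, watched_paths=WATCHED_PATHS, fail_threshold=2):
    """Return matching log lines grouped by the indicator that fired."""
    hits = {"ioc_ip": [], "watched_path": [], "failures_then_success": []}
    failures = Counter()  # failed logons per source IP on watched paths
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] in ioc_ips:
            hits["ioc_ip"].append(line)
        if rec["path"].startswith(tuple(watched_paths)):
            hits["watched_path"].append(line)
            if rec["status"] == "401":
                failures[rec["ip"]] += 1
            elif rec["status"] == "200" and failures[rec["ip"]] >= fail_threshold:
                hits["failures_then_success"].append(line)
    return hits


def new_or_changed_accounts(baseline, current):
    """Diff two account maps (user -> (uid, role, password_hash)) from support dumps."""
    added = sorted(set(current) - set(baseline))
    changed = sorted(u for u in current if u in baseline and current[u] != baseline[u])
    return added, changed
```

Run `hunt(SAMPLE_LOG)` against the constructed lines and the IOC IP, the watched path and the two failures followed by a success all fire; a real hunt just needs the regex and indicator sets swapped for your own.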
Key things to remember
- Running the latest firmware does not necessarily mean you are not vulnerable.
- Updating firmware may not clean out backdoors etc., especially if new user accounts were created.
- Removing the management interface from the internet after the event doesn’t solve the potential compromise problem.
Summary
Black box appliance exploitation and compromises are not easy to nail down in many cases. Reducing the attack surface is always a good idea but you also should be conducting threat hunts against telemetry and if possible, checking the device configurations and disks for artefacts. It’s better to be safe than sorry when it comes to firewall and VPN appliances.