The Latest Sandworm Botnet Attack Shows Why Firewalls Can’t Do Zero Trust

US Attorney General Merrick Garland announced Wednesday that US officials have disrupted a two-tiered global botnet of thousands of infected firewall devices allegedly controlled by the threat actor called Sandworm, who have been previously connected to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The attack operation effectively converted the infected firewalls into malicious hosts to be used for command and control of the botnet.

Sandworm has a long history of globally disruptive malicious cyber activity, and are attributed with such campaigns as NotPetya in 2017 and attacks against the Winter Olympics and Paralympics in 2018. This latest botnet is known as CyberBlink, and is an evolution of the VPNFilter botnet framework. VPNFilter was the fourth-most popular IoT malware payload in Zscaler ThreatLabz’ 2021 study of IoT devices, despite its operations being severely disrupted by the US Justice Department in 2018.

In a statement, the US Justice Department said that they “copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.” 

The threat actor targeted firewalls built by WatchGuard and ASUS, both of whom released guidance on how to detect and remediate issues related to the malware. Despite the remediation work done by the Justice Department, as of mid-March, the DOJ said “a majority of the originally compromised devices remained infected.”

When Firewall Security Backfires

The CyberBlink botnet is just the latest example of why firewalls are inadequate for modern enterprise security. 

Firewalls are designed to keep threats out by securing the network perimeter. This is based on an outdated “castle-and-moat” security model that relies on implicit trust: everything inside of the perimeter is trusted, and everything outside of the perimeter is untrusted. But firewalls are vulnerable to exploits just like any other device. Internet-connected firewalls, such as the ones used in this attack, are easily discoverable by any attacker with an internet connection, giving adversaries easy access. 

It’s horrifying to think of a security tool not just failing, but actually being used as a host for malicious activity. But having the device taken over for use in a botnet is not nearly the most damaging potential consequence to a victim organization.

Firewalls rely on networks by design, and in fact force network connections – either physically in an office, over MPLS from a branch, or remotely via VPNs. Once an attacker is on the network, they have all the access that your legitimate users have, and can move laterally to network assets or downstream devices. This allows the delivery of malware and ransomware, theft of data, or access to applications. 

“These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks,” the Justice Department explained.

64% of security decision-makers feel that firewalls are unable to prevent lateral movement within the network. Source: Virtual Intelligence Briefing (ViB) Networks Security Survey 2021

Firewalls don’t even have to be exploited to be vulnerable – often they can be bypassed outright. With more than 80 percent of attacks now happening over encrypted channels, inspecting encrypted traffic is more critical than ever. However, firewalls and their pass-through architectures are not designed to inspect encrypted traffic inline, making them incapable of identifying and controlling data in motion and data at rest. As a result, many businesses allow at least some encrypted traffic to go uninspected, increasing the risk of cyberthreats and data loss.

Additionally, organizations no longer operate within a predefined perimeter that can be easily ring-fenced with firewalls. Applications, users, and data are everywhere, and are too-often exposed to the internet where they can be exploited by malicious actors. Virtual firewalls and other cloud-based perimeter tools attempt to secure these use cases, but are no different from their physical hardware counterparts—the location of the firewall moves from the data center to the cloud, but the overall security model remains the same, and carries the same security, scalability, and performance downsides. Even worse: by putting virtual machines (VMs) in the cloud, you are actually expanding the attack surface outward, making it possible for attackers to exploit your cloud assets.

A Better Approach: Zero Trust

Just about every security vendor these days will tell you that they enable “zero trust,” because they know it’s what organizations need to protect their distributed businesses from increasingly sophisticated threat actors. 

As NIST states it, “Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.” 

Based on the above definition, firewalls by their very nature of network reliance cannot do zero trust. Any concept of a ‘trusted network’ is in direct opposition to zero trust principles. And by using security models that include implicit trust, you’re taking on unnecessary risk.

A true zero trust architecture connects your users only to the data and applications that they need, without exposing anything else. Establishing a zero trust architecture requires visibility and control over the environment's users and traffic, including that which is encrypted; monitoring and verification of traffic between parts of the environment; and strong multifactor authentication (MFA) methods beyond passwords, such as biometrics or one-time codes.

In a zero trust architecture, a resource's network location is no longer the biggest factor in its security posture. Instead of rigid network segmentation, your data, workflows, services, and such are protected by software-defined microsegmentation, enabling you to keep them secure anywhere, whether in your data center or in distributed hybrid and multicloud environments.

The Zscaler Zero Trust Exchange

Zscaler delivers zero trust with its cloud-native platform, the Zscaler Zero Trust Exchange. Built on proxy architecture, the Zero Trust Exchange directly connects users to applications, and never to the corporate network. 

The Zero Trust Exchange sits as a policy enforcer and decision maker in between endpoints or other entities that are trying to connect (at the bottom of the below graphic) and the resources that they are trying to connect to, such as the internet and applications (at the top). The Zero Trust Exchange applies policy and context in a variety of ways to come to an enforcement decision, then brokers authorized connectivity to the requested resource.

This architecture makes applications non-routable entities which are invisible to potential attackers, so your resources can’t be discovered on the internet. It reduces the attack surface, prevents lateral movement, inspects and protects all traffic, and stops sensitive data from leaving to suspicious destinations.

The Zero Trust Exchange delivers cloud-native, transparent zero trust access—offering seamless user experience, minimized cost and complexity, increased visibility and granular control, and enhanced performance for a modern approach to zero trust security. Zscaler’s leading Zero Trust Network Architecture (ZTNA) is one of the reasons that we were rated highest in execution in the 2022 Gartner® Magic Quadrant™ for Security Service Edge (SSE). 

For more on this topic, watch this webinar: Why Firewalls Cannot do Zero Trust. You'll learn what zero trust is, what it isn’t, and how you can reduce your risk of falling victim to attacks like CyberBlink.