Small business, mighty attack surface


By Douglas McKee · August 9, 2022

If given the chance to name the first five businesses that come to mind, what would they be? Maybe if you are close to the security industry you might suggest names like Microsoft, Apple or Google. Maybe your mind may drift to giants such as Disney, Coca-Cola, Amazon or Walmart. What if we consider what would be top of mind for threat actors, would the list be the same? In 2020 the U.S Small Business Administration reported that there are 6 million small businesses with fewer than 500 employees in contrast to around 20K large businesses. Small business made up for over 10 million new jobs in the last decade compared to around 5 million for large businesses. While we may forget about this massive attack surface, our adversaries have not.

According to RiskRecon, during 2020 and 2021, data breaches at small businesses globally jumped 152%, while during the same time period breaches at larger organizations rose 75%. Just like a contractor wouldn’t use the same tools, techniques, and tactics to dig a post hole as they would for a swimming pool – malicious actors adjust what they target to ensure they effectively compromise the vast landscape of small business.

Recently CISA released an advisory about People’s Republic of China (PRC) state-sponsored exploitation of network devices typically used in Small Office and Home Office (SOHO) settings. Included in this list is CVE-2020-8515, related to a DrayTek small business router. At Trellix, our vulnerability research team is constantly working to anticipate high value targets for well-known threat actors going after the enterprise sector. Today, we released brand new research disclosing a new zero-day vulnerability, CVE-2022-32548, which is a pre-authentication attack that allows for complete control of the Vigor 3910, DrayTek’s latest small business router.

Why does yet another vulnerability in a SOHO router matter? Because in 2019, 360Netlab Threat Detection System observed two different attack groups using two zero-day vulnerabilities targeting various DrayTek Vigor enterprise router. Because in March of 2022, Barracuda reported small businesses are three times more likely to be targeted by cybercriminals than larger companies. Because just last month the ZuoRAT malware was observed infecting numerous SOHO router manufacturers, including ASUS, Cisco, DrayTek and NETGEAR. In short, it matters because major threat actors like the PRC are dictating it matters.

Edge devices themselves, such as routers and firewalls are rather uninteresting, however these devices are the gateway that protect the soft underbellies of companies. Once compromised, it’s the open doorway into the rest of a network that is enticing for the adversary to perform the same level of research our team performs. A compromised edge device can lead to intellectual property theft, 

sensitive customer or employee data loss, access to camera feeds, the opportunity to simplify the deployment of ransomware and in some cases a foothold into a network for years to come.

When talking specifically about small business, Chad Paalman, the CEO of NuWave Technology Partners indicated, “They [small business leaders] assume that if they have a firewall, then they have a padlock on the door and no one can get in. They also assume that if their security has been outsourced to a managed service provider (MSP), log monitoring is happening, or the service includes intrusion detection.” This misinformation or mindset is dangerous to small businesses. It is imperative to understand you are a target no matter the size or type of business. Data continues to demonstrate that not only is this space a target but often a more likely target. It is critical for SOHO and SMB users to understand their networks, stay update to date on all vendor patches and immediately report breeches to law enforcement. Additionally, the support of 3rd party security auditing like the release of our DrayTek research today further strengthens the entire industry. We would like to complement DrayTek’s response and support of our research, clearly demonstrating their security first mindset and desire to help protect the SOHO market.

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy | Trellix. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability.


Please enter your comment!
Please enter your name here