RIPPLE20: FINDING VULNERABLE DEVICES AND DETECTING ATTACKS
You've probably heard about Ripple20, but why is it so significant and how will you know if your environment is affected? Ripple20 is a series of recent vulnerabilities discovered by JSOF in devices that contain the Treck networking stack. The Treck stack has been in use in embedded devices for more than twenty years. Hundreds of millions of devices in the industrial controls, networking, transportation, retail, oil and gas, medical, and other fields that use the Treck software are now known to be vulnerable to exploits.
Unfortunately, these devices can be hard to identify and even harder to patch. So what should you do if you have (or don't know whether you have) Treck devices in your environment? The safest route might be to remove or replace some of these devices, since they are often relatively inexpensive printers or other devices that may be aging out. That's not an easy task, to be sure, and it requires an accurate inventory of affected devices. Scanning for these devices can impact your network and its performance. And what about the attackers who are in your systems scanning for these devices as well? Can you detect them? Our ExtraHop threat research team took a deep dive into Ripple20 and has outlined what you need to be looking for to detect this vulnerability. Let's step through how that works.