When Firewalls Fail: Understanding and Mitigating Cyber Intrusions

Introduction

Firewalls are often seen as the frontline defense against cyber threats, but what happens when they become the target? In a recent Tech Talk session, cybersecurity expert Dan Gunter discussed the alarming reality of firewall vulnerabilities, using the Volt Typhoon cyber intrusion report as a case study. This article explores how attackers exploit firewalls, why traditional defenses fall short, and what organizations can do to detect and prevent such threats.

The Volt Typhoon Threat: A Case Study in Stealthy Cyber Intrusions

Volt Typhoon is a China-based cyber intrusion group that has been actively infiltrating both IT and industrial networks. Unlike many threat actors that deploy custom malware, Volt Typhoon operates by “living off the land,” using built-in features of Windows and other operating systems. This tactic allows them to blend seamlessly with normal network activity, making detection extremely difficult.

The group has been observed collecting valid user credentials for over five years, allowing them to bypass traditional security measures. Their approach is not about causing immediate damage but rather about establishing persistent access that can be leveraged in the future—potentially during geopolitical conflicts.

How Firewalls Become Targets

Firewalls are designed to protect networks from external threats, but ironically, they are often one of the most exposed systems in an organization. Attackers target them because:

  1. They are Publicly Accessible – Firewalls and VPN gateways are often internet-facing, making them prime targets for exploitation.
  2. They Contain Vulnerabilities – Like any other software, firewalls have bugs and security flaws that can be exploited.
  3. They Control Network Access – Gaining access to a firewall allows an attacker to manipulate traffic, steal data, or create persistent access points.

A key example is CVE-2022-42475, a Fortinet SSL VPN vulnerability that was actively exploited. In some cases, organizations had failed to patch their systems, leaving them vulnerable for extended periods.

Tactics Used by Attackers

Volt Typhoon and other Advanced Persistent Threats (APTs) employ a variety of techniques to compromise firewalls:

  • Exploiting Public-Facing Applications (ATT&CK technique T1190) – Attackers target internet-exposed products from vendors such as Fortinet, Pulse Secure, Netgear, Cisco, and Citrix.
  • Using Public and Zero-Day Exploits – Some attack methods leverage known exploits available on GitHub, while others involve zero-day vulnerabilities that vendors have not yet patched.
  • Manipulating Log Files – To maintain stealth, attackers often modify or disable logging mechanisms, making it harder for defenders to detect unauthorized access.
  • Establishing Outbound C2 Communications – Once inside, attackers set up Command and Control (C2) servers to communicate with compromised devices without raising suspicion.

These techniques enable adversaries to maintain long-term access while avoiding detection by traditional security tools.

How to Detect and Mitigate Firewall Compromises

Since attackers use stealthy techniques, organizations need to adopt proactive monitoring and defensive strategies to detect and prevent intrusions. Here are some recommended approaches:

1. Network Analytics & Endpoint Monitoring

  • Treat firewalls as both a security device and an endpoint—monitor their activity closely.
  • Look for outbound traffic anomalies, especially unusual encrypted connections that might indicate C2 communication.

2. Log Inspection & External Taps

  • Since attackers may manipulate firewall logs, use external monitoring tools like Zeek (formerly Bro IDS) and PCAP analysis on a network tap the firewall cannot tamper with to identify suspicious activity.
  • Compare external and internal traffic flows to detect discrepancies that may indicate a compromised firewall.
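As an added example (not code from the talk or from Insane Cyber), the script below implements the tap comparison from points 1 and 2 on constructed Zeek conn.log records: an outbound flow seen on the external tap that leaves from the firewall's public address with no matching client flow on the internal tap has nobody behind the NAT asking for it, so the firewall itself originated it. The firewall address, internal range, allowlist and sample lines are all assumptions.

```python
import ipaddress

FW_PUBLIC_IP = "203.0.113.10"               # assumed: firewall's outside/NAT address
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_DESTS = {("198.51.100.5", 443)}      # assumed: known vendor update endpoint
MATCH_WINDOW = 2.0                           # seconds between an inside flow and its NAT'd twin

def parse_conn_log(text):
    """Parse Zeek TSV conn.log using its #fields header; returns a list of dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def firewall_originated(external_rows, internal_rows):
    """Outside flows from the firewall's public IP with no inside flow to the same
    destination within MATCH_WINDOW; allowlisted destinations are ignored."""
    inside = [r for r in internal_rows
              if ipaddress.ip_address(r["id.orig_h"]) in INTERNAL_NET
              and ipaddress.ip_address(r["id.resp_h"]) not in INTERNAL_NET]
    flagged = []
    for ext in external_rows:
        dest = (ext["id.resp_h"], int(ext["id.resp_p"]))
        if ext["id.orig_h"] != FW_PUBLIC_IP or dest in ALLOWED_DESTS:
            continue
        matched = any((r["id.resp_h"], int(r["id.resp_p"]), r["proto"]) == dest + (ext["proto"],)
                      and abs(float(r["ts"]) - float(ext["ts"])) <= MATCH_WINDOW
                      for r in inside)
        if not matched:
            flagged.append((ext["ts"], dest[0], dest[1]))
    return flagged

# Constructed sample records (not real captures); real conn.log has more columns.
HEADER = "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
EXTERNAL_TAP = HEADER + "\n".join([
    "1700000000.1\tC1\t203.0.113.10\t40001\t198.51.100.20\t443\ttcp",  # NAT'd user session
    "1700000003.0\tC2\t203.0.113.10\t40002\t198.51.100.5\t443\ttcp",   # allowlisted vendor
    "1700000060.0\tC3\t203.0.113.10\t40003\t192.0.2.77\t8443\ttcp",    # no inside twin
])
INTERNAL_TAP = HEADER + "\n".join([
    "1700000000.0\tC4\t10.0.5.23\t51000\t198.51.100.20\t443\ttcp",
    "1700000002.5\tC5\t10.0.5.40\t51001\t198.51.100.5\t443\ttcp",
])

def find_suspicious():
    """Run the comparison over the constructed taps; returns (ts, host, port) tuples."""
    return firewall_originated(parse_conn_log(EXTERNAL_TAP), parse_conn_log(INTERNAL_TAP))
```

The only hit is the 192.0.2.77:8443 connection: it leaves the firewall's public address with no client behind it, which is the pattern a compromised firewall beaconing to C2 would produce.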

3. Behavior-Based Detection

  • Use AI-driven analytics to identify unusual firewall behaviors, such as internal network scanning or unauthorized configuration changes.
  • Monitor authentication attempts—especially from accounts that haven’t been used in a long time.

4. Prioritize Patching & Vulnerability Management

  • Apply security patches as soon as they are released to prevent attackers from exploiting known vulnerabilities.
  • Conduct regular vulnerability scans to identify unpatched systems.

5. Strengthen Network Architecture & Segmentation

  • Treat external VPN connections with caution, as compromised remote endpoints could provide attackers with network access.
  • Segment critical infrastructure to limit lateral movement in case of a breach.

Conclusion: Trust, but Verify

Firewalls are essential to cybersecurity, but they are not invulnerable. The Volt Typhoon case highlights how determined attackers can exploit vulnerabilities in publicly facing applications to gain persistent access. To stay ahead of these threats, organizations must adopt a multi-layered defense strategy that includes network analytics, log inspection, behavior-based detection, and rigorous patching protocols.

Final Thought:

Cybersecurity is not just about building barriers—it’s about constantly monitoring, adapting, and thinking like an attacker. Organizations that trust but verify their security measures will be far better equipped to withstand sophisticated threats like Volt Typhoon.
