When Security Assets Become Liabilities

In the fight for sustained security, operators rely on a variety of tools and technologies to help get the job done — but without strategic alignment, consistent oversight, and proper integration, those tools can work against you. Instead of fortifying your infrastructure, they can introduce new risks, create chaos, disrupt workflows, and weaken the very systems they were supposed to protect.
Infrastructure is often built and expanded in a patchwork manner. That’s the nature of the beast. But it’s not without consequence.
Legacy tech that once served all your needs will reach its limits and need to be replaced or supplemented, at least for certain parts and purposes of the network. And it won’t always be so neatly defined. Naturally this results in a non-uniformity to the attack surface that can make it difficult to defend. But it can also result in infrastructural overlap.
For example, a given endpoint may have multiple EDRs installed. It’s not supposed to happen, but it does. If both are activated, they will conflict with each other. When this happens, administrators might inadvertently deactivate the wrong agent, or even both — and undermine overall security.
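A configuration-posture check of the kind this scenario calls for, written as an added example (not GYTPOL's code): it walks a constructed agent inventory in a hypothetical (host, product, running) format with placeholder EDR product names, and flags hosts running two EDR agents at once, hosts where every agent has been stopped, and hosts where a superseded agent was never removed.

```python
from collections import defaultdict

# Added example (not GYTPOL's code). Installed products that count as EDR
# agents; the names are placeholders, not real vendors.
EDR_PRODUCTS = {"EDR-A", "EDR-B", "EDR-C"}

# Constructed inventory rows in a hypothetical (hostname, product, is_running) format.
SAMPLE_INVENTORY = [
    ("ws-01", "EDR-A", True),
    ("ws-01", "Backup Agent", True),
    ("ws-02", "EDR-A", True),          # two active EDRs: they will conflict
    ("ws-02", "EDR-B", True),
    ("ws-03", "EDR-A", False),         # both agents stopped: no coverage at all
    ("ws-03", "EDR-B", False),
    ("ws-04", "EDR-B", True),          # old agent left installed, only one active
    ("ws-04", "EDR-C", False),
    ("ws-05", "Backup Agent", True),   # no EDR installed at all
]

def find_edr_findings(inventory):
    """Return {host: verdict} with verdict one of
    'conflict'      more than one EDR agent running,
    'uncovered'     no EDR agent running (none installed, or all stopped),
    'stale_install' one running, but another EDR still installed,
    'ok'            exactly one EDR installed and running."""
    installed, active = defaultdict(set), defaultdict(set)
    hosts = set()
    for host, product, running in inventory:
        hosts.add(host)
        if product in EDR_PRODUCTS:
            installed[host].add(product)
            if running:
                active[host].add(product)
    findings = {}
    for host in hosts:
        if len(active[host]) > 1:
            findings[host] = "conflict"
        elif not active[host]:
            findings[host] = "uncovered"
        elif len(installed[host]) > 1:
            findings[host] = "stale_install"
        else:
            findings[host] = "ok"
    return findings

if __name__ == "__main__":
    for host, verdict in sorted(find_edr_findings(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```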
Of course, with any tool you also have the potential problem of over-confidence that can result in blind spots. EDRs, for example, are supposed to alert you to any sign of intrusion. But they’re not perfect and they can be circumvented; for instance by weaponizing remotely controlled task-schedulers or non-traditional agents that such tools may fail to register.
The fact is any time you assume you’re covered and let your guard down, you run the risk of opening yourself up to attacks that live off the land. Creating a resilient network therefore takes more than stockpiling tools. It takes layers of control and oversight thoughtfully integrated to monitor and proactively address risks before they’re exploited.
In the span of this article, we’ll detail a handful of real-world examples where security assets backfired and proved to be liabilities. But don’t despair. The goal is not to scare you off of technology, but to emphasize the need for constant vigilance, awareness, discipline, and posture management to go along with the right technology, people, and processes.
The Misfortune and Disaster of MERCURY and DEV-1084
In April 2023, a cyberattack led by MERCURY and DEV-1084 targeted hybrid cloud environments, exposing a significant risk: unintended exposure created by centralized security controls. The incursion leveraged Group Policy Objects (GPOs), a cornerstone of Microsoft’s hybrid cloud security tools. Suddenly what was supposed to be a potent mechanism for preserving security became the assailant's most effective weapon.
The breach began with compromising legitimate credentials, likely acquired through social engineering or another initial access tactic. With these credentials in hand, the attackers manipulated the inherent trustworthiness of GPOs, allowing them to distribute wiper malware throughout the local and cloud systems. The same expedience that makes GPO such a valuable security tool turned it into a particularly potent attack vector, capable of delivering harmful payloads without an ounce of resistance.
The attack by MERCURY and DEV-1084 is a poignant reminder of the need for granular and context-aware oversight — even of your security tools — to make sure everything is working how it's meant to.
A Complete Supply Chain Attack, Thanks to SolarWinds
For decades, SolarWinds has been a central player in IT infrastructure. Founded in 1999, its solutions have enabled businesses to monitor and optimize their networks, applications, and databases across hybrid environments.
Focusing on IT service management, misconfigured security, and data observability, SolarWinds' popular security solutions have been quickly adopted by Fortune 500 companies and federal agencies, making it a well-recognized member of tech stacks worldwide.
Among SolarWinds' offerings is Orion — a platform for network performance monitoring, server visibility, and configuration management, all managed through a centralized web interface. While serving users with success for years, Orion’s prominence made it a focal point of one of the most sophisticated cyberattacks in recent memory.
The attack began when compromised credentials granted attackers access to SolarWinds’ internal network. From there, the hackers moved laterally into the company’s software development environment, planting a backdoor named SUNBURST within a legitimate Orion DLL file.
The backdoor was distributed to the company’s customers in the course of routine software updates. Unbeknownst to users — including U.S. government agencies and prominent corporations — these updates gave intruders access to thousands of networks.
After lying dormant for weeks, SUNBURST initiated contact with its command-and-control servers, masquerading as legitimate SolarWinds traffic. This sophisticated disguise allowed attackers to operate undetected, executing remote commands, escalating privileges, stealing credentials, and exfiltrating sensitive data.
The breach remained unseen for months, granting the attackers unparalleled access to high-value systems and confidential data.
In the end, affected companies faced average costs of $12 million per organization, with U.S. users hit especially hard — wiping out some 14% of revenue for impacted organizations.
When Firewalls Fight Back — A Sophos Infiltration
Between 2018 and 2023, Chinese threat actors (APT41, APT31, and Volt Typhoon) systematically turned Sophos firewalls into their own offensive firepower — demonstrating the inherent vulnerability of over-relying on any one security mechanism.
The attackers spent years uncovering weaknesses in Sophos firewalls. Their efforts came to a head in April 2020 when they weaponized a zero-day vulnerability, CVE-2020-12271, in the XG Firewall product. This flaw allowed them to deploy Asnarök malware, facilitating unauthorized access.
While Sophos scrambled to cooperate with European law enforcement, seizing the server responsible for deploying Asnarök, the crisis was only beginning.
Initially, attackers launched widespread, indiscriminate campaigns to exploit Sophos devices wherever possible. But over time, they pivoted to targeted operations, focusing on infrastructure in the Indo-Pacific region. This shift reduced detection while maximizing impact — a recipe for disaster by any standard.
Sophos launched a persistent counteroffensive by monitoring attacker activities, identifying compromised devices, and deploying patches to mitigate malicious action.
Sophos’ CEO, Joe Levy, urged the replacement of end-of-life products — calling on security vendors to more effectively communicate end-of-life dates and on users to decommission unsupported devices before they become liabilities.
Of course, this also served to underscore the importance of timely patch management and proactive mitigation in cases where patching is not an option or will be delayed.
PAN-OS: Rife With Unauthorized Access
In November 2024, Palo Alto Networks’ PAN-OS — the operating system that powers its firewalls — was revealed to have a critical vulnerability, CVE-2024-0012. This flaw allowed unauthenticated attackers access to the firewall’s management interface, bypassing authentication and granting administrative privileges. What should have been an impenetrable line of defense was now an open resource for hostile actions.
Exploiting the weakness, attackers were able to tamper with firewall configurations, deploying malicious payloads and using additional vulnerabilities like CVE-2024-9474. This companion vulnerability gave attackers administrative access to execute commands with root privileges — amplifying their destructive capabilities.
The result? Over 2,000 internet-facing Palo Alto firewalls compromised. Once infiltrated, web shells and malicious implants were installed, enabling continuous remote access to the affected systems.
Cisco’s Rush To Fix ASA ASAP
In December 2024, Cisco faced the surprising exploitation of a long-dormant vulnerability in its Adaptive Security Appliance software. CVE-2014-2120, a cross-site scripting flaw identified almost a decade earlier, was used to target the WebVPN login page. This allowed unauthenticated remote attackers to inject malicious scripts directly into the browser context of unsuspecting users.
The flaw originated from insufficient input validation on the WebVPN login page. By manipulating unspecified parameters, attackers could inject arbitrary scripts or HTML to trigger unauthorized actions once users interacted with a malicious link.
While exploitation required real user interaction (i.e. clicking a link), successful execution could result in data theft, session hijacking, and further unauthorized browser actions. Despite the high stakes and available patches, many systems remained unpatched, leaving them wide open to threat actors.
Fast-forward to late 2024, when Cisco’s Product Security Incident Response Team observed renewed attempts to exploit this vulnerability in the wild. Recognizing the growing threat, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalog — urging federal agencies and organizations to address the flaw immediately.
As the saying goes, it’s only a matter of time until what was once old becomes new again. By exploiting the Cisco ASA vulnerability, bad actors turned what should have been a secure tool for remote access into an easy avenue for cyberattacks. And just like that, hackers developed renewed interest and found renewed traction in a vulnerability identified 10 years earlier.
While we may perceive threats as coming in waves and think we're okay so long as we withstand the initial onslaught, the reality is more daunting. You're only ever safe from an attack vector when you take, maintain, and monitor measures to lock down the attack path.
Only with constant vigilance can your security be assured. It’s a powerful reminder of the need to proactively manage your cyber posture — leaving no stone unturned and presuming no risks safe.
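One way to operationalize the patch-management lesson of the Sophos, PAN-OS and Cisco ASA cases, as an added example (not the vendors' or GYTPOL's code): match a scanner's per-device CVE findings against the CISA Known Exploited Vulnerabilities catalog and rank the exposures by how far past the KEV due date they are. KEV_SAMPLE mimics the field names of the real KEV JSON feed but is a constructed excerpt with placeholder dates; ASSETS is a constructed inventory in a hypothetical format.

```python
import json
from datetime import date

# Added example (not Cisco's, Palo Alto's or GYTPOL's code). KEV_SAMPLE is a
# constructed excerpt that mimics the field names of CISA's KEV JSON feed
# (cveID, vendorProject, product, dueDate); the dates are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2014-2120", "vendorProject": "Cisco", "product": "ASA", "dueDate": "2024-12-23"},
    {"cveID": "CVE-2024-0012", "vendorProject": "Palo Alto Networks", "product": "PAN-OS", "dueDate": "2024-12-09"},
    {"cveID": "CVE-2024-9474", "vendorProject": "Palo Alto Networks", "product": "PAN-OS", "dueDate": "2024-12-09"},
    {"cveID": "CVE-2020-12271", "vendorProject": "Sophos", "product": "XG Firewall", "dueDate": "2022-05-03"},
]})

# Constructed asset inventory: CVEs a scanner has reported per device (hypothetical format).
ASSETS = [
    {"host": "fw-edge-01", "known_cves": ["CVE-2024-0012", "CVE-2024-9474"]},
    {"host": "vpn-asa-01", "known_cves": ["CVE-2014-2120"]},
    {"host": "fw-branch-07", "known_cves": ["CVE-2020-12271"]},
    {"host": "app-01", "known_cves": ["CVE-0000-0000"]},  # placeholder id, not in the catalog
]

def kev_index(kev_json):
    """Map cveID -> catalog entry so each reported CVE is one dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def prioritize_kev_exposures(assets, kev_json, today):
    """Return the reported CVEs that appear in KEV, most overdue first.
    days_past_due is negative while the KEV due date is still in the future."""
    kev = kev_index(kev_json)
    hits = []
    for asset in assets:
        for cve in asset["known_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not known-exploited: lower priority, but not ignored elsewhere
            due = date.fromisoformat(entry["dueDate"])
            hits.append({"host": asset["host"], "cve": cve,
                         "product": f'{entry["vendorProject"]} {entry["product"]}',
                         "days_past_due": (today - due).days})
    # Stable sort keeps a host's CVEs together when they are equally overdue.
    hits.sort(key=lambda h: h["days_past_due"], reverse=True)
    return hits

def kev_report(today_iso):
    """Run the check over the constructed inventory for the given ISO date."""
    return prioritize_kev_exposures(ASSETS, KEV_SAMPLE, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for hit in kev_report("2025-01-15"):
        print(f'{hit["host"]:14} {hit["cve"]:15} {hit["product"]:26} {hit["days_past_due"]:>5} days past due')
```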
The CrowdStrike Outage — When Connectivity Becomes A Concern
It’s hard to forget that sunny day in July 2024 that suddenly turned dark when an errant CrowdStrike install brought down millions of Windows devices. A routine update to CrowdStrike’s Falcon sensor, known for its advanced endpoint protection, turned security on its head and spiraled into a global IT disaster.
Industries spanning healthcare, aviation, and finance were at a complete standstill as millions of devices worldwide were rendered inoperable and organizations scrambled to recover.
The disruption took root when the update mistakenly flagged critical system files as malicious. Fully automated processes quarantined these files, triggering widespread system crashes. Unfortunately, the problem couldn’t be remotely resolved (unless you're a GYTPOL customer or used GYTPOL’s workaround) since a manual safe-mode reboot was required to delete a kernel-level system file.
This was not solely a failure of technology, but of controls. And a reminder of how fragile systems can become when intricately interconnected and inter-dependent. It’s important to maintain due operational agility — avoiding single points of failure, architectural lock-in, and unchecked automation.
Have Your Security Tools Made You Complacent?
Security solutions and assets are built to defend, but when left unchecked, they can become liabilities. Recent years have shown us this reality time and time again. From firewalls to endpoint protection systems and centralized management tools, trusted solutions have backfired catastrophically due to a lack of oversight into their use and environmental ramifications.
This speaks to the need for granular levers of control and the ability to monitor not just for technical flaws, failures, and network traffic, but for how technology is used and configured.
Without proactive measures, even the most trusted tools can become weak links in an organization’s defenses. To succeed, organizations should prioritize:
- Continuous configuration management to improve posture and eliminate gaps.
- A zero-trust architecture to enforce the principle of least privilege (PoLP) and ensure all access is verified and monitored.
- Clear communication between services to eliminate blind spots and integrate tools that work cohesively across the entire infrastructure.
While EDRs, firewalls, and other standard-fare tools are valuable, they are far from infallible — with limited visibility into broader dependencies and goings-on potentially creating blind spots attackers can exploit.
By bridging gaps that traditional tools leave behind, GYTPOL can provide your organization with an additional layer of vigilance and guarantee that your security solutions operate in alignment (and never at cross-purposes) to ensure airtight security.
About Author

Mor Bikovsky