Tag Archive for: cisco

Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability


Feb 16, 2024NewsroomRansomware / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that it’s being likely exploited in Akira ransomware attacks.

The vulnerability in question is CVE-2020-3259 (CVSS score: 7.5), a high-severity information disclosure issue that could allow an attacker to retrieve memory contents on an affected device. It was patched by Cisco as part of updates released in May 2020.

Late last month, cybersecurity firm Truesec said it found evidence suggesting that it has been weaponized by Akira ransomware actors to compromise multiple susceptible Cisco Anyconnect SSL VPN appliances over the past year.

Cybersecurity

“There is no publicly available exploit code for […] CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to buy or produce exploit code themselves, which requires deep insights into the vulnerability,” security researcher Heresh Zaremand said.

According to Palo Alto Networks Unit 42, Akira is one of the 25 groups with newly established data leak sites in 2023, with the ransomware group publicly claiming nearly 200 victims. First observed in March 2023, the group is believed to share connections with the notorious Conti syndicate based on the fact that the ransom proceeds have been routed to Conti-affiliated wallet addresses.

In the fourth quarter of 2023 alone, the e-crime group listed 49 victims on its data leak portal, putting it behind LockBit (275), Play (110), ALPHV/BlackCat (102), NoEscape (76), 8Base (75), and Black Basta (72).

Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by March 7, 2024, to secure their networks against potential threats.

CVE-2020-3259 is far from the only flaw to be exploited for delivering ransomware. Earlier this month, Arctic Wolf Labs revealed the abuse of CVE-2023-22527 – a recently uncovered shortcoming in Atlassian Confluence Data Center and Confluence Server – to deploy C3RB3R…

Source…

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks


Dec 15, 2023NewsroomBotnet / Advanced Persistent Threat

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.

Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022.

“The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years,” the company said.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it’s too late. Register for our webinar today.

Join Now

The two clusters – codenamed KV and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China.

While the bots part of JDY engages in broader scanning using less sophisticated techniques, the KY component, featuring largely outdated and end-of-life products, is assessed to be reserved for manual operations against high-profile targets selected by the former.

It’s suspected that Volt Typhoon is at least one user of the KV-botnet and it encompasses a subset of their operational infrastructure, which is evidenced by the noticeable decline in operations in June and early July 2023, coinciding with the public disclosure of the adversarial collective’s targeting of critical infrastructure in the U.S.

Microsoft, which first exposed the threat actor’s tactics, said it “tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.”

The exact initial infection mechanism process used to breach the devices is currently unknown. It’s followed by the first-stage malware…

Source…

Cisco patches IOS XE zero-days used to hack over 50,000 devices


Cisco has released a patch to fix two high-severity flaws that were being abused in the wild to take over vulnerable endpoints. 

The first fixed version is 17.9.4a, and IT admins are urged to apply it immediately and secure their premises. The patch can be found in the company’s Software Download Center.

Source…

Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says


Hackers believed to be based in Kazakhstan are targeting other members of the Commonwealth of Independent States in a wide-ranging espionage campaign, according to new research.

Cisco’s Talos group has spent months tracking YoroTrooper — a hacking group focused on espionage that first emerged in June 2022. Researchers said the group’s targets, use of Kazakh currency, and fluency in Kazakh and Russian is part of what led them to believe the hackers are based in Kazakhstan.

YoroTrooper appears to have performed defensive actions in protecting the Kazakhstani state-owned email service and have only ever attacked the Kazakh government’s Anti-Corruption Agency.

Asheer Malhotra, a Cisco Talos threat researcher, told Recorded Future News that the group has actively tried to disguise its operations to make it seem like the attacks are coming from Azerbaijan in an attempt to “generate false flags and mislead attribution.”

“In terms of their modus operandi, their tactics and tools aren’t very sophisticated, however YoroTrooper has still enjoyed a substantial amount of success compromising targets in CIS [Commonwealth of Independent States] countries over the past two years, owing to their aggressive attempts to target their victims. Further, the threat actor shows no signs of slowing down in spite of Cisco Talos’ initial disclosure detailing YoroTrooper’s activities earlier this year,” Malhotra said.

Cisco Talos tracked attacks involving institutions and officials in Azerbaijan, Tajikistan, Kyrgyzstan, Uzbekistan, using VPN services to make it look like their hacks come from Azerbaijan.

The hackers compromised multiple state-owned websites and accounts belonging to government officials between May 2023 and August 2023.

Most of the attacks start with phishing emails and deploy custom-made malware that allows the group to steal data and credentials.

Screen Shot 2023-10-25 at 2.54.41 PM.png
Countries attacked by YoroTrooper. Image: Cisco Talos

Researchers found the hackers using Russian in their attempts to debug their tools while also visiting numerous websites written in Kazakh. In June the hackers began using Uzbek in their code, another language spoken widely in Kazakhstan.

The hackers use cryptocurrency…

Source…