Tag Archive for: cisco

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks


Dec 15, 2023 | Newsroom | Botnet / Advanced Persistent Threat

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.

Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022.

“The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years,” the company said.


The two clusters – codenamed KV and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China.

While the bots that form the JDY cluster engage in broader scanning using less sophisticated techniques, the KV component, made up largely of outdated and end-of-life products, is assessed to be reserved for manual operations against high-profile targets selected by the former.

It’s suspected that Volt Typhoon is at least one user of the KV-botnet and that the botnet makes up a subset of the group’s operational infrastructure. This is evidenced by the noticeable decline in botnet operations in June and early July 2023, coinciding with the public disclosure of the adversarial collective’s targeting of critical infrastructure in the U.S.

Microsoft, which first exposed the threat actor’s tactics, said it “tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.”

The exact initial infection mechanism used to breach the devices is currently unknown. It’s followed by the first-stage malware…

Source…

Cisco patches IOS XE zero-days used to hack over 50,000 devices


Cisco has released a patch to fix two high-severity flaws that were being abused in the wild to take over vulnerable devices.

The first fixed version is 17.9.4a, and IT admins are urged to apply it immediately and secure their premises. The patch can be found in the company’s Software Download Center.

Source…

Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says


Hackers believed to be based in Kazakhstan are targeting other members of the Commonwealth of Independent States in a wide-ranging espionage campaign, according to new research.

Cisco’s Talos group has spent months tracking YoroTrooper — a hacking group focused on espionage that first emerged in June 2022. Researchers said the group’s targets, its use of Kazakh currency, and its fluency in Kazakh and Russian are part of what led them to believe the hackers are based in Kazakhstan.

YoroTrooper appears to have performed defensive actions to protect the Kazakhstani state-owned email service and has only ever attacked the Kazakh government’s Anti-Corruption Agency.

Asheer Malhotra, a Cisco Talos threat researcher, told Recorded Future News that the group has actively tried to disguise its operations to make it seem like the attacks are coming from Azerbaijan in an attempt to “generate false flags and mislead attribution.”

“In terms of their modus operandi, their tactics and tools aren’t very sophisticated, however YoroTrooper has still enjoyed a substantial amount of success compromising targets in CIS [Commonwealth of Independent States] countries over the past two years, owing to their aggressive attempts to target their victims. Further, the threat actor shows no signs of slowing down in spite of Cisco Talos’ initial disclosure detailing YoroTrooper’s activities earlier this year,” Malhotra said.

Cisco Talos tracked attacks involving institutions and officials in Azerbaijan, Tajikistan, Kyrgyzstan, and Uzbekistan, in which the group used VPN services to make its hacks appear to come from Azerbaijan.

The hackers compromised multiple state-owned websites and accounts belonging to government officials between May 2023 and August 2023.

Most of the attacks start with phishing emails and deploy custom-made malware that allows the group to steal data and credentials.

[Figure: Countries attacked by YoroTrooper. Image: Cisco Talos]

Researchers found the hackers using Russian in their attempts to debug their tools while also visiting numerous websites written in Kazakh. In June the hackers began using Uzbek in their code, another language spoken widely in Kazakhstan.

The hackers use cryptocurrency…

Source…

Cisco Patches Two Dangerous Zero-Day Vulnerabilities


The vulnerabilities, one of which was rated critical and one of which was rated highly severe, affect Cisco IOS XE software.


Cisco has patched two zero-day vulnerabilities that exposed Cisco IOS XE system software hosts to attackers. These vulnerabilities affected devices running the Cisco IOS XE software, such as routers and switches.

The update, including the patches, is available at Cisco’s software download portal. Customers who do not have a Cisco service contract or cannot obtain fixed software through their third-party vendors can contact Cisco support.


Cisco Threat Intelligence Group releases fixes and new curl command for IOS XE vulnerability

Fixes for CVE-2023-20198 and CVE-2023-20273 started to roll out on October 22, the Cisco Talos Intelligence Group wrote in a threat advisory updated on October 23.

The fixes appear in the 17.9.4a update to the 17.9 Cisco IOS XE software release train, according to the U.S. Cybersecurity & Infrastructure Security Agency.

CVE-2023-20198 allowed attackers to exploit a vulnerability in the Web UI of Cisco IOS XE software to gain privilege level 15 access. CVE-2023-20273 allowed an attacker with privilege level 15 access to inject commands with root privileges. In the Common Vulnerability Scoring System, CVE-2023-20198 is rated critical, and CVE-2023-20273 is rated high severity.

On October 22, Cisco provided a new curl command to check for infected devices. The curl command can be found in the threat advisory.

On October 23, the Cisco Talos Intelligence Group identified an updated version of the implant that allows the attackers to execute arbitrary commands at the system level or IOS level (Figure A). The fixes address the updated version of the implant. This updated implant, together with Fox-IT’s discovery that attackers may have hidden themselves over the last few days, shows that the vulnerability is still being exploited.

Figure A: The updated malicious implant used as part of the exploitable vulnerability. Image: Cisco Talos Intelligence Group

The IOS XE vulnerabilities were first discovered on September 28

Cisco first began to suspect something was wrong on…

Source…