Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cisco. Show all posts
VoIP
Cisco Data Breach Employee Data Information Security Multi-Factor Authentication (MFA) SMS Supply chain vulnerability third party VoIP

Cisco Duo raises awareness over a breach in third-party data security, revealing the exposure of SMS MFA logs.

 

In the ever-evolving landscape of cybersecurity, safeguarding sensitive information and ensuring secure access to corporate networks are paramount concerns for organizations worldwide. Recently, Cisco Duo, a leading provider of multi-factor authentication (MFA) and Single Sign-On services, found itself grappling with a significant breach that shed light on the evolving threats confronting modern enterprises. 

On April 1, 2024, Cisco Duo's security team sent out a warning to its extensive customer base regarding a cyberattack targeting their telephony provider, which handles the transmission of SMS and VoIP MFA messages. According to reports, threat actors leveraged employee credentials acquired through a sophisticated phishing attack to infiltrate the provider's systems. 

Following the breach, the attackers successfully obtained and extracted SMS and VoIP MFA message logs linked to specific Duo accounts, covering the timeframe from March 1, 2024, to March 31, 2024. The ramifications of this breach are deeply concerning. While the provider assured that the threat actors did not access the contents of the messages or utilize their access to send messages to customers, the stolen message logs contain data that could be exploited in targeted phishing campaigns. 

This poses a significant risk to affected organizations, potentially resulting in unauthorized access to sensitive information, including corporate credentials. In response to the breach, Cisco Duo swiftly mobilized, collaborating closely with the telephony provider to conduct a thorough investigation and implement additional security measures. The compromised credentials were promptly invalidated, and robust measures were instituted to fortify defenses and mitigate the risk of recurrence. 

Additionally, the provider furnished Cisco Duo with comprehensive access to all exposed message logs, enabling a meticulous analysis of the breach's scope and impact. Despite these proactive measures, Cisco Duo has urged affected customers to exercise heightened vigilance against potential SMS phishing or social engineering attacks leveraging the stolen information. Organizations are advised to promptly notify users whose phone numbers were contained in the compromised logs, educating them about the risks associated with social engineering tactics. 

Furthermore, Cisco has emphasized the importance of promptly reporting any suspicious activity and implementing proactive measures to mitigate potential threats. This incident serves as a stark reminder of the persistent and evolving threat landscape faced by organizations in today's digital age. As reliance on MFA and other security solutions intensifies, proactive monitoring, regular security assessments, and ongoing user education are indispensable components of an effective cybersecurity posture. 

Moreover, the Cisco Duo breach underscores the broader issue of supply chain vulnerabilities in cybersecurity. While organizations diligently fortify their internal defenses, they remain susceptible to breaches through third-party service providers. Hence, it is imperative for businesses to meticulously evaluate the security practices of their vendors and establish robust protocols for managing third-party risks. 

As the cybersecurity landscape continues to evolve, organizations must remain agile, adaptive, and proactive in their approach to cybersecurity. By prioritizing robust security measures, fostering a culture of cyber resilience, and fostering close collaboration with trusted partners, organizations can effectively mitigate risks and safeguard their digital assets in the face of evolving threats.
Read more »
Zero Trust
Cisco Cisco Security CISO CISO perspective Cyber Security Identity Market Security Solutions Zero Trust

Cisco: Leadership Awareness Fuels the Booming Identity Market


The latest research conducted by Cisco Investments with venture capital firms reveals that most CISOs believe complexity in tools, number of solutions and technical glossaries are among the many barriers to zero trust. 

It has been observed that around 85% of the IT decision-makers are now setting identity and access management investments as their main priority, rather than any other security solution. This is stated in the CISO Survival Guide published by Cisco Investments, the startup division of Cisco, along with the venture capital firms Forgepoint Capital, NightDragon, and Team8.

Interviews with Cisco customers, chief information security officers, innovators, startup founders, and other experts led to the creation of the 'guide', which examined the cybersecurity market in relation to identity management, data protection, software supply chain integrity, and cloud migration.

From 30,000 feet up: More interoperability, less friction, and data that is genuinely relevant and understandable for decision-makers, according to interviewees, are the most essential requirements.

The main spending priorities of the report were fairly evenly distributed, with user and device identity, cloud identity, governance, and remote access receiving the most mentions from CISOs. 

Cloud security turned out to be the primary concern, with a focus on the newly emerging field of managing cloud infrastructure entitlements.

Demands of CISOs: Ease of Use, Holistic Platforms, CIEMs

The three main areas of identity access management, clouds, and data that CISOs believe are most concerning are:

  • The fragmented world of security silos is because of the lack of unified platforms for IAMs, identity governance and administration, and privileged access control. 
  • Enterprise clients are embracing cloud service providers' offerings for managing cloud infrastructure entitlements.
  • The CISOs were against the use of acronyms since they were bothered by the overuse of acronyms like CIEM.

Moreover, the authors of the Cisco Investment Study note that “This trend imposes cycles for CISOs to vet and unpack these purportedly new categories, only for them to discover they are a rehash of existing solutions.”

Top Motivators Will Look for Management Solutions 

Apparently, some top motivators cited by CISCOs will be investing in identity management solutions for the management of user access privileges, identity compliance, and the swift expansion of companies' threat surfaces.

Here, we are mentioning some of the changes that the IT decision-makers look forward to in the next-generation identity platforms: 

  • Ease of integration (21% of those polled). 
  • Platform-based solution, versus single-point or endpoint offerings (15%). • Ratings from independent analysts (15%). 
  • Price (11%). 
  • Market adoption (11%). 
  • Simplicity of deployment and operations (10%). 
  • Ability to deploy at scale quickly (9%). 
  • Ability to add features easily (8%).     

Read more »
Vulnerabilities and Exploits
Akira Ransomware Cisco COTS Cyberattacks CyberCrime Data Loss LSASS Malicious Attacks MFA Ransomware VPN Vulnerabilities and Exploits

Akira Ransomware Unleashes a New Wave of Attacks via Compromised Cisco VPNs

 


The Cisco Network Security Division is aware of reports suggesting that malicious individuals are infiltrating organizations through Cisco VPNs that are not configured for multi-factor authentication with the Akira ransomware threat. In some instances, threat actors are targeting organizations that do not configure multi-factor authentication for their VPN users. Some instances have been observed where threat actors are targeting organizations that are not doing so. 

It has been verified by several cybersecurity firms that Cisco VPN products are being targeted with ransomware, and there are reports that the perpetrators are members of a relatively new gang known as Akira who have perpetrated the attack. 

Typically, this ransomware campaign is targeted at corporate entities to gain sensitive information about them and make money through charging ransoms as a means of obtaining this sensitive information. All members of Akira have to do to access their accounts is to log in to the VPN service by using their Akira account details. 

As part of Cisco's investigation of similar attack tactics, the company has actively collaborated with Rapid7. Thanks to Rapid7 for providing Cisco with a valuable collaboration over the last few months. To provide secure, encrypted data transmission between users and corporate networks, Cisco VPN solutions are widely adopted across a wide range of industries, primarily by employees who work remotely and rely on these solutions to do so. 

The Akira Ransomware Attack 


As of March 2023, there have been multiple instances of the Akira ransomware. To attack VMware ESXi servers, the group developed an encryptor for Linux that, like many other ransomware gangs, targets this server type.

If the ransom demands are not met, the threat actors responsible for the Akira ransomware will employ a variety of extortion strategies and they will run a website using the Tor network (with an IP address ending in .onion) that lists victims and the information they have stolen from them. To begin negotiations, victims are instructed to contact the attackers via a TOR-based website, through a unique identifier provided in the ransom message, that can be used to contact them. 

It was first discovered by Sophos researchers in May that the ransomware gang was abusing VPN accounts to breach a network with the use of "VPN access using Single Factor authentication." A person known as 'Aura', who responded to multiple Akira attacks as part of the Akira operation, shared on Twitter further information about how he and other incident responders dealt with incidents that were carried out using Cisco VPN accounts that were not protected by multi-factor authentication. 

Akira is a malicious program that targets not only corporations but also educational institutions, real estate, healthcare, manufacturing, as well as the financial sector. As part of its encryption capabilities, the Linux versions of Akira ransomware make use of the Crypto++ library to enable the encryption process on the target device. Akira offers only a limited number of commands, but there are no options to shut down VMs before encrypting them using Akira. 

With the -n parameter of the command, there is still the possibility of the attacker modifying the encryption speed and the chance that the victim's data can be recovered. Consequently, if the encryption speed is high, there is a slim chance that the victim who is hiding the data will be able to recover it with the help of a decryption tool. 

The first indication of Akira's activities was picked up by a cybersecurity firm based in the US in March 2023, called Arctic Wolf. Their research shows that small and medium-sized businesses worldwide have been the main target of attackers and that they have paid particular attention to the US and Canada in particular. Akira, as well as Conti's operators, have also been linked between the researchers. 

There was a recent report from the SentinelOne WatchTower, shared privately with BleepingComputer, that looked at the same attack method and speculated that Akira may have exploited a newly discovered vulnerability in Cisco VPN software that may be able to bypass authentication in the absence of the multi-factor authentication mechanism. 

In leaked data posted on the Akira group's extortion page, SentinelOne found evidence that the ransomware group used Cisco VPN gateways. At least eight instances were observed that displayed Cisco VPN-related characteristics, which shows that the ransomware gang is continuing to use Cisco VPN gateways as part of their ongoing extortion scheme. 

Implementing VPNs Without MFA


As a general rule, when an attacker tries to target VPNs or any other type of network services or applications, the first stage of their attack is to exploit an exposed service or application. In many cases, attackers focus on the fact that there is no multi-factor authentication (MFA) or there is a known vulnerability in VPN software in the form of software that has multi-factor authentication. 

Once the attackers have gained access to a target network, they attempt to breach the network using LSASS dumps (Local Security Authority Subsystem Service) to obtain credentials that will enable them to move further within the network and raise privileges if necessary. 

There have also been reports that this group has been using other tools, such as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf (COTS) tools, or creating minidump files, to gather further intelligence about or pivot within the target network, as well as using other tools commonly referred to as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf tools (COTS). 

Moreover, SentinelOne researchers observed that Akira operators maintained access to compromised networks by using the legitimate open-source remote access tool RustDesk which works similarly to RustDesk. It has been announced that cybersecurity company Avast has released a free decryptor that can be used by victims of the Akira ransomware to restore their valuable data without having to pay a ransom.

It was decided by the threat actors to encrypt their encryptors by patching them. By doing so, they would prevent victims from using them to recover data that was encrypted by the newer version of the encryption. Business users prefer Cisco VPN products due to their reliability and ease of use. 

Data transmission between networks/users can be made more secure with this technique, which is relied upon by organizations. Those who work in a hybrid or remote environment are expected to comply with it as a matter of course. That is why there might be a desire on the part of threat actors to exploit the vulnerability. Data loss and computer extortion attempts from ransomware operators can be prevented by organizations remaining vigilant and ensuring foolproof digital security measures.
Read more »
ZIP File
Bitdefender Cisco Crypto Data Breach Decrypter Email Encryption Malicous Files ZIP File

Free MortalKombat Ransomware Decryptor Released

An open-source universal decryptor for the newly discovered MortalKombat malware, which encrypts files, has been made available by the Romanian cybersecurity firm Bitdefender. The virus has been employed on dozens of victims in the United States, United Kingdom, Turkey, and the Philippines, as per a recent Cisco analysis.

Emails with malware ZIP attachments containing BAT loader scripts are sent to random users by MortalKombat distributors. When the script is run, it will download and run the Laplas Clipper and ransomware binaries on the computer.

Although it has been identified since 2010, Xorist is disseminated as a ransomware constructor, enabling online threat actors to design and alter their own variant of the malware. The MortalKombat decryptor is a standalone executable that doesn't require installation on affected devices. The user may optionally choose a specific place holding backed-up encrypted data. It offers to scan the entire filesystem to find files infected by MortalKombat.

In addition, Bitdefender said that the malware has a clipboard-monitoring feature that targets users of cryptocurrencies particularly. The emails include references to expired cryptocurrency payments and attachments that resemble CointPayments transaction numbers but conceal the malware payload. The ransomware, which encrypts all of a PC's data, including those in virtual machines and the recycle bin, is downloaded by the software after its launch. It takes the victim's background and replaces it with a Mortal Kombat 11 image, hence the name.

In a study by PCrisk, Cisco discovered a leaked version of the Xorist builder, where the builder interface options closely mirrored an actual Xorist ransomware building interface. The creator creates an executable ransomware file that the attackers can further modify. Notably, MortalKombat was used in recent attacks by an unidentified financially motivated malicious attacker as a part of a phishing operation targeted at multiple companies.

Read more »
Security Approach
Application Security Cisco Cyber Security DecSecOps IT IT Companies Organization security Security Approach

Utilizing an Integrated Approach for Application Security


Among every industry and organizations, application security has emerged as a progressively complex and challenging issue. Over the past few years, the rapid innovation in this field has resulted in the increase of attack surfaces, significantly where firms have shifted to modern application stacks on cloud-based security. Attack surfaces have also been expanded by the increased deployment of the Internet of Things (IoT) and connected devices, as well as by new hybrid working patterns. 

The volume and sophistication of cybercrime attacks have sharply increased at the same time, causing concerns inside IT departments. According to the most recent study from Cisco AppDynamics, the shift to a security approach for the full application stack, 78% of technologists believe that their company is susceptible to a multi-stage cybersecurity attack that would target the entire application stack over the course of the following 12 months. Indeed, such an attack might have catastrophic results for brands. 

The major problem for IT teams is the lack of the right level of visibility and insights in order to recognize where new threats are emerging across a complicated topology of applications. More than half of engineers claim that they frequently find themselves operating in "security limbo" since they are unsure of their priorities and areas of concentration. 

IT teams can safeguard the complete stack of modern apps throughout the entire application lifecycle by using an integrated approach to application security. It offers total protection for applications across code, containers, and Kubernetes, from development to production. Moreover, with coupled application and security monitoring, engineers can assess the potential business effect of vulnerabilities and then prioritize their responses instead of being left in the dark. 

Moving to a Security Approach for the Full Application Stack 

In order to improve the organization security, tech experts are recognizing the need for adopting a security strategy for the entire application stack that provides comprehensive protection for their applications from development through to production across code, containers, and Kubernetes. 

Moreover, IT teams are required to integrate their performances and security checks to gain a better understanding of the way security flaws and incidents could impact users and organizations. Tech experts can assess the significance of risks using severity scoring while taking the threat's context into account thanks to business transaction insights. This entails that they can give priority to threats that pose a risk to an application or environment that is crucial for conducting business. 

Due to the complexity and dynamic nature of cloud-native technologies, as well as the quick expansion of attack surfaces, IT teams are increasingly relying on automation and artificial intelligence (AI) to automatically identify and fix problems across the entire technology stack, including cloud-native microservices, Kubernetes containers, multi-cloud environments, or mainframe data centers. 

AI is already being used for continuous detection and prioritization, maximizing speed and uptime while lowering risk by automatically identifying and blocking security exploits without human interaction. Also, more than 75% of technologists think AI will become more crucial in tackling the issues their firm has with speed, size, and application security skills. 

To safeguard modern application stacks, companies must encourage much closer IT team collaboration. With a DevSecOps strategy, security teams analyze and evaluate security risks and priorities during planning phases to establish a solid basis for development. This adds security testing early in the development process. 

IT teams can be far more proactive and strategic in how they manage risk with a comprehensive approach to application security that combines automation, integrated performance, security monitoring, and DevSecOps approaches. A security strategy for the entire application stack can free engineers from their impasse and enable them to create more secure products, prevent expensive downtime, and advance into the next innovation era.  

Read more »
Vulnerabilites and Exploits
Cisco Cisco devices Command injection vulnerability Malicious Code Security Flaws Trellix Vulnerabilites and Exploits

All You Need to Know About the Cisco Command-Injection Bug


A security flaw has been discovered in Cisco gear used in data centers, large enterprises, industrial facilities, and smart city power grids that could give hackers unrestricted access to these devices and wider networks. 

Trellix researchers, in a report published on February 1st reveals the bug, one of two flaws discovered, impacts the following Cisco networking devices: 

  • Cisco ISR 4431 routers 
  • 800 Series Industrial ISRs 
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways 
  • IOS XE-based devices configured with IOx 
  • IR510 WPAN Industrial Routers 
  • Cisco Catalyst Access points 

One bug — CSCwc67015 — was discovered in code which is not yet released. Apparently, it has the capability to allow hackers to execute their own code, and possibly replace the majority of the files on the device. 

The second bug (allegedly more malicious) — CVE-2023-20076 — found in production equipment, is a command-injection vulnerability which could enable unauthorized access and remote code execution (RCE). Despite Cisco's barriers against such a situation, this would have required not only complete control of a device's operating system but also persistence through any upgrades or reboots. 

According to Trellix, since Cisco networking equipment is being operated around the globe in data centers, enterprises, and government organizations, including its most common footprints at industrial facilities, this makes the impact of the vulnerabilities more significant. 

“In the world of routers, switches, and networking, Cisco is the current king of the market[…]We would say that thousands of businesses could potentially be impacted,” says Sam Quinn, senior security researcher with the Trellix Advanced Research Center. 

The Latest Cisco Security Flaws 

According to Trellix, the two flaws are a result of a shift in how routing technology work. On these miniature-server-routers, network administrators may now install application containers or even entire virtual systems. Along with great functionality, this increased complexity will also lead to a broader attack surface. 

"Modern routers now function like high-powered servers[…]with many Ethernet ports running not only routing software but, in some cases, even multiple containers," the authors of the report explained. 

Both CSCwc67015 and CVE-2023-20076 roots from the router's advanced application hosting environment. 

In terms of CSCwc67015, "a maliciously packed programme could bypass a vital security check while uncompressing the uploaded application" in the hosting environment. The study aimed to safeguard the system from CVE-2007-4559, a 15-year-old path traversal vulnerability in a Python module that Trellix itself had discovered in September. 

The flaw CVE-2023-20076, however, also makes use of the Cisco routers' support for virtual machines and application containers. In this particular case, it has to do with how admins pass commands to start their applications. 

The researchers identified that the 'DHCP Client ID' option inside the Interface Settings was not properly being sanitized, granting them root-level access to the device and enabling them to "inject any OS command of our choosing." 

Adding to this, the authors of the report highlight how "Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets." 

However, they showed in a proof-of-concept video how the command-injection problem might be exploited to gain total access, enabling a malicious container to withstand device reboots or firmware updates. There are now only two options for removal: doing a complete factory reset or manually identifying and eradicating the malicious code. 

Furthermore, in a concluding remark, the Trellix researchers have advised organizations to watch out for any suspicious containers installed on relevant Cisco devices, and recommended that companies that do not operate containers to disactivate the IOx container framework completely. 

They highlighted that "organizations with impacted devices should update to the newest firmware immediately" as being the most crucial step to follow. 

Moreover, users are advised to apply the patch as soon as possible, in order to protect themselves from the vulnerabilities.  

Read more »
Routers
360 Netlab Cisco CVE vulnerability Cyber Security HTTP Attacks RCE Flaw Routers

Cisco Fixes a Major Issue in Small Business Routers


Several end-of-life (EoL) VPN routers are affected by a critical authentication bypass flaw that Cisco alerted customers. The issue has publicly available attack code. Hou Liuyang of Qihoo 360 Netlab discovered the security hole (CVE-2023-20025) in the internet management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.

CVE-2023-20025 validation of user input within incoming HTTP packets could enable an unauthorized remote attacker to bypass authorization on an affected system. An attacker could send false HTTP requests to the router, bypass authentication, and get root access to the operating system due to a flaw where user input within inbound HTTP packets is not properly validated.

The second vulnerability, identified as CVE-2023-20026, could enable remote code execution (RCE), but in order to exploit it, an attacker must have access to the device in question. As a result, the bug is graded medium and has a CVSS score of 6.5.

According to Cisco, the flaws do not need to be exploited in tandem by attackers and are independent of one another. However, it would be simple to exploit an authentication bypass with a remote code execution flaw that first requires attackers to be able to authenticate.

An effective mitigation, as per Cisco, is to stop remote administration of the routers and block access to ports 443 and 60443, making the routers only reachable through the LAN interface, even though there are no fixes for the issues. Despite the routers were stopped, researchers found that the installed base still exists. Out-of-date equipment frequently remains in commercial settings even after it has been disconnected, providing a fertile target for cyber attacker's.

As per Mike Parkin, senior technical engineer at Vulcan Cyber, the Cisco small business routers afflicted by such flaws still see pretty broad usage, even they are all finally end of term.  A difficulty is that the devices are frequently used by people who may not have the money to replace them or by smaller firms with limited resources.

SMB routers are widely used, since many users now work from home or hybrid offices, not just SMBs that are affected. The susceptible product could be used by branch offices, COEs, or even home offices.



Read more »
Security Resilience
Cisco Company Safety Cyber Security Security Resilience

Cybersecurity Resilience Now a Top Priority, as Companies Say Security Incidents Impacted Business Operations


The study done by Cisco included recognizing top seven success factors responsible for the security resilience of a particular firm. These factors were classified on the basis of culture and environment and solution-based business security. The study was based on a survey accomplished with the co-operation of more than 4,700 participants, responding from 26 countries. 

Resilience has emerged as an apex priority to companies, since at least 62 percent of the organizations surveyed reported having encountered a security event that negatively impacted business in the last two years. The most prominent types of security incidents include network or data breaches, network or system outages (51.1 percent), ransomware events (46.7 percent) and distributed denial of service attacks (46.4 percent). 

The instances consequently resulted in severe repercussions that were significant for both the company involved and the ecosystem of businesses they interact with. The impacts significantly involved IT and communications interruption (62.6 percent), supply chain disruption (43 percent), impaired internal operations (41.4 percent) and lasting brand damage (39.7 percent). 

With such high stakes, 96 percent of the executives involved in the report’s survey, unsurprisingly mentioned that security resilience is a priority to them. The study as well emphasized the key objectives of security resilience for security specialists and their teams, that is to evade any security incident, and mitigate losses when it takes place. 

The Seven Success Factors of Security Resilience 

The Cisco report this year additionally established a methodology in order to generate a security resilience score for the surveyed firms, identifying the seven success factors. Organizations with these factors were apparently amongst the top 90th percentile of the robust businesses. While organizations that did not comprise the same were in the bottom 10th percentile of the performers. 

The study's findings supported the fact that security is in fact a human activity because leadership, corporate culture, and resource availability have a significant influence on resilience: 

• Organizations reporting insignificant security support from the C-suite scored 39 percent lower than the ones with stronger executive support 

• Organizations supporting a significantly better security culture scored 46 percent higher on the average than the one that did not. 

• Businesses that keep additional internal employees and resources in hand to respond to incidents saw a 15% increase in resilient results. 

Additionally, businesses as well needed to pay attention to minimizing the complexities faced while transitioning from an on-premises to a fully cloud-based environment. 

Eventually, the implementation and maturity of these advanced solutions offer significant impacts over the resilient outcomes: 

• Organizations reporting implementation of a mature zero trust model saw a 30 percent increase in resilience scores, compared to those that did not. 

• Enhanced extended detection and response capabilities have resulted in a remarkable 45 percent increase for organizations that reported witnessing no detection and response solution. 

• Converting networking and security to a mature, cloud-delivered secure access services eventually led to a 27 percent increase in security resilience scores.  

Read more »
User Privacy
Cisco Cyber Defence Data Breach ICO Identity Theft United Kingdom User Privacy

Companies are at Risk From Remote Workers Losing Thier Laptops

 

Data thieves can steal a laptop from a coffee shop table, a lost property bin, an unlocked locker, your desk at work, or even your luggage on a crowded commuter train, and it's far away when you first realize it's gone. They are difficult to identify and trace, and because most individuals carry computers, it is simple to steal without anybody knowing. Many data theft events are simply crimes of opportunity rather than deliberate attacks, and stolen laptops make an excellent target.

Organizations are penalized a total of £26 million, according to data compiled by Cisco Systems, after employees misplaced company-owned laptops and phones.

The Information Commissioner's Office has collected over 3,000 reports of missing devices with user data during the past two years. Businesses are far more prone to be penalized than companies that have been the target of ransomware hackers if employees' misplaced laptops and phones consist of consumer information.

The majority of organizations are putting in place their cyber defenses, yet many do not consider their staff to be a threat to company data. But a major aspect of cyber security preparation is searching within the organization for potential insider threats. It might be challenging to tell whether a staff member has genuinely used company systems or if they are attempting to assault the company.
  
According to data protection legislation, the loss of a device containing or having access to the personal data of customers or suppliers must be reported to the ICO. As per Lindy Cameron, the CEO of the National Cyber Security Centre, ransomware is one of the most severe cybersecurity risks in the UK.

Martin Lee, technical lead for cybersecurity at Cisco, warned that office workers who are unable to resume their usual commute may see an increase in lost or stolen devices that carry important company data. Businesses in the UK have been investing heavily to ensure that their corporate networks are impenetrable because of the increased awareness of cyber threats brought on by rising data breaches. 



Read more »
User Privacy
Cisco Cyber Security data security Russia-Ukraine War Safety Measures User Privacy

CISO Discuss Main Safety Concerns

 

In terms of cyber threats, 2022 was a crucial year. Enterprises are under increased pressure to enhance their security operations in order to stay up with the republic hackers and skilled cybercriminals who have been encouraged by the Russia-Ukraine conflict.

Frank Kim, a professional and fellow of SANS Institute, has joined YL Ventures as the organization's new full-time CISO-in-residence. In order to offer assistance and direction as companies develop their cybersecurity solutions and expand their businesses, YL Ventures links startup entrepreneurs with CISOs.

Former CISO of the SANS Institute and founder of ThinkSec, a security consulting and CISO consultancy firm, Kim will focus on the financial implications of enhancing security in his new position.

An increasing number of users are worried about data security, particularly how securely organizations may use, share, and exploit data. The key to encouraging and facilitating the adoption and use of data, looking at future revenue streams for businesses. It is justified in being a top priority for CISOs because it has grown to be such a crucial component of the company and a highly profitable target for attackers. Kim said, "We have to stay up with the changing and moving data in the modern, dynamic corporate climate with M&As and consolidation."

Top characteristics of a future chief data security officer:

Exhibit strategic focus
The most effective will approach problems from a business standpoint as opposed to a technical or tactical one. They present themselves as visionary leaders rather than firefighters who are only called in during emergencies.

Assess opportunity and risk
Risk need not always be nasty or destructive, but the risk that is not handled can be. If the CISO insists that all risk is bad and must be eliminated, they risk losing the support of their colleagues and impeding forward-thinking initiatives.

Permits the display of leadership ability
The organization as a whole and the security sector esteem next-gen CISOs for their charisma, ingenuity, connections, and respectability. They never miss a chance to highlight the benefits information security has for the company.

Possesses business skills, strengthens trust, and demonstrates empathy
Through routine interaction and cooperation, they should contribute to increasing the trust of their team members, clients, partners, and other company stakeholders.






Read more »
Vulnerabilities and Exploits
Cisco CSRF Remote Hacking Vulnerabilities and Exploits

Cisco Patched High Severity Bugs in Networking and Communications Products


Flaws found in Cisco

Various flaws in the API and web-based management interface of Cisco TelePresence Video Communication Server (VCS) Software and Cisco Expressway Series Software can permit remote actors to dodge certificate authentication or execute cross-site request forgery attacks on targeted devices. 

About the first bug

The first bug, tracked as CVE-2022-20814, is an improper certification validation problem, a remote, unauthorized actor can activate it to access critical information via a man-in-the-middle attack.

A bug in the certificate validation of Cisco TelePresence VCS and Cisco Expressway-C could permit a malicious, remote actor to have unauthenticated access to sensitive information. 

The flaw is due to no validation of the SSL server certificate for an impacted device while it builds a connection to a Cisco Unified Communications Manager device. 

The Cisco advisory says: "An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between the devices and then using a self-signed certificate to impersonate the endpoint. A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic.” 

About the second bug

The second vulnerability, tracked CVE-2022-20853 is cross-site request forgery (CSRF) that can be compromised to launch a denial of service (DoS) state by luring the victim to open a specially crafted link. 

"A vulnerability in the REST API of Cisco Expressway Series and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.” states the advisory. 

“This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload."

The Cisco PSIRT did not say anything about attacks in the wild exploiting these bugs or any public announcements. 




Read more »
Malware dropper
Cisco Cisco Talos Job Scam Malicious actor malware Malware dropper

Cobalt Strike Beacon Using Job Lures to Deploy Malware

Cisco Talos researchers have detected a new malware campaign that is using job lures to deploy malware. The threat actors are weaponizing a year-old remote code execution flaw in Microsoft Office, infecting victims with leaked versions of Cobalt Strike beacons. 

According to the researchers, the attacks were discovered in August 2022. It begins with phishing emails regarding the U.S. Government's job details or a New Zealand trade union. The emails comprise of a multistage and modular infection chain with fileless, malicious scripts. 

On opening the attached malicious Word file, the victim was infected with an exploit for CVE-2017-0199, a remote code execution vulnerability in MS Office, that allows the threat actor to control the infected systems. As a result, the attacker deploys a chain of attack scripts that leads up to the Cobalt Strike beacon installation. 

"The payload discovered is a leaked version of a Cobalt Strike beacon[...]The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic" states Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer in a new analysis published on Wednesday. 

In addition to discovering the Cobalt Strike beacon as the payload in this campaign, the researchers have also observed the usage of the Redline information-stealer and Amadey botnet executables as the payloads. 

The Modus Operandi has been called “highly modularized” by the experts, the attack stands out for it leverages Bitbucket repositories to deploy malicious content that serves as a kickoff for downloading a Window executable, responsible for the installation of Cobalt Strike DLL beacon, says the Cybersecurity researchers. 

"This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory[...]Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain." states the researchers. 

Considering the growing phishing and malware attacks, the Cisco Talos team suggested users protect themselves with measures, such as updating their software and not opening any attachments in unsolicited messages. Besides, the team also suggests that administrators monitor their network security. 
Read more »
VPN
Cisco Data Breach LAPSUS$ MFA Russian Hackers Supply Chain Attack VPN

Ransomware Exposed Stolen Data From Cisco on Dark Web

Yanluowang ransomware Gang has published Cisco Systems' stolen data on the dark web and following the data leak, Cisco confirmed that the data was stolen from its network during an intrusion that took place in May. 

Cisco Security Incident Response (CSIRT) conducted an investigation wherein it was found that the attackers acquired control of a personal Google account that had the credentials saved in the browser. The threat actors compromised these credentials to launch voice phishing attacks. The idea behind the attacks was to lure the targeted employee into accepting the MFA notification. 

Cisco revealed in a report published in August that the firm's networks had been infiltrated by the Yanluowang ransomware after hackers gained access to an employee's VPN account. The company further asserted that the only information taken was employee login information from Active Directory and non-sensitive files saved in a Box account.

Once the threat actors obtained the employee's Cisco credentials, the hackers employed social engineering and other techniques to get beyond multi-factor authentication (MFA) and gather more data.

After gaining initial access, the hackers registered a list of new devices for MFA, authenticated effectively to the Cisco VPN, and dropped multiple tools in the victim network including RATs such as LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as per Security Affairs. 

Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released.  We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."

The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).

The hacked Google account of an employee that had enabled password synchronization through Google Chrome and saved their Cisco details in the browser allowed the thieves to initially access the Cisco VPN.

The leader of Yanluowang ransomware told BleepingComputer that they had stolen thousands of files totaling 55GB from a cache that contained sensitive information including technical schematics and source code. The hacker did not offer any evidence. The only thing they provided was a screenshot showing access to what seemed like a development system. 

Erich Kron, security awareness advocate at security awareness training company KnowBe4 implies that it goes unsaid that Cisco decided against paying the ransom demanded by the ransomware group, which resulted in the stolen data being posted. 


Read more »
Hades Ransomware
Cisco Cobalt Strike Cyber Security Hades Ransomware

Infrastructure Used in Cisco Hack is the same used to Target Workforce Management Solution Firm


Hackers Attack Organization using Cisco Attack Infrastructure 

Experts from cybersecurity firm eSentire found that the attack infrastructure used in recent Cisco hack was also used in targeting a top Workforce management corporation in April 2022. 

They also observed that the attack was executed by a threat actor called as mx1r, who is an alleged member of the Evil Corp affiliate cluster called UNC2165.

What is UNC2165?

The UNC2165 is in action since 2019, it was known for using the FAKEUPDATES infection chain (aka UNC1543) to get access to victims' networks. 

Experts observed that FAKEUPDATES was also used as the initial infection vector for DRIDEX infections which were used to execute BITPAYMER or DOPPELPAYMER in the final stage of the attack. 

Hades ransomware was also used

Earlier, the UNC2165 actors also used the HADES ransomware. As per eSentire, the hackers accessed the workforce management corporation's IT network via stolen Virtual Private Network (VPN) credentials. 

The experts found various underground forum posts, from April 2022, where mx1r was looking for VPN credentials for high-profile organizations. 

They also found posts on a Dark Web access broker auction site where a threat actor was buying VPN credentials for big U.S companies. 

Experts also find Cobalt Strike 

The researchers also discovered the attackers attempting to move laterally in the network via a set of red team tools, this includes Cobalt strike, network scanners, and Active Domain crawlers. 

The attackers used Cobalt Strike and were able to have initial foothold and hands-on-actions were quick and swift from the time of initial access to when the attacker could enlist their own Virtual Machine on the target VPN network. 

eSentire researchers also noticed the attacker trying to launch a Kerberoasting attack (cracking passwords in Windows Active Directory via the Kerberos authentication protocol) which is also in line with the TTPs of the Evil Corp affiliate/UNC2165. 

eSentire experts discovered the attack

TTPs of the attack that attacked the workforce management corporation are similar with Evil Corp, while the attack infrastructure used matches that of a Conti ransomware affiliate, who has been found using Hive and Yanlukwang ransomware. eSentire traces this infrastructure cluster as HiveStrike. 

"It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp. Given that Mandiant has interpreted UNC2165´s pivot to LockBit, as an intention to distance itself from the core Evil Corp group, it is more plausible that the Evil Corp affiliate/UNC2165 may be working with one of Conti’s new subsidiaries. Conti’s subsidiaries provide a similar outcome – to avoid sanctions by diffusing their resources into other established brands as they retire the Conti brand,” eSentire report concludes. “It’s also possible that initial access was brokered by an Evil Corp affiliate but ultimately sold off to Hive operators and its affiliates.”



Read more »
Russian Hackers
Cisco Command and Control(C2) Crypto Mining Data Breach PowerShell RedLine Stealer Russian Hackers

Hacker's Spread ModernLoader, XMRig Miner Malware

 


During March and June 2022, Cisco Talos researchers discovered three distinct but connected campaigns that were spreading various malware to victims, including the ModernLoader bot, RedLine info-stealer, and cryptocurrency miners.

The hackers spread over a targeted network via PowerShell,.NET assemblies, HTA, and VBS files before releasing further malware, like the SystemBC trojan and DCRat, to enable different stages of its exploits, according to a report by Cisco Talos researcher Vanja Svajcer.

Cisco Talos further said that the infections were caused by a previously unidentified but Russian-speaking spyware, that used commercial software. Users in Bulgaria, Poland, Hungary, and Russia were among the potential targets. 

The first stage payload is an HTML Application (HTA) file that executes a PowerShell script stored on the command-and-control (C2) server to start the deployment of interim payloads that eventually use a method known as process hollowing to inject the malware.

ModernLoader (also known as Avatar bot), a straightforward.NET remote access trojan, has the ability to download and run files from the C2 server, run arbitrary instructions, acquire system information, and alter modules in real-time. 

Additionally, the actors dispersed across a targeted network using PowerShell,.NET assemblies, HTA, and VBS files before releasing additional malware, such as the SystemBC trojan, and DCRAT, to carry out various operations related to their activities.

It is challenging to identify a specific adversary behind this behavior because the attackers used various commercially available tools, according to Cisco Talos.

Despite the lack of clarity surrounding attribution, the business reported that threat actors used ModernLoader as the final payload in all three campaigns. This payload then functioned as a remote access trojan (RAT) by gathering system data and delivering further modules.

In addition, two older attacks from March 2022 were discovered by Cisco's analysis. These campaigns use ModerLoader as its principal malware C2 communication tool and also spread other malware, such as XMRig, RedLine Stealer, SystemBC, DCRat, and a Discord token stealer, among others. 

Days prior to the publication of the piece, the corporation hosted a webinar in which it reaffirmed its cybersecurity support for Ukraine in honor of the nation's Independence Day.
Read more »
Yanluowang Ransomware
Cisco Data Breach LAPSUS$ MFA VPN Yanluowang Ransomware

Ransomware Gang Hacks Cisco

The Yanluowang ransomware organization broke into Cisco's business network in late May and stole internal data, the company said in a statement.

Hacker's compromised a Cisco employee's credentials after taking over a personal Google account where credentials saved in the victim's browser were being synced, according to an investigation by Cisco Security Incident Response (CSIRT) and Cisco Talos.

Cisco claims that an attacker targeted one of its employees and was only successful in stealing files from a Box folder linked to that employee's account and employee authentication information from Active Directory. According to the company, the data kept in the Box folder wasn't sensitive.

The Yanluowang threat actors hijacked a Cisco employee's personal Google account, which contained credentials synchronized from their browser, and used those credentials to enter Cisco's network.

Through MFA fatigue and a series of sophisticated voice phishing assaults carried out by the Yanluowang gang under the guise of reputable assistance businesses, the attacker persuaded the Cisco employee to accept multi-factor authentication (MFA) push alerts.

Cisco has linked the attack to an initial access broker with ties to Lapsus$, the gang that attacked several major corporations before its alleged members were apprehended by law enforcement, as well as threat actor UNC2447, a group with ties to Russia known for using the ransomware FiveHands and HelloKitty. The Yanluowang ransomware group has also been connected to the initial access broker.

In actuality, the Yanluowang ransomware organization claimed responsibility for the attack and said it had stolen about 3,000 files totaling 2.8Gb in size. According to the file names the hackers have disclosed, they may have stolen NDAs, source code, VPN clients, and other data.

The attack did not use ransomware that encrypts files. After being removed from Cisco's systems, the hackers did email Cisco executives, but it didn't contain any explicit threats or demands for ransom.






Read more »
Scammers
Cisco counterfeit Cyber Fraud fake Fraudulent Mail Fraud Scam Scammers

CEO of Multiple Fake Companies Charged in $1bn Counterfeit Scheme to Traffic Fake Cisco Devices

 

Last Friday, the US Department of Justice (DOJ) revealed that a Florida citizen named Ron Aksoy had been arrested and alleged with selling thousands of fake and counterfeit Cisco goods over 12 years. 

Aksoy, also known as Dave Durden, would have operated at least 19 firms based in New Jersey and Florida, as well as at least 15 Amazon stores, around 10 eBay storefronts, and many additional corporations worth more than $1 billion. Aksoy faces three counts of mail fraud, four counts of wire fraud, and three counts of trafficking in counterfeit products. 

According to court records, the fraudulent firms purchased tens of thousands of counterfeit Cisco networking equipment from China and Hong Kong and resold them to consumers in the United States and across the world, fraudulently advertising the items as new and authentic. Chinese counterfeiters modified earlier, lower-model goods (some of which had been sold or dumped) to look to be authentic versions of newer, improved, and more expensive Cisco gear. 

As a result, the fraudulent and counterfeit items had severe performance, functionality, and safety issues, costing users tens of thousands of dollars. According to the indictment, between 2014 and 2022, Customs and Border Protection (CBP) confiscated approximately 180 shipments of counterfeit Cisco equipment being transported to the Pro Network Entities (the fraudulent firm name under which Aksoy operated) from China and Hong Kong. 

In response to some of these seizures, Aksoy would have filed fraudulent official papers to CBP using the pseudonym "Dave Durden," which he also used to contact with Chinese co-conspirators. The entire enterprise reportedly generated over $100 million in income, with Aksoy keeping a sizable portion while his co-conspirators received the remainder. Potential victims have been advised to get in touch with authorities. 

The DOJ has developed a publicly available list of Pro Network firms, as well as the accused criminal's eBay and Amazon stores.
Read more »
Vishing
CAPTCHA Security Cisco Cyber Security FBI Japan Malicious actor Microsoft 365 Phishing emails URL Vishing

Phishing Emails Faking Voicemails aim to Steal Your Data

 

Vishing is the practice of sending phishing emails to victims that appear to be voicemail alerts to acquire their Microsoft 365 and Outlook login information. Researchers at Zscaler's ThreatLabz said this email campaign, which resembles phishing emails from a few years ago, was discovered in May and is still active. 

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

Attackers inform recipients of missed voicemails via email notifications that contain links to web-based attachments. Although many people don't check voicemail, audio messages on LinkedIn and WhatsApp have been there for a while, so using them to deceive consumers into clicking a link in an email can be successful. 

Naturally, when the target clicks the link, they are taken to a credential phishing web page hosted on Japanese servers rather than a voicemail at all. The user gets directed to the Microsoft Office website or the Wikipedia page if the encoded email address at the end of the URL is missing.

The user is shown the final page, which is an Office 365 phishing page after they have correctly supplied the CAPTCHA information. The 2020 campaign Zscaler tracked using the same approach. 

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully "reports Zscaler ThreatLabz

Microsoft 365 Remains a Popular Victim 

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

As the majority of businesses quickly transitioned to a primarily remote-work style, with many workers working from their homes, phishing usage continued to increase. It peaked during the peak of the COVID-19 pandemic in 2020 and 2021. 

A substantial majority of credentials have been successfully compromised by the effort, which can be utilized for a number of different cybercrime endgames. These consist of taking control of accounts to gain access to files and data theft to send malicious emails that appear to be from a legitimate organization, and implanting malware,. The goal is to trick victims into using the same passwords for several accounts by adding the user ID/password combinations to credential-stuffing lists. 

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.
Read more »
Vulnerabilities and Exploits
Bugs Cisco Critical Flaws Flaws High Severity Flaws Security Security patches Vulnerabilities and Exploits

11 High-Severity Flaws in Security Products Patched by Cisco

 

This week, Cisco released its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). 

The semiannual bundled advisories include a total of 19 flaws in Cisco security products, with 11 of them being classified as "high severity." 

CVE-2022-20746 (CVSS score of 8.8) is the most serious of these, an FTD security vulnerability that occurs because TCP flows aren't appropriately handled and might be exploited remotely without authentication to generate a denial of service (DoS) condition. 

“An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory. 

With the introduction of FDT versions 6.6.5.2 and 7.1.0.1, the IT giant has addressed the problem. Fixes will also be included in FDT releases 6.4.0.15 and 7.0.2, which will be released next month. Several more DoS vulnerabilities, all rated "high severity," were fixed with the same FDT releases, including ones that affect ASA as well. They were addressed in ASA releases 9.12.4.38, 9.14.4, 9.15.1.21, 9.16.2.14, and 9.17.1.7. Other problems fixed by these software upgrades could result in privilege escalation or data manipulation when using an IPsec IKEv2 VPN channel.

Cisco also fixed an ASA-specific flaw that allowed an attacker to access sensitive information from process memory. Firepower Management Center (FMC) releases 6.6.5.2 and 7.1.0.1, as well as the future releases 6.4.0.15 and 7.0.2, resolve a remotely exploitable security protection bypass flaw, as per the tech giant. 

Cisco stated, “An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges."

Fixes for eight medium-severity vulnerabilities in these security products are included in the company's semiannual bundled publishing of security advisories. Cisco is not aware of any attacks that take advantage of these flaws.
Read more »
Vulnerabilities and Exploits
Cisco DoS Vulnerabilities email security Malicious Emails Vulnerabilities and Exploits

Malicious Emails have the Potential to Bring Down Cisco Email Security Appliances

 

Cisco notified customers this week that its Email Security Appliance (ESA) product is vulnerable to a high-severity denial of service (DoS) vulnerability that may be exploited using specially crafted emails. The CVE-2022-20653 vulnerability affects the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA. It is remotely exploitable and does not require authentication. 

This vulnerability is caused by the software's insufficient error handling in DNS name resolution. An attacker could take advantage of this flaw by sending specially crafted email messages to a device that is vulnerable. A successful exploit could allow the attacker to make the device unavailable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a denial of service (DoS) issue. Repeated attacks could render the gadget fully inoperable, resulting in a persistent DoS condition, said the company. 

This vulnerability affects Cisco ESA devices running a vulnerable version of Cisco AsyncOS Software with the DANE functionality enabled and downstream mail servers configured to deliver bounce messages. 

Customers can prevent exploitation of this vulnerability by configuring bounce messages from Cisco ESA rather than downstream reliant mail servers. While this workaround has been deployed and confirmed to be functional in a test environment, users should evaluate its relevance and efficacy in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation deployed may have a negative impact on network functioning or performance due to inherent customer deployment circumstances and limitations.

"Cisco has released free software updates that address the vulnerability described. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license," the company said. 

Cisco has given credit to numerous persons who worked with the Dutch government's ICT services company DICTU for reporting the security flaw. According to the networking behemoth, there is no evidence of malicious exploitation. 

Cisco also issued two advisories this week, informing users of medium-severity issues impacting Cisco RCM for Cisco StarOS software (DoS vulnerability), as well as Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (XSS vulnerability).
Read more »
Subscribe to: Posts (Atom)