More helpful resources for users of all skill levels to help you Take a Security Action
Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward helping you and any organizations you’re a part of become more security resilient.
Thursday, October 19, 2023 14:10
Welcome to this week’s edition of the Threat Source newsletter.
I continue to be saddened by all the conflict in Israel and Gaza that’s still ongoing. I’ll be back with a “normal” newsletter next week, as unfortunately, there doesn’t seem to be a peaceful solution coming any time soon.
In the meantime, I just wanted to use this space again to provide a roundup of the best resources I found this week for Cybersecurity Awareness Month.
- The Annual Cybersecurity Attitudes and Behaviors Report 2023 (National Cybersecurity Alliance)
- 2023 Data Breach Investigations Report (Verizon)
- Cisco is continuing to invest in the future of skills certifications. Here’s how the company thinks it’ll help fill the lack of cybersecurity experts (Fortune)
- The open nature of XDR and cross-domain telemetry (Cisco Secure livestream)
- Federal Cyber Chief Tells Agencies to Tap Brakes on AI (Wall Street Journal)
- Former NSA Director: AI is ‘double-edged sword’ for cybersecurity (The Hill)
- Small-Business Cybersecurity: 20 Effective Tips From Tech Experts (Forbes)
- 5 quick tips to strengthen your Android phone security today (ZDNet)
- Fact Sheet: Improving Security of Open Source Software in Operational Technology and Industrial Control Systems (CISA)
- Cisco 2023 Consumer Privacy Survey
**The one big thing**
Cisco has identified active exploitation of a previously unknown, zero-day vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. This affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.
**Why do I care?**
Security researchers have already confirmed that threat actors have installed implants on targeted devices by exploiting this vulnerability. Up to 10,000 devices could already be affected, according to some estimates. In a worst-case scenario, the attacker could execute arbitrary code on the targeted devices.
**So now what?**
Cisco recommends in its security advisory disabling the HTTP server feature on internet-facing systems. This is consistent not only with best practices but also with guidance the U.S. government has provided in the past on mitigating risk from internet-exposed management interfaces. As this is a critical vulnerability, Talos strongly recommends that affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory. As soon as a patch is available, Talos and Cisco will inform users, who should then patch as soon as possible.
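As an added example (not code from the newsletter or from Cisco), a small Python audit that checks a saved IOS XE running-config for the exposure the advisory describes (the HTTP or HTTPS server feature enabled) and for privilege 15 accounts that are not on an expected list, then emits the matching mitigation commands. The config text, the usernames and the known-account list are all constructed for illustration.

```python
"""Audit a Cisco IOS XE running-config for the CVE-2023-20198 exposure
(web UI reachable via the HTTP/HTTPS server feature) and for unexpected
privilege 15 accounts, the artefact the advisory says exploitation creates."""
import re

# Constructed sample running-config; not captured from a real device.
SAMPLE_CONFIG = """\
hostname edge-router
!
ip http server
ip http secure-server
ip http authentication local
!
username admin privilege 15 secret 9 REDACTED
username svc_backup privilege 15 secret 9 REDACTED
username netops privilege 5 secret 9 REDACTED
!
"""

# Only the two lines that turn the web UI on, not other 'ip http' options.
HTTP_RE = re.compile(r"^ip http (secure-server|server)\s*$", re.M)
PRIV15_RE = re.compile(r"^username (\S+) privilege 15\b", re.M)


def http_services_enabled(config: str) -> list[str]:
    """Return the enabled web UI services: 'server' and/or 'secure-server'."""
    return HTTP_RE.findall(config)


def privilege15_users(config: str) -> list[str]:
    """Return every local account configured with privilege level 15."""
    return PRIV15_RE.findall(config)


def unexpected_privilege15_users(config: str, known: set[str]) -> list[str]:
    """Privilege 15 accounts absent from the operator's known-account list."""
    return [u for u in privilege15_users(config) if u not in known]


def remediation_commands(config: str) -> list[str]:
    """Config-mode commands that disable each enabled web UI service,
    i.e. the advisory's mitigation of disabling the HTTP server feature."""
    return [f"no ip http {svc}" for svc in http_services_enabled(config)]


if __name__ == "__main__":
    print("web UI services enabled:", http_services_enabled(SAMPLE_CONFIG))
    print("unexpected priv 15 users:",
          unexpected_privilege15_users(SAMPLE_CONFIG, {"admin"}))
    print("mitigation:", remediation_commands(SAMPLE_CONFIG))
```

An unexpected privilege 15 account is a reason to treat the device as potentially compromised and follow the advisory's investigation steps, not merely to delete the account.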
**Top security headlines of the week**
Government officials are starting to disclose the true breadth of Russia’s cyber attacks at the outset of its invasion of Ukraine. The head of the cyber division of Ukraine’s intelligence service said in a recent interview with Recorded Future that Ukraine worked with the U.S. to disrupt multiple attempts to attack Ukraine’s critical infrastructure in February 2022, right as Russia was launching its ground invasion. Sandra Joyce, the executive vice president of global intelligence at Mandiant, also said in a separate interview this week that protecting Ukraine in the initial weeks and months of the invasion was like “hand-to-hand combat.” Joyce also said that her company saw more wiper malware deployed against Ukraine in the first few weeks of the invasion than in all of the previous eight years it had partnered with Ukraine. Another top Ukrainian cybersecurity official called these attacks from Russia “nothing but a war crime.” (The Record, Yahoo! News)
Internet giant Amazon is slowly rolling out passkeys as a login method for its users. Amazon quietly added the option to set up a passkey under users’ account management portal. This means users can log in using biometric authentication on their device, such as a fingerprint or face scan. This conceivably makes it more difficult for bad actors to access an account without the owner’s knowledge, as they’d need physical access to the device. However, this login option still does not work on Amazon’s native apps, like Prime Video or Amazon shopping, on mobile devices. And the passkey login still requires a multi-factor authentication code to be entered, which would conceivably be redundant with a passkey. A spokesperson for Amazon told news outlet TechCrunch that the company is “in the early stages of adding Passkey support for Amazon.com to give customers another secure way to access their accounts. We will have more to share soon.” (TechCrunch, Dark Reading)
Threat actors in Vietnam attempted to infiltrate U.S. government officials’ devices with spyware earlier this year, according to a new report, as well as devices belonging to a high-profile CNN anchor. The spyware was embedded in links placed in messages on the social media platform formerly known as Twitter. While the attempts appear to have been unsuccessful, they highlight the continued threat that spyware poses, specifically the Predator software, which Talos has written about previously. An Italian cybersecurity research group also recently found that bad actors were trying to spread spyware through fake national alerts in Italy. The actors set up a fake site posing as Italy’s recently released IT Alert program for natural disasters, urging users to download an app to receive critical alerts. (Washington Post, Cyber Security Hub)
**Can’t get enough Talos?**
- Talos Takes Ep. #158: How to find the right password management solution for you
- Why logging is one of the most overlooked aspects of incident response, and how Cisco Talos IR can help
- Snapshot fuzzing direct composition with WTF
- Ransomware versus data theft
**Upcoming events where you can find Talos**
ATT&CKcon 4.0 (Oct. 24 - 25)
McLean, Virginia
Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
misecCON (Nov. 17)
Lansing, Michigan
Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines.
**Most prevalent malware files from Talos telemetry over the past week**
Related news
Among the top exploited zero-day vulnerabilities were bugs found in systems from Citrix and Cisco.
This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f...
Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.
Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first
A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.
By Deeba Ahmed. It is unclear how long Cisco will take to release a patch. (HackRead.com: Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices)
Researchers have found that a recently disclosed vulnerability in Cisco IOS XE has already led to thousands of compromised devices. (Malwarebytes Labs: Cisco IOS XE vulnerability widely exploited in the wild)
Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices with an implant for arbitrary code execution on them. The vendor meanwhile has updated the advisory with more mitigation steps.
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have
By Waqas. Another day, another critical vulnerability hits Cisco! (HackRead.com: New Cisco Web UI Vulnerability Exploited by Attackers)
No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory. Cisco will provide updates on the status of this investigation and when a software patch is available.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.