Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices with an implant for arbitrary code execution on them. The vendor meanwhile has updated the advisory with more mitigation steps.

A threat actor has already infected thousands of Internet exposed Cisco IOS XE devices with an implant for arbitrary code execution via an as-yet-unpatched maximum severity vulnerability in the operating system.

Cisco disclosed the flaw, identified as CVE-2023-20198, on Oct. 17, with a warning about exploit activity in the wild targeting the flaw. The bug, which has a severity rating of 10 out of 10 on the CVSS vulnerability-severity scale, is present in the Web UI component of IOS XE. 

The company said it had observed an attacker using the vulnerability to gain administrator level privileges on IOS XE devices, and then, in an apparent patch bypass, abusing an older remote code execution (RCE) flaw from 2021 (CVE-2021-1435) to drop a Lua-language implant on affected systems.

Now, those attacks appear to have a global footprint.

**Unpatched Bug Leads to 10K Infected Cisco Systems**

Cisco's security advisory noted that the company had responded to reports of unusual activity tied to the flaw from multiple customers. But the actual scope of the infections appears to be a lot higher than what was apparent from the advisory.

Jacob Baines, CTO at VulnCheck says his company has fingerprinted at least 10,000 Cisco IOS XE systems with the implant on them — and that's from scanning just half of the affected devices that are visible on search engines such as Shodan and Censys.

"From what we can tell, it doesn't not appear to be localized," Baines says. "The IPs geolocate to a wide number of countries all over the globe."

Baines says it's somewhat difficult to determine if the attacks are opportunistic or targeted. On the one hand, opportunistic attacks often involve threat actors using publicly available or researcher-developed proof-of-concept (PoC) exploits. 

But that's not what has happened with the activity targeted at CVE-2023-20198 so far, he says. "Not only did the attackers allegedly use a zero day — and perhaps a second patch bypass — but they also deployed a custom implant. That isn't opportunistic." 

Yet at the same time, the sheer number of exploited systems suggests more of an indiscriminate approach, Baines says.

**Cisco Pwning Likely From a Single Threat Actor**

The fact that the compromised Cisco IOS XE systems all have the same implant suggests that one threat actor is behind the attacks. "Because the initial auth-bypass vulnerability was — and still is unpatched —finding vulnerable targets is as simple as a Shodan query," Baines adds. Because Cisco has not made details of the vulnerability public yet, it is to ascertain how easy or not CVE-2023-20198 is to exploit, he notes.

Researchers at Detectify too on Oct. 17 reported observing what appears to be Internet-wide exploit activity targeting the Cisco zero-day vulnerability. But they believe the threat actor behind it is opportunistically hitting every affected system they can find. "The attackers seem to be casting a wide net by attempting to exploit systems without a specific target in mind first," one researcher from the firm says. The approach appears to be to "exploit everything first and then determine what is interesting." Detectify's researchers shared Baines' assessment about affected systems being trivially easy to find via search engines like Shodan.

Detectify's team only verified a relatively limited number of systems as being infected while building a test for detecting the implant for customers, the researcher says. But it is conceivable that thousands of systems have the implant, the researcher adds.

**Access Lists Are Effective Mitigation**

Cisco has not yet released a patch for the zero-day threat. But the company has recommended that organizations with affected systems immediately disable the HTTPS Server feature on Internet-facing IOS XE devices. On Oct. 17, Cisco updated its advisory to note that controlling access to the HTTPS Server feature using access lists, works as well.

"We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation," Cisco said. When implementing access controls for these services, organization need to be cognizant of what they are doing because of the potential for interruption of production services, the company cautioned.

Cisco did not respond to a Dark Reading question about the reports about thousands of systems having the implant via the new zero-day bug. But in an emailed statement the company said it is "working non-stop" to provide a software fix. In the meantime, customers should immediately implement the steps outlined in the security advisory, the statement reiterated. 

"Cisco has nothing more to share at this time but will provide an update on the status of our investigation through the security advisory. Please refer to the security advisory and Talos blog for additional details."

Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised

The ClearFake campaign uses fake browser updates to lure victims and spread RedLine, Amadey, and Lumma stealers.

A threat actor has been abusing proprietary blockchain technology to hide malicious code in a campaign that uses fake browser updates to spread various malware, including the infostealers RedLine, Amadey, and Lumma.

While abuse of blockchain is typically seen in attacks aimed at stealing cryptocurrency — as the security technology is best known for protecting these transactions — EtherHiding demonstrates how attackers can leverage it for other types of malicious activity.

Researchers from Guardio have been tracking a campaign dubbed ClearFake over the last two months in which users are misled into downloading malicious fake browser updates from at least 30 highjacked WordPress sites.

The campaign uses a technique called "EtherHiding," which "presents a novel twist on serving malicious code" by using Binance Smart Chain (BSC) contracts from Binance — one of the world's largest cryptocurrency sites — to host parts of a malicious code chain "in what is the next level of Bullet-Proof Hosting," according to a recent post by Guardio.

"BSC is owned by Binance and focuses on contracts: coded agreements that execute actions automatically when certain conditions are met," Guardio explained in the post. "These contracts offer innovative ways to build applications and processes. Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown."

Attackers are leveraging this in their attack by hosting and serving malicious code in a manner that can't be blocked, making it difficult to stop the activity. "This campaign is up and harder than ever to detect and take down," according to the post.

Attackers turned to this tack when their initial method of hosing code on abused Cloudflare Worker hosts was taken down, the researchers noted. "They've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain," according to the post.

**How the EtherHiding Cyberattack Works**

The attack begins when threat actors use compromised WordPress sites to embed a concealed JavaScript code that is injected into the pages, which retrieves a second-stage payload from an attacker-controlled server. From there, attackers deface websites with "a very believable overlay demanding a browser update before the site can be accessed," according to Guardio.

"Using this method, the attacker can remotely and instantly modify the infection process and display any message they want," according to the post. "It can change tactics, update blocked domains, and switch out detected payloads without re-accessing the WordPress sites."

**Blocking Blockchain Abuse**

While blockchain and other Web 3.0 technologies bring innovation, they are also rife for abuse by threat actors that are continuously adapting to leverage their benefits for nefarious activity.

"Beyond this specific exploit, blockchain can be misused in myriad ways, from malware propagation stages to data exfiltration of stolen credentials and files, all eluding traditional law enforcement shutdown methods," according to Guardio.

One simple way to block the ClearFake attack would be for Binance to disable any query to addresses already tagged as "malicious," or disable the eth\_call debug method for unvalidated contracts, according to the post. The researchers did not disclose if they contacted Binance about this potential fix.

Securing WordPress sites — which are prone to vulnerabilities and thus ripe for exploitation — also would block the gateway for threats like this to have broad victim impact, according to Guardio.

To this end, the researchers recommend protecting sites by keeping WordPress infrastructure and plugins updated, safeguarding credentials, using robust, periodically-changed passwords, and generally keeping a close eye on what's happening on sites to detect malicious activity.

'Etherhiding' Blockchain Technique Masks Malicious Code in WordPress Sites

Updating your browser when prompted is a good practice, just make sure the notification comes from the vendor themselves.

Threat actors are using cybersecurity best practices against you, hiding malware inside of fake browser updates.

They do so by seeding legitimate but vulnerable websites with malicious JavaScript. Upon loading, the code presents users with convincing browser update notifications, masking dangerous payloads.

According to a Oct. 17 report from Proofpoint, the trend began with one threat actor, TA569, and it has since been adopted by at least four different threat clusters, in what appears to be a growing and intractable new trend.

"TA569 has been very active for quite some time, and I've seen how difficult it has been for customers to understand and remediate the threat on their own," says Daniel Blackford, senior manager of threat research at Proofpoint. Because it's so effective, he adds, "other threat actors have absolutely piggybacked on it."

**Malicious Code, Hidden in Honest Websites**

Though they may vary in the particulars, each of the four threat clusters tracked by Proofpoint follow largely the same script.

First, the actors take advantage of a legitimate but vulnerable website, injecting their own malicious JavaScript code.

"It's generally very opportunistic. We have seen it across basically every industry: media, local sports associations — like kids' soccer groups — software companies, in some cases," Blackford says.

It might be an unpatched vulnerability, or a WordPress misconfiguration that provides the opening, "but it doesn't always have to be the website itself. It can be any assets that are imported into the website — any type of styling template, media player, or pretty much any third-party code," he says.

When an end user loads the website, the attackers' script runs alongside the rest of the site's various assets. Its job is to refer traffic to an attacker-controlled domain.

**The Fake Browser Update Lure**

From here, Blackford explains, "the Web inject is going to take some information about your system — you're coming from this geographic location, you're using this browser version. It can determine whether you're in some type of virtual environment or not. And if you pass all of the criteria, then it's going to reach out to that backend server and pull in the fake Update page."

The update lures are designed to look like they're coming from the browser's developers, with a clean look and relevant iconography. The following screenshots, courtesy of the security researcher Jerome Segura, capture fake updates from TA569 and another cluster, "FakeSG," also known as "RogueRaticate" (see below).

If a user falls for the trap and clicks "Update," they download malware to their computer.

If the attacker is TA569, for example, a user will download its signature "SocGholish" initial access malware. In the past, SocGholish has been used as a primer for ransomware, including WastedLocker, LockBit, Drydex, Hive, and more.

**How to Avoid Fake Browser Updates**

Employees and otherwise educated civilians are taught to avoid links and attachments in unrecognized emails or text messages. They might know to avoid a seedy-looking link, but what about a notification coming from their browser?

To suss out a real update from a fake one, Blackford urges users to pay attention to how their trusted websites and browsers typically behave, and whether anything happens that doesn't align with the usual pattern.

"Nine times out of 10, I'll go to my kid's soccer league website and see: okay, we've got a match against some other school on Wednesday, and nothing happens. And then one time, all of a sudden, I'm redirected to a page that says I'm using an old version of Chrome, click this button to update. That difference in pattern should be the trigger," he says, while admitting that "it's not easy to spot. But that's also why bad guys continue to make money hand over fist."

In the end, users shouldn't be spooked from maintaining their cybersecurity hygiene. "Updating your browser is a good security practice," Blackford maintains, "and I strongly suggest that people do it."

Watch Out: Attackers Are Hiding Malware in 'Browser Updates'

Avoid these errors to get the greatest value from your incident response training sessions.

An incident response tabletop exercise is a discussion-based practice that uses a hypothetical situation to coach a technical or executive audience through the cybersecurity incident response life cycle. During the exercise, you don't alter any technical controls nor introduce malware into the IT environment. Nevertheless, you must tailor the tabletop exercise to your organization's technical environment, industry, sector, and business objectives.

Due to the discussion-based nature, most organizations consider a tabletop exercise to be a relatively easy training session that consists of a long conversation while looking at PowerPoint slides. However, if it's not performed properly, it can be easy to lose the efficiency and value a tabletop exercise can provide.

**6 Common Tabletop Exercise Mistakes**

The following are six of the most common mistakes organizations make when doing incident response tabletop exercises.

**Not taking a social approach.** Most tabletop exercises involve between eight and 25 people. If the facilitator enables only one or two technical leaders to speak, it quickly becomes a two- or four-hour lecture, rather than a training. No one wants to be talked at for hours on end; the words go in one ear and out the other. A discussion-based approach can help ensure efficiency, but solely conversing about the current threat is where more tabletop exercises fall short.

Instead, build a social approach into your tabletop exercise and related materials. Encourage all participants to begin each discussion by brainstorming out loud, then collaborating and debating the ideas, and finally making decisions about the incident response plan — which might be deciding it's best to take no action at this time.

**Not varying the participants**. Another mistake many organizations make is including the exact same people in every tabletop exercise. There can be a lot of value in adding different teams or stakeholders for different scenarios. For example, I recently hosted a tabletop exercise that included an organization's board of directors so that they could make appropriate-level decisions and insights on the new SEC disclosure requirements. Tabletop exercises can speak to a lot of different cybersecurity-related risks, such as financial loss, legal impacts, and reputation.

Facilitators can make the exercise multidimensional by introducing the business impacts of cybersecurity incidents. For example, when facilitating a ransomware scenario with an executive audience, I try to address the organization's ability to make payroll (a problem that was recently observed in ransomware attacks against resorts and casinos), a legitimate issue that many organizations may face. This highlights ransomware's operational impacts and risks and gets the finance team more involved. Another example is inviting legal and human resources professionals to provide input for insider threat scenarios, which have multiple potential damage or risk dimensions.

**Repeatedly using the same scenario threat type.** For the past few years, organizations have most often focused on ransomware scenarios in both technical and executive tabletops. But there are many other focus areas that can be evaluated in a tabletop exercise.

Changing the threat type can help an organization be more robust, well-rounded, and resilient. If an organization is prepared for a malware incident but not an insider threat-related data breach, it remains vulnerable to various threats.

**Choosing a "doomsday" scenario.** Some tabletop exercises don't adequately gauge the scenario's impact and exaggerate the potential damage. The scenario needs to feel realistic but not be so horrible that participants feel helpless and defeated. This dampens the value of cybersecurity training, making people never want to do a tabletop exercise ever again.

The tabletop exercise should be fun, entertaining at times, and continually motivating. The scenario must be shocking enough to provide insight and challenge participants but not impossible to overcome.

**Not implementing the lessons learned.** When an organization doesn't implement the recommendations from a tabletop exercise, nearly the same exact lessons learned will come up in the next tabletop exercise. That makes the entire exercise almost wasteful of people's time.

A tabletop exercise can identify significant areas of opportunity. Always have at least one notetaker to scribe the brainstorming, collaboration, and decisions made during the exercise. Compare those notes to the lessons learned, best practices, and priorities for putting them into action and maturing the organization's cyber resilience.

**Not scoping the exercise and expectations correctly.** The last mistake many leaders make is expecting the tabletop exercise to identify all the problems or vulnerabilities in an environment. Because the tabletop exercise is based on one scenario, it can reveal risks and vulnerabilities associated with that specific threat type.

While different threat types have some common vulnerabilities and risks, different scenarios will uncover different weaknesses across people, skill sets, technology, and policies, depending upon the audience.

This is another reason it's important to change the scenario focus for each tabletop exercise: It gives the team safe, realistic exposures to the variety of threats they are working diligently every day to protect the business from.

Top 6 Mistakes in Incident Response Tabletop Exercises

HIPAA compliance does not equal security, as continuing attacks on healthcare organizations show. Medical devices need to be secured.

Connected medical devices have revolutionized patient care and experience. However, the use of these devices to handle clinical and operational tasks has made them a target for attackers looking to profit off of valuable patient data and disrupted operations. In fact, when Palo Alto Networks scanned more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations, it found that 75% of them had at least one vulnerability or security alert.

Besides being difficult to protect, these connected devices present challenges when it comes to complying with the security requirements of laws such as the Health Insurance Portability and Accountability Act (HIPAA). Luckily, there are several strategies hospitals can leverage to bolster their defenses. Here are five actionable ways hospitals can help secure medical devices and provide life-saving patient care without disruption.

**1\. Maintaining Vigilant Visibility**

Developing a zero-trust (ZT) security approach is critical to defend against today's sophisticated attacks, but the first step is establishing complete visibility of all assets across the network. Infosec and biomed teams need a comprehensive picture of all the assets being used on a hospital's network and how many are connected medical devices to get a clear understanding of their points of vulnerability. Then teams must go beyond the device level by identifying the main applications and key components that are running underneath the operating system to truly enforce a ZT approach. For example, having insights into various applications, such as electronic health records (EHRs), picture archiving, and communications systems (PACS), that process digital imaging and communications in medicine (DICOM) and Fast Healthcare Interoperability Resources (FHIR) data and other business-critical applications can improve the overall visibility posture of assets.

**2\. Identifying Device Exposures**

Many devices are linked to different vulnerabilities that fall under two categories: static and dynamic exposures. For example, static exposures typically consist of Common Vulnerabilities and Exposures (CVEs) that can be independently addressed. In contrast, dynamic exposures can be found in how devices communicate with each other and where they send information (within the hospital or to third parties), making them more challenging to identify and address. Luckily, artificial intelligence (AI) and automation will play an increasingly important role in helping hospitals identify these exposures by providing data-driven insights and proactive recommendations on how to remediate them more efficiently.

**3\. Implementing a Zero-Trust Approach**

Once hospitals have a clear grasp of their assets and exposures, they can embrace a ZT approach by limiting access to vulnerable devices and applications. By separating devices and workloads into microsegments, administrators can better manage security policies based on least privilege access. This can help hospitals reduce their attack surfaces, improve breach containment, and strengthen regulatory compliance by placing devices onto various segments with different requirements and security controls. For example, if a computer is compromised within the hospital, microsegmentation can limit the damage to that specific device without impacting medical devices critical to patient care.

**4\. Rolling Out Virtual Patching for Legacy Systems**

Medical devices have been in use at hospitals for over a decade and, as such, often run on legacy software and systems. Because of their use requirements, hospitals may not be able to upgrade or patch the specialized medical system, which can lead to a variety of unique security issues. Additionally, hospitals may not be able to afford to take devices offline to update or patch due to the risks of loss of care for the patient. As hospitals adopt a ZT approach, they can invest in other forms of protection, such as virtual patching to reduce medical device exposures. For example, tools like next-generation firewalls can apply defenses around the device's network and application layers without needing to physically touch the device.

**5\. Instituting Transparency Across the Ecosystem**

Communication and transparency are critical to preventing threats from the start. Hospital CSOs and infosec teams must be included in the device procurement process because they offer a critical perspective on how to best protect devices throughout their life cycles. Hospitals, security teams, vendors, and device manufacturers must work together to create solutions and strategies that keep security at the forefront of a medical device's defense. Historically, when hospitals were under attack, security teams worked together to defend against attackers. However, post-attack, the information stayed between the security teams and hospitals, with very little information (if any) going back to inform the device manufacturer about how they could improve their devices' security. Hospitals must be more proactive when it comes to sharing direct feedback with device manufacturers on areas for improvement.

Ultimately, as cybersecurity policies continue to evolve for medical devices, there are ways in which we can create solutions to solve security challenges both now and in the future. Regardless of the unknowns, we can make a more proactive effort to ensure we're enabling a shift-left approach to security and fostering a culture of cyber resiliency for the medical community.

5 Ways Hospitals Can Help Improve Their IoT Security

Enterprises need to create a secure structure for tracking, assessing, and monitoring their growing stable of AI business apps.

There is no doubt that generative artificial intelligence (GenAI) is going to change how business gets done. Research firms are estimating huge productivity gains across all sectors that, if fulfilled, would completely transform every industry. With such great potential gain, it is clear why every enterprise is striving to enable their teams to build AI-powered applications as fast as possible. However, security teams must act now to ensure these apps will hold up to scrutiny.

**The Race to Capture AI Business Value First**

Some enterprises have already built hundreds of AI-powered apps so far. The rate of development is just incredible, with notable examples like Microsoft releasing Copilot applications at a rate far beyond what a huge enterprise typically delivers.

Because of the immaturity of the frameworks and tooling around AI app development, these are being built with a wide range of technologies. Development frameworks that build on top of the few fundamental models are numerous and vary significantly, and they keep on popping up. Frameworks such as LangChain and AutoGPT have gained significant popularity at an unprecedented pace. In a major enterprise, you can easily expect to find tens of different frameworks being used to build these applications.

The first organizations that are able to capture productivity gains from AI before others will have a huge win. Therefore, we are taking part in a race where we have to make do with the frameworks available right now and just get things done. It will probably take a long time for frameworks to standardize, and by that time you'll already be late to the game.

We have to face reality: Business is being reimagined — with unproven tools, frameworks, and threat models — at an unprecedented pace.

**Security: Where Do We Even Begin?**

Building so many new applications in such a short time frame has huge security implications. First, these are just more applications, with the same security risks as any other application introduces; they need to get identity, dataflow, and secret management right, to name a few concerns. Second, GenAI creates some unique security challenges, which frameworks such as the OWASP LLM Top 10 help to capture and educate on.

Advanced security organizations, in collaboration with IT, are putting together dedicated centers to inventory, assess, and secure these applications. Note that these require creating entirely new processes and newly delegated responsibilities. Ideally, these centers can act as an enabling resource for developers, offering threat modeling and design review services to ensure secure standards are met.

Creating a centralized resource is not an easy feat. Finding all AI-powered projects across an enterprise is a huge challenge, as inventory always is. Developing the technical skills required to audit these applications is difficult as well — especially due to the proliferation of different AI frameworks, each with its own quirks and gotchas. Monitoring these apps in production is yet another challenge, both from a technical perspective of getting the right data from immature development frameworks and from the security analysis perspective of knowing what to look for.

These are not insurmountable challenges, however. In fact, they follow the typical application security problem formula of inventory, security assessment, and runtime protection. To get ahead and enable our business to capture the AI revolution first, we have to start making headway in solving those problems.

Security Must Empower AI Developers Now

A spoofed version of the popular RedAlert app collects sensitive user data on Israeli citizens, including contacts, call logs, SMS account details, and more.

Attackers are spoofing a widely used open source application that warns Israelis of incoming airstrikes, called RedAlert, to lure users into downloading a malicious version of the software that, instead of telling those under attack where to seek safety, collects their sensitive data.

Applications warning Israelis of incoming airstrikes have become a trending attack vector for pro-Palestinian threat groups, according to a new report from Cloudflare. The latest round of cyberattacks uses a modified version of the open source RedAlert to lure users into downloading the spoofed version, which then provides cybercriminals with access to contacts, call logs, SMS details, a list of accounts associated with the device, as well as insights into other apps installed on a victim's device, Cloudflare added.

"Only users who installed the Android version of the app from this specific website are impacted and urgently advised to delete the app," Cloudflare said. "Users can determine if they installed the malicious version by reviewing the permissions granted to the RedAlert app."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Malicious 'Airstrike Alert' App Targets Israelis

**PRESS RELEASE**

**Woburn, MA – October 16, 2023 —** Kaspersky today announces the launch of a full-featured solution for containerized environments, Kaspersky Container Security (KCS). This solution offers secure containerized application at all stages, from development to operation. The product becomes active directly after installation, is low-cost, simple to deploy and easily integrates into the company’s IT infrastructure. Together with Kaspersky Hybrid Cloud Security, KCS forms a security ecosystem for hybrid and cloud infrastructures.  

Containerization is becoming an increasingly popular choice in software development as it helps developers to more rapidly create and deploy high-profile applications. The main advantage of the technology is its autonomy, which is reflected in its name. Like bagged cargo on a container ship, the container holds everything that is needed to develop, deliver and deploy an application (microservice), binary code, associated configurated files, libraries and dependencies. This allows containerized applications to be easily portable, highly reliable and capable of being run by distributed teams.

Containerized environments need protection, as the number of cyber incidents continues to grow. To counter this problem, Kaspersky launched Kaspersky Container Security, a specialized solution for containerized environments designed to protect businesses that already use or plan to implement containers. The product provides security for all stages of containerized application development. In addition to the development process, the solution protects runtime. For example, it controls the launch of only trusted containers, the operation of application and services inside the containers, and monitors the traffic.

There are three main components in Kaspersky Container Security: 'KCS scanner,' 'KCS agent,' and managing 'KCS server':

*   KCS scanner checks configuration files for misconfigurations, scans images for vulnerabilities, malware, sensitive data, and checks them for accordance with assurance policies within the image registry and CI/CD platforms.
*   KCS agent ensures protection from various attacks on the application in the container, monitors container and network interactions in clusters, and checks the whole system for compliance with security standards.
*   KCS server aggregates the data received from the scanner and the agent, allows customers to visualize data and to generate reports, and integrates with other security solutions (e.g., SIEMs like Kaspersky’s KUMA).

Kaspersky Container Security easily integrates into DevSecOps framework of organization, CI/CD\[1\] pipelines and infrastructure. It can strengthen DevOps protection both for companies with developed DevSecOps processes and for companies that only begin to implement them. The solution also allows predictable deadlines to be set for the application to be released due to the automation of security and compliance checks on all the stages.

_"Containerization is the new normal, but its risks are not covered by traditional endpoint or virtual machine security solutions as it requires specific solutions,"_ said Timofey Titkov, head of the cloud and network security product line at Kaspersky. "_This is why we launched Kaspersky Container Security (KCS), a solution that protects containerized application during its life cycle including runtime, the most vulnerable area. KCS helps our customers to build the DevSecOps process where security is ensured at every stage of development. This launch is an important step towards one of Kaspersky's key goals to provide comprehensive protection to all types of digital assets of our customers."_

To learn more about Kaspersky Container Security, please visit the website.

Kaspersky Launches Specialized Security Solution for Containerized Environments

No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.

Cisco is asking customers to immediately disable the HTTPS Server feature on all of their Internet-facing IOS XE devices to protect against a critical zero-day vulnerability in the Web User Interface of the operating system that an attacker is actively exploiting. 

Cisco IOS XE is the operating system that Cisco uses for its next-generation enterprise networking gear.

The flaw, assigned as CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled. No patch or other workaround is currently available for the flaw, which Cisco described as a privilege escalation issue that enables complete device takeover. Cisco has assigned the vulnerability a maximum possible severity rating of 10 out of 10 on the CVSS scale.

**CVE-2023-20198: Maximum-Severity Flaw**

"The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access," Cisco said in an advisory on Oct. 16 on the new zero-day bug. "The attacker can then use that account to gain control of the affected system." Privilege level 15 on a Cisco IOS system basically means having complete access to all commands including those for reloading the system and making configuration changes.

An unknown attacker has been exploiting the flaw, to access Cisco, Internet-facing IOS XE devices and drop a Lua-language implant that facilitates arbitrary command execution on affected systems. To drop the implant the threat actor has been leveraging another flaw — CVE-2021-1435 — a medium severity command injection vulnerability in the Web UI component of IOS XE, that Cisco patched in 2021. The threat actor has been able to deliver the implant successfully even on devices that are fully patched against CVE-2021-1435 via an as yet undetermined mechanism, Cisco Talos researchers said in an a separate advisory.

Cisco said it first got wind of the new vulnerability when responding to an incident involving unusual behavior on a customer device on Sept. 28. The company's subsequent investigation showed that malicious activity related to the vulnerability actually may have begun as early as Sept. 18. That first incident ended with the attacker leveraging the flaw to create a local user account with admin privileges from a suspicious IP address.

**Malicious Activity Cluster Targets Cisco Networking**

On October 12, Cisco's Talos Incident Response Team spotted another cluster of malicious activity related to the flaw. As with the first incident, the attacker initially created a local user account from a suspicious IP address. But this time around, the threat actor took several additional malicious actions including dropping the implant for arbitrary command injection.

"For the implant to become activity, the Web server must be restarted," Cisco Talos said. "In at least one observed case the server was not restarted so the implant never became active despite being installed," Cisco noted. The implant itself is not persistent, meaning that an organization can get rid of it via device reboot.

However, the local user accounts that attackers can create via CVE-2023-20198 are persistent and give attackers continued administrator level access on affected systems even after a device restart. Cisco Talos researchers urged organizations to be on the lookout for new or unexplained users on IOS XE devices as potential evidence that attackers have exploited the flaw. They also provided a command that organizations can use to determine if the implant is present on any affected device.

**Immediately Implement Guidance**

"We strongly recommend organizations that may be affected by the activity immediately implement the guidance outline in Cisco's Product Security Incident Response Team (PSIRT) advisory," the company said. Cisco has assessed the same threat actor is behind both clusters of malicious activity related to the new flaw.

Cisco IOS XE's Web UI component is a system management feature that allows administrators to provide the system. Cisco describes it as simplifying system deployment and manageability. CVE-2023-20198 is the second significant vulnerability that Cisco has disclosed in the same feature in recent weeks. In September, the company disclosed CVE-2023-20231, a command injection vulnerability that also allowed an attacker to obtain level 15 privileges on IOS XE devices.

Zero-day bugs — and any bugs that enable administrator level privileges — on network technologies such as those from Cisco are especially valuable for attackers. As the US Cybersecurity and Infrastructure Security Agency (CISA) and numerous others have noted, network routers switches, firewalls, load balancers, and other similar technologies are ideal targets because most or all traffic must flow through them.

Critical, Unpatched Cisco Zero-Day Bug Is Under Active Exploit

A threat group known as "Void Rabisu" used a spoofed Women Political Leaders Summit website to target attendees to the actual conference with espionage malware.

Attendees of August's Women Political Leaders Summit 2023 conference found themselves targeted by a spoofed event website loaded with a new cyber espionage malware variant called ROMCOM 4.0.

Leaders from all over the world attended the conference to explore the role of women in politics as well as prospects for peace in Ukraine. Specifically, the cyber espionage campaign targeted those helping to further gender equality in the European Union, according to a report from Trend Micro.

Just a year ago, Void Rabisu threat group was a a run-of-the-mill ransomware outfit, but the invasion of Ukraine offered an opportunity for the cybercriminals to get in on more nation-state, advanced persistent threat (APT) action, the Trend Micro report explained.

The group's primary malware strain has been updated to a new version, ROMCOM 4.0, and is used primarily to target politicians, the military, and government employees, Trend Micro observed.

"While we have no evidence that Void Rabisu is nation-state-sponsored, it's possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine," the report added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading