Communication services provider Twilio this week disclosed that it experienced another "brief security incident" in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access of customer information.
The security event occurred on June 29, 2022, the company said in an updated advisory shared this week, as part of its probe into the digital break-in

Communication services provider **Twilio** this week disclosed that it experienced another "brief security incident" in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access of customer information.

The security event occurred on June 29, 2022, the company said in an updated advisory shared this week, as part of its probe into the digital break-in.

"In the June incident, a Twilio employee was socially engineered through voice phishing (or 'vishing') to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers," Twilio said.

It further said the access gained following the successful attack was identified and thwarted within 12 hours, and that it had alerted impacted customers on July 2, 2022.

The San Francisco-based firm did not reveal the exact number of customers impacted by the June incident, and why the disclosure was made four months after it took place. Details of the second breach come as Twilio noted the threat actors accessed the data of 209 customers, up from 163 it reported on August 24, and 93 Authy users.

Twilio, which offers personalized customer engagement software, has over 270,000 customers, while its Authy two-factor authentication service has approximately 75 million total users.

"The last observed unauthorized activity in our environment was on August 9, 2022," it said, adding, "There is no evidence that the malicious actors accessed Twilio customers' console account credentials, authentication tokens, or API keys."

To mitigate such attacks in the future, Twilio said it's distributing FIDO2-compliant hardware security keys to all employees, implementing additional layers of control within its VPN, and conducting mandatory security training for employees to improve awareness about social engineering attacks.

The attack against Twilio has been attributed to a hacking group tracked by Group-IB and Okta under the names 0ktapus and Scatter Swine, and is part of a broader campaign against software, telecom, financial, and education companies.

The infection chains entailed identifying mobile phone numbers of employees, followed by sending rogue SMSes or calling those numbers to trick them into clicking on fake login pages, and harvesting the credentials entered for follow-on reconnaissance operations within the networks.

As many as 136 organizations are estimated to have been targeted, some of which include Klaviyo, MailChimp, DigitalOcean, Signal, Okta, and an unsuccessful attack aimed at Cloudflare.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Twilio Reveals Another Breach from the Same Hackers Behind the August Hack

**SAN FRANCISCO, October 28, 2022** — Nozomi Networks Inc., the leader in OT and IoT security, today announced the SANS 2022 OT/ICS Cybersecurity Report finds ICS cybersecurity threats remain high as adversaries set their sights on control system components. In response, organizations have significantly matured their security postures since last year. In spite of the progress, more than a third (35%) don’t know whether their organizations had been compromised and attacks on engineering workstations doubled in the last 12 months.

> “In the last year, Nozomi Networks researchers and the ICS cybersecurity community have witnessed attacks like Incontroller move beyond traditional targets on enterprise networks, to directly targeting OT,” said Nozomi Networks Co-founder and CPO Andrea Carcano. “While threat actors are honing their ICS skills, the specialized technologies and frameworks for a solid defense are available. The survey found that more organizations are proactively using them. Still, there’s work to be done. We encourage others to take steps now to minimize risk and maximize resilience.”

**ICS Cybersecurity Risks Remain High**

*   62% of respondents rated the risk to their OT environment as high or severe (down slightly from 69.8% in 2021).
*   Ransomware and financially motivated cybercrimes topped the list of threat vectors (39.7%) followed by nation-state sponsored attacks (38.8%). Non-ransomware criminal attacks came in third (cited by 32.1%), followed closely by hardware/software supply chain risks (30.4%).
*   While the number of respondents who said they had experienced a breach in the last 12 months dropped to 10.5% (down from 15% in 2021), 35% of those said the engineering workstation was an initial infection vector (doubling from 18.4% last year).
*   35% did not know whether their organizations had been compromised (down from 48%) and 24% were confident that they hadn’t had an incident, a 2x improvement over the previous year.
*   In general, IT compromises remain the dominant access vector (41%) followed by replication through removable media (37%).

**ICS Cybersecurity Postures are Maturing**

*   66% say their control system security budget increased over the past two years (up from 47% last year).
*   56% say they are now detecting compromises within the first 24 hours of an incident (up from 51% in 2021). The majority (69%) say they move from detection to containment within 6 to 24 hours.
*   87.5% have conducted a security audit of their OT/control systems or networks in the past year (up from 75.9% last year) – one-third (29%) have now implemented a continual assessment program.
*   The overwhelming majority (83%) monitor their OT system security. Of those, 41% used a dedicated OT SOC
*   Organizations are investing in ICS training and certification: 83% of respondents are professional control system certification holders – a significant jump from 54% in the last 12 months.
*   Nearly 80% have roles that emphasize ICS operations up from 50% in 2021.

**To learn more about the latest trends in OT/ICS cybersecurity:**

*   Download: The State of OT/ICS Cybersecurity in 2022 and Beyond

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nozomi Networks-Sponsored SANS Survey Finds Security Defenses are Getting Stronger as Cyber Threats to OT Environments Remain High

This year’s theme, “See Yourself in Cyber,” allowed Talos to highlight the various positions and people that make up our organization.

Friday, October 28, 2022 09:10

As yet another October comes to an end, so does another Cybersecurity Awareness Month. Since 2004 when the President of the United States and Congress declared October Cybersecurity Awareness Month, we’ve taken the time to share our cybersecurity knowledge with the broader general public year after year. This year we focused on the 2022 theme, “See Yourself in Cyber.” As the talent gap continues to affect the cybersecurity field, Talos aims to share resources and inspire the next generation of cyber defenders.

**See yourself in cyber**

This year’s theme, “See Yourself in Cyber,” allowed Talos to highlight the various positions and people that make up our organization. From team members with military backgrounds to no formal cybersecurity education there’s a place in Talos for everyone regardless of background, location or experience.

To showcase the different roles at Talos and within the cybersecurity community, we brought together a global panel of Talos members to share their career paths and offer career advice for those looking to start a career in the cyber field. Rewatch our “See Yourself in Cybersecurity” career panel livestream to learn how you can start a career in cybersecurity.

October also featured our sixth Researcher Spotlight, Cisco Talos Incident Response Principal Engineer Yuri Kramarz. Each month we spotlight a different researcher highlighting their career journey, work at Talos and cybersecurity career advice. Read Yuri’s spotlight and the rest of our Research Spotlight series here.

Our second livestream of the month, Threat Hunting 101, brought together a panel of threat researchers to not only discuss what Threat Hunting is but also how to start a career in the field. Through the round table conversation Talos members highlighted the key skills one needs to be a successful threat hunter and shared their thoughts on where they see the future of threat hunting headed. Watch the livestream on demand to learn how Talos approaches their threat hunting programs.

October may be Cybersecurity Awareness Month, but every day, our incident responders are working to keep our customers, partners – and ultimately the internet at large -- safe. We recognized our Incident Responders of the Cisco Talos Incident Response team and how their work impacts the world and what keeps them motivated every day on a nearly 24/7 basis.

It’s never too late to start a career in the cybersecurity field regardless of your previous experience. Cisco Talos Incident Response Consultant Gergana Karadzhova shared her six tips on how to pivot into cybersecurity as a mid-career professional to encourage those looking to break into the industry. Her first tip? It’s never too late! Sammi Seaman and Jon Munshaw also recorded a Talos Takes episode reflecting on their pivot from non-security fields to careers at Talos.

Interested in joining Team Talos? You can view all our current openings and apply here. Follow along with us all year long on social media and subscribe to our Threat Source newsletter to stay up to date on the latest threats news.

See Yourself in Cyber: A Cybersecurity Awareness Month recap

Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.

Thursday, October 27, 2022 14:10

Welcome to this week’s edition of the Threat Source newsletter.

There are plenty of jokes about whether we’re “aware” of cybersecurity during National Cybersecurity Awareness Month. But now I’m wondering if people are aware of supply chain attacks.

I thought we hit the pinnacle of supply chain attacks in 2020 with the SolarWinds attack, when these types of attacks dominated headlines and defenders started shouting from the mountaintops about how important it is to be ready for supply chain attacks.

And then Kaseya came along a few months later when attackers found a different way to deploy malicious updates that were disguised as legitimate patches.

And still today, we’re warning about the dangers of how prevalent supply chain attacks are and how everyone needs to be ready for this attacker technique. This leaves me wondering if Kaseya and SolarWinds weren’t the breaking point — what is?

It seems like no matter how many times we see major ransomware attacks, even coming to the point of making it impossible for people to get gas, attackers are back again with another ransomware attack a few weeks later.

We still have several hurdles to overcome to fix the supply chain attack problem, as Jaeson Schultz from our Outreach team outlined in this recent post. But it’s clear that these attacks aren’t going anywhere, and neither are defenders’ warnings.

As I wrote at the start of October, it can be easy to poke fun at Cybersecurity Awareness Month because it’s impossible to define what it even means to be “aware” of cybersecurity. Clearly, there’s still awareness to spread, though, and we keep needing to spread it in regard to supply chain attacks, ransomware and pretty much every other type of cyber attack.

**The one big thing**

For the first time since collecting such data, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats in the third quarter of 2022. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

**Why do I care?**

This data represents what Talos IR is actively seeing in the wild over the past few months and is likely representative of the broader threat landscape.

**So now what?**

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

**Top security headlines of the week**

The Biden administration is preparing to release updated guidelines and warnings around election security with a few days left before the midterm elections. A bulletin reportedly being drafted includes information on threats from Russia, China and other state-sponsored actors. Election workers and local officials are also having to deal with physical threats to polling workers and locations, all while the number of volunteers is dwindling. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency released a PSA stating that malicious cyber activity is "unlikely to disrupt or prevent voting." (Politico, Axios, Voice of America)

Apple released security updates for its iOS and iPadOS operating systems this week, including fixes for a vulnerability that “may have been actively exploited.” There are 20 vulnerabilities fixed in these updates in all. CVE-2022-42827 is the most notable vulnerability, which could allow an attacker to execute code with Kernel privileges via an attacker-controlled app. This is the third Kernel-related out-of-bounds memory vulnerability that Apple has patched in each of its previous security updates: CVE-2022-32894 and CVE-2022-32917. CVE-2022-32917 was known to be used in attacks in the wild. (Forbes, The Hacker News)

Two vulnerabilities in Microsoft's Mark of the Web (MoTW) security feature could allow an attacker to send JavaScript files that could bypass security blocks in place. Attackers are reportedly actively exploiting both issues, though Microsoft has yet to issue any formal fixes for the vulnerabilities, and there are no workarounds available. Mark of the Web protects users against files from untrusted sources, but the two vulnerabilities could allow the attackers to construct the files in a way that they are not appropriately marked by Windows. Attackers commonly use .js files as attachments or downloads that can run outside a web browser. (Dark Reading, Bleeping Computer)

**Can't get enough Talos?**

*   Talos Takes Ep. #118: Threat Hunting 101
*   Beers with Talos Ep. #127: I’m a skiddie, and you can too!
*   A bug in Abode’s home security system could let hackers remotely switch off cameras
*   Talos Incident Response Q3 2022 Quarterly Report

**Upcoming events where you can find Talos**

**Click or Treat? How not to fall for a phishing attack this Halloween** (Oct. 31)  
Virtual

**BSides Lisbon** (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
**MD5:** 2c8ea737a232fd03ab80db672d50a17a  
**Typical Filename:** LwssPlayer.scr  
**Claimed Product:** 梦想之巅幻灯播放器  
**Detection Name:** Auto.125E12.241442.in02

Threat Source newsletter (Oct. 27, 2022): I thought we were already aware of supply chain attacks?

Even if the security bug is not another Heartbleed, prepare like it might be, they note — it has potentially sprawling ramifications.

Organizations have five days to prepare for what the OpenSSL Project on Oct. 26 described as a "critical" vulnerability in versions 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.

On Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that will patch an as-yet-undisclosed flaw in current versions of the technology. The characteristics of the vulnerability and ease with which it can be exploited will determine the speed with which organizations will need to address the issue.

**Potentially Huge Implications**

Major operating system vendors, software publishers, email providers, and technology companies that have integrated OpenSSL into their products and services will likely have updated versions of their technologies timed for release with the OpenSSL Project's disclosure of the flaw next Tuesday. But that will still leave potentially millions of others — including federal agencies, private companies, service providers, network device manufacturers, and countless website operators — with a looming deadline to find and fix the vulnerability before threat actors begin to exploit it.

If the new vulnerability turns out to be another Heartbleed bug — the last critical vulnerability to impact OpenSSL — organizations and indeed the entire industry are going to be under the gun to address the issue as quickly as possible.

The Heartbleed vulnerability (CVE-2014-0160), disclosed in 2014, basically gave attackers a way to eavesdrop on Internet communications, steal data from services and users, to impersonate services, and do all this with little trace of their ever having done any of it. The bug existed in OpenSSL versions from March 2012 onward and affected a dizzying range of technologies, including widely used Web servers such as Nginx, Apache, and IIS; organizations such as Google, Akamai, CloudFlare, and Facebook; email and chat servers; network appliances from companies such as Cisco; and VPNs.

The disclosure of the bug triggered a frenzy of remedial activity across the industry and sparked concerns of major compromises. As Synopsys' Heartbleed.com site noted, Apache and Nginx alone accounted for a market share of over 66% of active sites on the Internet at the time Heartbleed was disclosed.

There's no telling, until Tuesday at least, if the new flaw will be anything like Heartbleed. But given the almost critical-infrastructure-like use of OpenSSL for encryption across the Internet, organizations would do well not to underestimate the threat, security experts said this week.

**Security Orgs Should Brace for Impact**

"It is a bit difficult to speculate about the impact, but past experience has shown that OpenSSL doesn't use the label 'critical' lightly," says Johannes Ullrich, dean of research at the SANS Institute.

OpenSSL itself defines a critical flaw as one that enables significant disclosure of the contents of server memory and potential user details, vulnerabilities that can be exploited easily and remotely to compromise server private keys.

Version 3.0, the current release of OpenSSL, is used in many current operating systems, such as Ubuntu 22.04 LTS and MacOS Mavericks and Ventura, Ullrich notes. Organizations can expect to receive Linux patches quickly and likely at the same time as the OpenSSL bulletin on Tuesday. But organizations should get ready now, finding out which systems use OpenSSL 3.0, Ullrich says. "After Heartbleed, OpenSSL introduced these preannouncements of security patches," he says. "They are supposed to help organizations prepare. So, use this time to find out what will need patching."

Brian Fox, co-founder and CTO at Sonatype, says that by the time the OpenSSL Project discloses the bug Tuesday, organizations need to identify if they are using a vulnerable version anywhere in their technology portfolio, which applications are using it, and how long it would take for them to remediate the issue. 

"Potential reach is always the most consequential piece of any major flaw," Fox notes. "In this instance, the largest challenge with updating OpenSSL is that often this usage is embedded inside of other devices." In these instances, it can be hard to assess exposure without asking the upstream provider of the technology, he adds.

Anything that communicates with the Internet securely could potentially have OpenSSL built in to it. And it's not just software that can be affected but hardware as well. The advance notice that the OpenSSL Project provided should give organizations time to prepare. "Finding what pieces of software or devices is the first step. Organizations should do that now, and then patching or sourcing updates from the upstream vendors will follow," Fox says. "All you can do at the moment is inventory."

**An Entire Ecosystem Might Need to Update**

A lot will also depend on how vendors of products with vulnerable versions of OpenSSL embedded in them respond to the disclosure. The OpenSSL Project's release of the new version on Tuesday is only the first step. "An entire ecosystem of applications built with OpenSSL will also have to update their code, release their own updates, and organizations will need to apply them," says John Bambenek, principal threat hunter at Netenrich.

Ideally, organizations that have dealt with Heartbleed will have an idea of where their OpenSSL installs are and which of their vendor products will require an update as well. "This is why software bills of materials can be important," Bambenek says. "They can take this time to reach out and understand their suppliers and vendors plans for updates to make sure those updates are applied as well." One likely issue that organizations need to be prepared for is how to deal with end-of-life products for which updates are not available, he adds.

Mike Parkin, senior technical engineer at Vulcan Cyber, says that without evidence of exploit activity and associated indicators of compromise, it is best that organizations follow their normal change management process for when a known update is on the way. "On the security side, it's worth putting some additional focus on systems that might be affected if an exploit emerges before the new release drops," he advises.

There's not enough information in OpenSSL Project's announcement to say how much work will be involved in the upgrade, "but unless it requires updating certificates, the upgrade will probably be straightforward," Parkin predicts.

Also on Nov. 1, the OpenSSL project will release OpenSSL version 1.1.1s, which it described as a "bug-fix release." Version 1.1.1, which it replaces, is not susceptible to the CVE that is being fixed in 3.0, the project noted.

Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn

Industry-first unified identity platform provides the building blocks to help businesses build and operate their unique identity process end-to-end.

**SAN FRANCISCO, Oct. 27, 2022 /PRNewswire/ —** Persona today launched the next evolution of its unified identity platform to help businesses mitigate online fraud and meet ever-evolving compliance standards. The new Persona platform connects, centralizes and orchestrates all fragmented identity data, disparate systems and identity operations under a single infrastructure. Leading companies—including Square, Gusto, Revel, Toast, Coursera, and Dapper Labs—leverage Persona to quickly adapt to evolving fraud techniques and regulatory compliance requirements—all while creating a frictionless experience for customers.

"With rising fraud rates and tightening regulation, organizations need to ensure the people and businesses they work with are who they say they are," said Rick Song, CEO, Persona. "But the way businesses manage and verify their customers' identities today is purely transactional. This is because identity is ever-evolving and incredibly resource-intensive to manage. No use case is created equal. The rigor necessary for a company to verify one user might drastically differ from another due to a number of factors, including transaction risk, location and associated regulations. And applying a one-size-fits all approach leads to high failure rates and frustrated customers."

**The New Persona Platform: Building Blocks for Identity Operations**

In order for businesses to effectively mitigate fraud and stay compliant, they need to be able to customize the way they interact and build a relationship with each user. Persona's configurable building blocks allow organizations to tailor and streamline each stage of their unique identity processes. Solutions include:

*   **Verifications:** the industry's most robust and fully-automated suite of international verification tools—e.g., database, documentary, biometric, digital ID, and behavioral signals.
*   **Dynamic Flow:** the first dynamic risk assessment engine that customizes the way businesses collect and verify information based on real-time signals.
*   **Cases:** a fully-customizable investigation center that can be tailored and optimized for every team's unique internal review processes.
*   **Workflows:** a flexible no-code identity process automation builder that can ingest data, automate complex decisions, and trigger actions.
*   **Graph:** a link analysis and fraud investigation solution that proactively surfaces hidden fraud rings and detects new fraud patterns.
*   **Marketplace:** a robust library of integrations with identity data providers and business productivity applications that enables organizations to unsilo and connect identity data to their business systems for better decision-making and automation.

Each of Persona's products work independently and in tandem with each other, allowing businesses to build their ideal solution for any use case. Two of Persona's newest solutions, Graph and Marketplace, illustrate how Persona's building blocks work together seamlessly to power all identity operations from end to end in one place.

For example, if a business is having trouble preventing duplicate account fraud, they can use the Marketplace to consolidate active and passive signals from Persona with third-party signals, such as data from partners including Chainalysis and SentiLink. Graph then takes that information and surfaces suspicious patterns to prevent fraud before it escalates. Finally, the business can use the business platform integrations from the Persona Marketplace to automate any follow-up actions, such as updating accounts in Salesforce or closing out tickets in Zendesk.

Song continued, "In today's constantly changing digital landscape, organizations struggle to balance fraud mitigation and conversion optimization without putting a huge strain on their operations team. With Persona's re-architected platform, companies can tackle every identity need—from identity verification to fraud review—individually, or orchestrate and safeguard their identity operations from end to end by combining building blocks on one cohesive platform."

**ABOUT PERSONA**

Persona offers a unified identity platform that gives businesses the building blocks they need to securely collect, verify, manage, and make decisions about individuals' and businesses' identities—along with automation and orchestration tools to streamline the entire process from end to end.

Founded in 2018, Persona is headquartered in San Francisco and is available in 200+ countries and territories and 20 different languages. Persona serves any business that needs to verify its customers online, including retail, fintech, marketplace, delivery services, real estate and hospitality, HR, edtech, legal services, home and childcare services, and more. For additional information, please visit https://withpersona.com/.

Persona Launches Unified Identity Platform to Fight Fraud and Reduce Compliance Risk

This is just the latest set of vulnerabilities Talos has discovered in the InRouter302.

Thursday, October 27, 2022 11:10

_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to access the router’s console and make changes to the router’s settings, including security protocols.

The InRouter is an industrial LTE router that includes remote management functionalities and several security protection mechanisms, such as VPN connections and a firewall.

This is just the latest set of vulnerabilities Talos has discovered in the InRouter302. We previously outlined how an attacker could string together several other since-patched security issues to gain root access to the device.

TALOS-2022-1523 (CVE-2022-25932) is actually an updated vulnerability for a new patch, as the previous security update to cover TALOS-2022-1472 and TALOS-2022-1474 was not effective.

Additionally, the router’s firmware contains leftover code in the debug feature. The InRouter302 offers telnet and SSHD services. When provided with the correct credentials, both will allow access to the router’s console. From the console, an attacker could manipulate several crucial security settings, including providing a specific command to manipulate the firmware signature verification flag and upload malicious firmware to the device.

These vulnerabilities are:

*   TALOS-2022-1518 (CVE-2022-29481)
*   TALOS-2022-1519 (CVE-2022-30543)
*   TALOS-2022-1520 (CVE-2022-26023)
*   TALOS-2022-1521 (CVE-2022-28689)

TALOS-2022-1522 (CVE-2022-29888) could be exploited if an attacker sends the device a specially crafted HTTP request. If exploited correctly, the adversary could gain the ability to delete arbitrary files on the device, potentially disrupting its operations or settings.

Cisco Talos worked with InHand Networks to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: InHand Networks InRouter302, version 3.5.45. Talos tested and confirmed these versions of the router could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 59152, 59153, 59882 – 59884 and 59886. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Vulnerabilities in InHand router could give attackers access to console, delete files

Rockwell Automation Stratix Devices Containing Cisco IOS

Older bugs in the AnyConnect Secure Mobility Client are being targeted in the wild, showcasing patch-management failures.

A pair of known security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows is being actively exploited in the wild, despite being patched for two-plus years.

The networking giant is warning that cybercrime groups are pressing two local privilege escalation (LPE) bugs into service, with active exploit chains against the VPN platform being observed starting this month.

The first flaw (CVE-2020-3153, with a CVSS score of 6.5) would allow a logged-in user to send a specially crafted IPC message to the AnyConnect process to perform DLL hijacking and execute arbitrary code on the affected machine with SYSTEM privileges. The second issue (CVE-2020-3433, with a CVSS score of 7.8) could allow a logged-in user to copy arbitrary files to system-level directories with SYSTEM privileges.

"In October 2022, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild," Cisco noted in the updated advisories.

The situation showcases the danger that older vulnerabilities continue to pose to companies and individuals. LPE patches are often de-prioritized in the glut of updates that businesses are faced with every month, but exploit chains often combine a remote code execution (RCE) bug for initial access with an LPE exploit for burrowing deeper into corporate networks and uncovering sensitive information.

The US Cybersecurity and Infrastructure Security Agency (CISA) also this week added the bugs to its Known Exploited Vulnerabilities (KEV) catalog, along with four even older bugs in Cisco's Gigabyte gaming and graphics drivers (CVE-2018-19320, CVE-2018-19321, CVE-2018-19322, CVE-2018-19323). Sophos flagged exploitation of the latter earlier in the month by the BlackByte ransomware gang.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco Warns AnyConnect VPNs Under Active Cyberattack

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and re-authenticate. A sustained attack could prevent new SSL VPN connections from being established. Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention. Cisco Meraki has released software updates that address this vulnerability.

This vulnerability affects the following Cisco Meraki products if they are running a vulnerable release of Cisco Meraki MX firmware and have Cisco AnyConnect VPN enabled:

*   MX64
*   MX64W
*   MX65
*   MX65W
*   MX67
*   MX67CW
*   MX67W
*   MX68
*   MX68CW
*   MX68W
*   MX75
*   MX84
*   MX85
*   MX95
*   MX100
*   MX105
*   MX250
*   MX400
*   MX450
*   MX600
*   vMX
*   Z3C
*   Z3

**Note:** Cisco AnyConnect VPN is supported on Cisco Meraki MX Series and Cisco Meraki Z3 Teleworker Gateway devices that run Cisco Meraki MX firmware releases 16.2 and later, except for Cisco Meraki MX64 and MX65, which support Cisco AnyConnect VPN only if they are running Cisco Meraki MX firmware releases 17.6 and later.

For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

**Determine the Device Configuration**

**Determine Whether Cisco AnyConnect VPN Is Enabled on Cisco Meraki MX Devices**

To determine whether Cisco AnyConnect VPN is enabled on a Cisco Meraki MX device, complete the following steps:

1.  Log in to the **Dashboard**.
2.  Choose **Security Appliance > Configure > Client VPN** in the combined view.
3.  Choose the **AnyConnect Settings** tab.

If the **Enabled** radio button is selected, the device is configured to support Cisco AnyConnect VPN.

If the Cisco AnyConnect Settings tab is not displayed, or if the **Disabled** radio button is selected, the device is not impacted by the vulnerability described in this advisory.

**Determine Whether Cisco AnyConnect VPN Is Enabled on Cisco Meraki** **Z3 Teleworker Gateway Devices**

To determine whether Cisco AnyConnect VPN is enabled on Cisco Meraki Z3 Teleworker Gateway devices, complete the following steps:

1.  Log in to the **Dashboard**.
2.  Choose **Teleworker gateway > Configure > Client VPN** in the combined view.
3.  Choose the **AnyConnect Settings** tab.

If the **Enabled** radio button is selected, the device is configured to support Cisco AnyConnect VPN.

If the Cisco AnyConnect Settings tab is not displayed, or if the **Disabled** radio button is selected, the device is not impacted by the vulnerability described in this advisory.

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

*   Meraki MX 60
*   Meraki MX 80
*   Meraki MX 90
*   Meraki Z1
*   Adaptive Security Appliance (ASA) Software
*   Firepower Threat Defense (FTD) Software
*   IOS Software
*   IOS XE Software

Tag

#cisco