< ciso
brief />
Tag Banner

All news with #cisco tag

237 articles · page 10 of 12

ASD Warns of Ongoing BADCANDY Attacks on Cisco IOS XE

🛡️ The Australian Signals Directorate (ASD) has issued a bulletin warning of ongoing attacks using a Lua-based implant dubbed BADCANDY to compromise unpatched Cisco IOS XE devices via CVE-2023-20198. ASD reports variations have been seen since October 2023 and estimates about 400 Australian devices were compromised since July 2025, with 150 infections in October. Operators are urged to apply patches, restrict public access to the web UI, and follow Cisco hardening guidance.
read more →

Australia warns of BadCandy infections on Cisco devices

⚠️ The Australian Signals Directorate warns of ongoing attacks against unpatched Cisco IOS XE devices being backdoored with the Lua-based BadCandy webshell. The exploited flaw, CVE-2023-20198, allows unauthenticated actors to create local admin accounts via the web UI and execute commands with root privileges. Cisco issued a patch in October 2023, but many internet-exposed devices remain vulnerable and have been repeatedly re-infected.
read more →

ToolShell Exploit Drives Surge in SharePoint Attacks

🛡️ Cisco Talos reports a rapid rise in exploitation of public-facing applications following the mid‑July 2025 disclosure of the ToolShell chain, which targets on‑premises Microsoft SharePoint servers via CVE-2025-53770 and CVE-2025-53771. In Q3, application exploitation featured in over 60% of Talos Incident Response engagements, with ToolShell activity implicated in nearly 40% of cases. Talos urges expedited patching and network segmentation to limit lateral movement and downstream impacts such as ransomware.
read more →

PolarEdge Botnet Targets Cisco, ASUS, QNAP Routers

🔐 Cybersecurity researchers have detailed PolarEdge, a TLS-based ELF implant used to conscript Cisco, ASUS, QNAP and Synology routers into a botnet. The backdoor implements an mbedTLS v2.8.0 server with a custom binary protocol, supports a connect-back and interactive debug mode, and stores its obfuscated configuration in the final 512 bytes of the ELF. Operators use anti-analysis techniques, process masquerading and file-moving/deletion routines; a forked watchdog can relaunch the payload if the parent process disappears.
read more →

Legacy Flaws in Network Edge Devices Threaten Orgs Today

🔒 Enterprises' network edge devices — firewalls, VPNs, routers, and email gateways — are increasingly being exploited due to longstanding 1990s‑era flaws such as buffer overflows, command and SQL injections. Researchers tracked dozens of zero‑day exploits in 2024 and continuing into 2025 that affected vendors including Fortinet, Palo Alto Networks, Cisco, Ivanti, and others. These appliances are attractive targets because they are remotely accessible, often lack endpoint protections and centralized logging, and hold privileged credentials, making them common initial access vectors for state‑affiliated actors and ransomware groups.
read more →

North Korean Hackers Merge BeaverTail and OtterCookie

🔐 Cisco Talos reports that a North Korean-linked threat cluster has blended features of its BeaverTail and OtterCookie JavaScript malware families, with recent OtterCookie variants adding keylogging, screenshot capture, and clipboard monitoring. The intrusion chain observed involved a trojanized Node.js application called Chessfi and a malicious npm dependency published on August 20, 2025 that executed postinstall hooks to launch multi-stage payloads. Talos tied the activity to the Contagious Interview recruitment scam and highlighted continued modularization and abuse of legitimate open-source packages and public Git hosting to distribute malicious code.
read more →

Zero Disco: Fileless Rootkits Target Legacy Cisco Switches

⚠️Threat actors exploited a Cisco SNMP vulnerability (CVE-2025-20352) to achieve remote code execution on legacy IOS XE switches and install custom, largely fileless Linux rootkits that hook into the IOSd memory space, set universal passwords (including one containing 'Disco'), and hide processes and network activity. The rootkits spawn a UDP-based controller to toggle or zero logs, bypass access controls, and reset running-config timestamps to mask changes. Trend Micro also observed spoofed IP/MAC addresses and attempts to combine a retooled Telnet memory-access exploit to deepen persistence.
read more →

Hackers Deploy Rootkit via Cisco SNMP Zero-Day on Switches

⚠️Threat actors exploited a recently patched SNMP remote code execution flaw (CVE-2025-20352) in older Cisco IOS and IOS XE devices to deploy a persistent Linux rootkit. Trend Micro reports the campaign targeted unprotected 9400, 9300 and legacy 3750G switches and has been tracked as Operation Zero Disco, named for the universal password that contains 'disco'. The implant can disable logging, bypass AAA and VTY ACLs, hide running-configuration items and enable lateral movement; researchers recommend low-level firmware and ROM-region checks when compromise is suspected.
read more →

Ransomware Victim Responses and Human Impact Analysis

🔒 Ransomware attacks inflict both operational and deep personal harm, often devastating small businesses lacking cash reserves and cybersecurity expertise. Research underscores lasting trauma, exhaustion, and financial ruin that can outlast technical recovery. Organizations should pair an incident response plan with compassionate leadership and employee support. Cisco Talos also warns of evolving supply‑chain campaigns targeting developers and job seekers, reinforcing the need for layered defenses.
read more →

Cisco SNMP Rootkit Campaign Targets Network Devices

🔒 Trend Micro detailed a campaign exploiting CVE-2025-20352 that installed Linux rootkits on exposed Cisco switches and routers, enabling persistent unauthorized access. The attackers combined an SNMP remote code execution with a modified Telnet flaw (based on CVE-2017-3881) to read and write device memory and deploy fileless backdoors. Affected models include Cisco 9400, 9300 and legacy 3750G series. Device owners should apply Cisco patches, disable or harden SNMP and restrict management access.
read more →

Attackers Use Cisco SNMP Flaw to Deploy Linux Rootkits

🛡️ Researchers disclosed a campaign, Operation Zero Disco, that exploited a recently patched SNMP stack overflow (CVE-2025-20352) in Cisco IOS and IOS XE devices to deploy Linux rootkits on older, unprotected switches. The attackers achieved remote code execution and persistence by installing hooks into IOSd memory and setting universal passwords that include the string "disco." Targets included legacy 3750G and 9300/9400 series devices lacking EDR protections.
read more →

Merged BeaverTail and OtterCookie Tooling Observed in Attacks

🔍 Talos uncovered a campaign linked to the DPRK-aligned cluster Famous Chollima that used a trojanized Node.js package and a malicious VS Code extension to deliver merged BeaverTail and OtterCookie tooling. The combined JavaScript payloads include a newly observed keylogger and screenshot module alongside clipboard theft, targeted file exfiltration, remote shell access, and cryptocurrency extension stealing. Indicators, C2 addresses, Snort/ClamAV detections, and mitigation guidance are provided.
read more →

Leading Incident Response Through Empathy and Care

🛡️ Laura Faria, an incident commander with Cisco Talos Incident Response, discusses leading through chaos, empathy, and teamwork during high-pressure security incidents. She traces a career across multiple cybersecurity vendors and sales roles before joining Talos and stepping into incident command. Laura emphasizes purpose-driven response work, particularly when outages affect critical infrastructure and patient safety. The interview highlights resilience, collaboration, and practical leadership lessons.
read more →

OpenPLC and Planet WGR-500: Multiple Vulnerabilities

⚠️ Cisco Talos disclosed vulnerabilities affecting OpenPLC and the Planet WGR-500 industrial router, including a ModbusTCP denial-of-service and multiple critical flaws in HTTP-handling functions. The OpenPLC issue (TALOS-2025-2223 / CVE-2025-53476) can be triggered by a crafted series of TCP connections to exhaust the ModbusTCP server. Planet WGR-500 vulnerabilities (TALOS-2025-2226–2229 / CVE-2025-54399–54406, CVE-2025-48826) include stack-based buffer overflows, format string, and OS command injection flaws that may lead to memory corruption or arbitrary command execution.
read more →

Microsoft October 2025 Patch Tuesday: Key Fixes & Rules

🛡️ Microsoft’s October 2025 Patch Tuesday addresses 175 Microsoft CVEs and 21 non‑Microsoft CVEs, including 17 rated critical and 11 marked important, with three already observed exploited in the wild. Talos highlights active exploitation of CVE-2025-24990 (Agere Modem driver), CVE-2025-59230 (Remote Access Connection Manager), and CVE-2025-47827 (IGEL OS Secure Boot bypass) and urges prompt remediation. Cisco Talos also published new Snort rules to detect many of these exploits and recommends updating patches, removing unsupported drivers, and refreshing IDS/IPS signatures.
read more →

Rust-Based ChaosBot Backdoor Uses Discord for C2 Operations

🔒 eSentire disclosed a Rust-based backdoor named ChaosBot that leverages Discord channels for command-and-control, allowing operators to perform reconnaissance and execute arbitrary commands on compromised systems. The intrusion, first observed in late September 2025 at a financial services customer, began after attackers used compromised Cisco VPN credentials and an over-privileged Active Directory service account via WMI. Distribution included phishing LNK files that launch PowerShell and display a decoy PDF, while the payload sideloads a malicious DLL through Microsoft Edge to deploy an FRP reverse proxy. ChaosBot supports commands to run shells, capture screenshots, and transfer files, and newer variants employ ETW patching and VM detection to evade analysis.
read more →

Rockwell Automation Lifecycle Services SNMP Overflow

⚠️ Rockwell Automation reports a stack-based buffer overflow in its Lifecycle Services with Cisco offerings related to the Cisco IOS XE SNMP subsystem (CVE-2025-20352). An authenticated remote actor with low privileges can trigger a denial-of-service, and an actor with higher privileges and administrative access may achieve arbitrary code execution as root. A CVSS v4 score of 6.3 and a CVSS v3 score of 7.7 are provided. Rockwell and Cisco publish updates and mitigations; CISA advises minimizing network exposure and applying vendor fixes or recommended workarounds.
read more →

Velociraptor Abused in Ransomware Attacks by Storm-2603

🔐 Cisco Talos confirmed ransomware operators abused Velociraptor, an open-source DFIR endpoint tool, to gain arbitrary command execution in August 2025 by deploying an outdated agent vulnerable to CVE-2025-6264. Talos links the activity with moderate confidence to Storm-2603 based on overlapping tooling and TTPs. Operators used the tool to stage lateral movement, deploy fileless PowerShell encryptors, and deliver multiple ransomware families, severely disrupting VMware ESXi and Windows servers.
read more →

Spike in Scanning Targets Palo Alto Login Portals Globally

🔍 GreyNoise observed a nearly 500% surge in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, jumping from about 200 to roughly 1,300 unique IPs. The firm classified 93% of those IPs as suspicious and 7% as malicious, with most activity geolocated to the U.S. and smaller clusters in the U.K., the Netherlands, Canada and Russia. GreyNoise noted the traffic was targeted and structured and shared a dominant TLS fingerprint with recent Cisco ASA scans.
read more →

New Chinese Group Hijacks IIS Servers for SEO Fraud

🔍 Cisco Talos warns a Chinese‑speaking threat group tracked as UAT-8099 is actively compromising misconfigured Microsoft IIS servers to run SEO fraud and harvest high-value data. The actors favor high-reputation domains in universities, technology firms, and telecom providers across India, Thailand, Vietnam, Canada and Brazil to reduce detection. They exploit unrestricted file uploads to install web shells, escalate a guest account to admin, enable RDP and deploy the BadIIS SEO malware, then persist with hidden accounts and VPN/backdoor tools. Talos has published indicators and mitigation guidance, including blocking script execution in upload folders, disabling RDP and enabling MFA.
read more →