< ciso
brief />
Tag Banner

All news with #cisco tag

237 articles · page 3 of 12

Unplug to Improve Focus: Physical Hobbies Aid Devs

🌳 The Threat Source newsletter urges cybersecurity professionals to step away from screens and engage in tactile hobbies to reset mental focus and foster creative problem solving. The author describes a miniature‑painting session at the office and recommends simple anchors — walking, knitting, building a keyboard — to refresh cognition. Separately, Cisco Talos flags a rise in phone‑number‑based scam infrastructure and urges clustering of telephony IOCs.
read more →

Cisco DoS Bug Requires Manual Reboot to Recover Devices

⚠️ Cisco released patches for a high-severity denial-of-service vulnerability (CVE-2026-20188) affecting Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO). The issue stems from inadequate rate limiting on incoming connections and can be exploited remotely by unauthenticated actors to exhaust connection resources and crash systems. Affected releases include CNC 7.1 and earlier and NSO 6.3 and earlier; fixed releases and mitigations are detailed in Cisco's advisory. Cisco's PSIRT says it is not aware of active exploitation but strongly urges customers to upgrade to patched software to avoid manual reboots and service disruption.
read more →

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔐 Cisco Talos has observed the CloudZ RAT paired with a previously undocumented plugin, Pheno, harvesting SMS messages and one-time passwords by abusing Microsoft's Phone Link functionality. Pheno scans for Phone Link processes and confirms active paired sessions before extracting synced SMS content from local SQLite files, allowing attackers to capture OTPs without touching the victim's mobile device. Observed since January 2026, the campaign uses a Rust loader, a .NET payload deployed via regasm.exe, and multiple anti-analysis techniques; Talos published IoCs and ClamAV signatures to aid detection.
read more →

Analysis of Phone Number Clustering and Reuse in Scam Emails

📞 Cisco Talos analyzed phone numbers extracted from scam emails and found that API-driven VoIP provisioning enables large-scale, low-cost operations that are difficult to trace. Attackers rotate through sequential DID blocks, use cool-down windows, and frequently recycle numbers across multiple lures and attachment types. In a Feb 26–Mar 31, 2026 dataset of 1,652 numbers, the median lifespan was ~14 days; Sinch was the most abused provider. Talos recommends using phone numbers as anchors for cross-channel threat mapping.
read more →

CloudZ RAT Exploits Windows Phone Link to Steal OTPs

🔒 Cisco Talos researchers disclosed an intrusion leveraging the CloudZ remote access tool and an undocumented plugin named Pheno to harvest credentials and one‑time passwords. The attackers abused Microsoft's Phone Link PC-to-phone bridge to monitor SMS/OTP data without deploying malware on the mobile device. The campaign, active since at least January 2026, uses a fake ConnectWise ScreenConnect dropper, a .NET loader and modular plugins to establish persistence and encrypted C2 communications.
read more →

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.
read more →

UAT-8302: China-Nexus APT Targeting Government Networks

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.
read more →

Talos Year in Review: Five Priorities for Defenders

🔐 Cisco Talos’ Year in Review, authored by Hazel Burton, highlights how lower barriers to attack and rapid proof-of-concept development are stressing defenders. The report shows attackers increasingly rely on valid accounts, credential abuse, and management-plane targets while still producing detectable anomalous behavior. Recommended priorities include hardening IAM, prioritizing patching by exposure, improving visibility into legacy components, and securing systems that broker trust.
read more →

Persistent 'Firestarter' Backdoor Hits Cisco Firewalls

🛡️ Security teams are being urged to inspect Cisco ASA and Firepower devices following discovery of a resilient backdoor called Firestarter that can persist after patching and survive normal reboots. CISA and the UK’s NCSC recommend generating a core dump and running their published YARA rules (or scanning a disk image) to detect the implant. If an infection is confirmed, the advisory states the device must be physically disconnected from all power sources, including redundant and backup supplies, for at least one minute or be fully reimaged — a standard reboot or power cycle is not sufficient.
read more →

Weekly Cyber Recap: Fast16, XChat, FIRESTARTER Threats

⚠️ This week’s recap shows old techniques resurfacing alongside sophisticated new tooling that targets supply chains, enterprise remote access, and AI agents. Analysts detail fast16, a Lua-based framework predating Stuxnet that targets high-precision simulation software, and multiple active campaigns including help-desk impersonation by UNC6692 and the persistent FIRESTARTER backdoor in Cisco Firepower. Expect urgent patching, scrutiny of browser extensions and CI/CD components, and tighter monitoring of remote access and build pipelines.
read more →

Firestarter Backdoor Survives Cisco Firewall Patches

🔥 A custom backdoor named Firestarter has been observed persisting on Cisco Firepower and Secure Firewall devices running ASA or FTD software, surviving reboots, firmware updates, and security patches. U.S. CISA and the U.K. NCSC link the activity to a threat actor tracked as UAT-4356, which exploited CVE-2025-20333 and CVE-2025-20362. Cisco recommends reimaging and upgrading affected devices; administrators can check compromise with show kernel process | include lina_cs, and CISA published YARA rules and mitigation guidance.
read more →

FIRESTARTER Backdoor Persists on Cisco ASA/Firepower

🔒 CISA and the U.K. NCSC disclosed that a federal civilian agency's Cisco Firepower device running ASA firmware was compromised in September 2025 by a persistent backdoor dubbed FIRESTARTER. The ELF bootkit alters the startup mount list and attempts to hook LINA to execute arbitrary shellcode and sustain post-patching persistence. Cisco recommends reimaging; a cold power cycle is a temporary mitigation.
read more →

Forever Student Mindset: AI, Phishing, and Q1 2026 Trends

🔍 Cisco Talos highlights Q1 2026 incident response trends, noting phishing has reclaimed the top initial access vector and adversaries are using AI platforms like Softr to rapidly create convincing credential-harvesting pages. Talos IR reported zero completed ransomware deployments this quarter due to swift mitigation, though pre-ransomware activity still accounted for 18% of engagements. The team warns attackers increasingly abuse legitimate developer tools and cloud APIs to quietly hunt exposed secrets, complicating detection. Organizations should enforce MFA with restricted self-enrollment, centralize logging in a SIEM, and prioritize patch management to preserve forensic evidence and reduce risk.
read more →

UAT-4356 Targets Cisco Firepower with FIRESTARTER Backdoor

🔐 Cisco Talos reports that UAT-4356 exploited FXOS n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to deploy a custom backdoor named FIRESTARTER on Cisco Firepower, ASA and FTD appliances. The implant injects into the LINA process, replaces a WebVPN XML handler, and executes shellcode delivered via specially crafted requests. Operators should follow Cisco advisories for detection, remediation and recommended software upgrades.
read more →

CISA Malware Analysis: FIRESTARTER Backdoor on Cisco

🔒 CISA and the U.K. NCSC analyzed a sample of the FIRESTARTER Linux ELF backdoor affecting Cisco Firepower and Secure Firewall devices running ASA/FTD. The agency assesses the malware provides persistent remote access, installs a hook into LINA to execute arbitrary shellcode, and can survive firmware updates and reboots. CISA provides YARA rules for detection and directs U.S. FCEB agencies to collect and submit core dumps per V1: ED 25-03, and to await further guidance.
read more →

CISA Warns of FIRESTARTER Targeting Cisco ASA Devices

🔒 CISA published a malware analysis on FIRESTARTER, a backdoor that enables remote access and persistent control of Cisco Firepower and Secure Firewall devices running ASA or FTD software. The report, co-sealed with NCSC-UK, attributes exploitation to an APT using CVE-2025-20333 and CVE-2025-20362. CISA issued Emergency Directive 25-03 requiring FCEB agencies to identify affected devices, collect forensic data, apply vendor updates, and report findings to mitigate ongoing risk.
read more →

macOS LOTL Techniques Enable Stealthy Enterprise Attacks

🔍 Cisco Talos research (published 21 April) details how attackers are repurposing native macOS features to execute code, move laterally and evade detection across enterprise environments. Built-in capabilities such as Remote Application Scripting (RAS), Spotlight metadata and AppleScript can be abused to run commands, hide payloads and perform covert data transfer. The findings show gaps in visibility and recommend shifting to process-lineage analysis and tighter MDM controls to reduce exposure.
read more →

CISA flags new SD-WAN flaw as actively exploited in attacks

⚠️ CISA has flagged an information-disclosure vulnerability in Catalyst SD-WAN Manager (CVE-2026-20133) as actively exploited and gave federal agencies four days to secure affected systems. Cisco released patches in late February, stating the flaw is caused by insufficient file system access restrictions that can allow unauthenticated API access to sensitive OS information. CISA added the issue to its Known Exploited Vulnerabilities Catalog on April 20 and directed agencies to follow Emergency Directive 26-03 and Cisco hardening guidance or discontinue affected cloud services if mitigations are unavailable.
read more →

CISA Adds Eight Exploited Flaws to KEV Catalog, Fixes Needed

⚠️ CISA added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation and highlighting three flaws in Cisco Catalyst SD-WAN Manager. The list includes high-impact issues such as CVE-2025-32975 (Quest KACE SMA, CVSS 10.0) and authentication, path traversal, and XSS flaws in PaperCut, TeamCity, Kentico, and Zimbra. CISA noted prior ties of CVE-2023-27351 to Lace Tempest and recent Arctic Wolf telemetry on KACE abuse; Cisco confirmed active exploitation of two SD-WAN flaws in March 2026. Federal civilian agencies are urged to remediate the three Cisco vulnerabilities by April 23, 2026, and the remaining flaws by May 4, 2026.
read more →

Flawed Cisco Update Risks Blocking AP Firmware Patches

⚠️ Cisco issued an IOS XE library update that causes a specific log file on many Catalyst and Wi‑Fi 6 access points to grow by about 5MB per day, potentially filling flash and preventing future firmware upgrades. Administrators should run Cisco’s WLANPoller tool or manually inspect the boot partition with show boot and perform mandatory prechecks close to maintenance windows. If flash is already exhausted an AP may require reboot, manual cleanup, vendor emergency script, or physical intervention to avoid being bricked.
read more →