ciso brief

All news with #cisco tag

209 articles · page 7 of 11

How Cisco Talos Powers Security Across Cisco Products

🔐 Cisco Talos is the threat intelligence and security research arm that underpins Cisco's defensive products. Its telemetry-driven intelligence feeds reputation and detection services across the portfolio, including SNORT and SnortML for deep packet inspection and zero-day detection. Talos also powers web and DNS filtering, email threat prevention, layered malware protection, and investigative tooling such as Orbital and Talos IR.

SASE Certifications: Validating Converged Network Security

🔐 This article outlines seven certification programs from leading vendors that validate skills in converged, cloud-native Secure Access Service Edge (SASE) architectures. It summarizes entry- to professional-level credentials from Cato Networks, Cisco, Fortinet, Netskope, Palo Alto Networks, Versa, and Zscaler, highlighting target audiences, exam formats, costs, and key competencies such as SD‑WAN, ZTNA, CASB and FWaaS. The piece also notes Gartner’s market projection and emphasizes that these credentials address a widening skills gap as enterprises migrate from perimeter-based defenses.

Weekly Recap - Firewall Exploits, AI Data Theft and More

⚡ Over the past week attackers exploited flaws in edge and network products from Fortinet, SonicWall, Cisco, and WatchGuard, targeting firewalls and appliances to gain deeper access. Browser extensions and Android TVs were abused for data theft and botnet recruitment. Campaigns by groups such as Ink Dragon, Kimsuky, and LongNosedGoblin deployed implants and innovative delivery chains, highlighting the urgent need for rapid patching, inventory verification, and tighter controls on trusted systems.

Credential-based attacks target Cisco and Palo Alto VPNs

🔒 Security researchers observed a coordinated credential-stuffing campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect portals over a two-day span in mid-December. GreyNoise reported millions of automated login sessions from more than 10,000 unique IPs, using a consistent TCP fingerprint and a Firefox-like user agent. The activity did not exploit software flaws but instead relied on large-scale username/password probes. Analysts urged enforcing strong passwords and MFA, auditing exposed edge devices, and leveraging threat-intel blocklists to filter malicious traffic.

Cisco Confirms Zero-Day in Secure Email Appliances

⚠️ Cisco Talos has identified an active campaign exploiting a zero-day in AsyncOS, impacting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The flaw targets systems with the spam quarantine feature enabled and has been active since at least late November; a vendor patch is not yet available. Cisco currently recommends wiping and rebuilding compromised devices, and analysts urge restricting access to management ports and deploying compensating controls while organizations plan remediation.

Large Password-Spraying Campaign Targets Cisco, PAN VPNs

🔐 An automated password-spraying campaign is targeting multiple VPN platforms, with credential-based attacks observed against Palo Alto Networks GlobalProtect portals and Cisco SSL VPN gateways. GreyNoise recorded login attempts peaking at 1.7 million over 16 hours from more than 10,000 unique IPs, largely originating from the 3xK GmbH hosting space. The actor reused common username/password combinations and used an unusual Firefox user agent, indicating scripted credential probing rather than exploitation. Administrators are advised to enforce strong passwords, enable MFA, audit appliances, and block known malicious IPs.

Cisco: Zero-day Exploitation of Secure Email Appliances

⚠️ Cisco warns that a China-linked actor is actively exploiting a previously unknown zero-day in its Secure Email appliances to gain persistent access when the Spam Quarantine feature is enabled and exposed to the internet. Cisco Talos reports activity since at least late November and says no patch is available. In confirmed compromises, Cisco advises wiping and rebuilding affected appliances to remove persistence; organizations should immediately restrict access to management ports and apply compensating controls while awaiting a fix.

Cisco warns of exploited AsyncOS zero-day CVE-2025-20393

🚨 Cisco has warned of a maximum-severity zero-day in AsyncOS (CVE-2025-20393) that is actively exploited by a China-nexus APT tracked as UAT-9686. The flaw carries a CVSS score of 10.0 and can allow arbitrary command execution as root when the Spam Quarantine feature is enabled and reachable from the internet. Cisco observed attacks since late November 2025 and advises isolating affected appliances, restricting internet access, tightening authentication, monitoring web logs, and rebuilding compromised units until a patch is available.

Cisco Talos: Libbiosig, Grassroot DiCoM, and step-ca Flaws

🔔 Cisco Talos disclosed multiple vulnerabilities affecting libbiosig, Grassroot DiCoM, and Smallstep step-ca. The issues include stack-based buffer overflows in libbiosig’s MFER parser that may allow arbitrary code execution, several out-of-bounds reads in DiCoM that can leak sensitive data, and an authentication bypass in step-ca enabling unauthorized certificate issuance. Vendors have released patches in accordance with Cisco’s disclosure policy; administrators should apply updates promptly and obtain the latest Snort rule sets to detect exploitation attempts.

Chinese-nexus APT UAT-9686 Targets Cisco AsyncOS Appliances

🔒 Cisco Talos identified a targeted campaign, tracked as UAT-9686, that compromises appliances running Cisco AsyncOS, including Secure Email Gateway and Secure Email and Web Manager. The actor, assessed as a Chinese-nexus APT, deployed a Python backdoor called AquaShell that decodes specially crafted HTTP POSTs and executes system shell commands after being placed in a web server file. Operators also used a Go-based reverse SSH tool (AquaTunnel), Chisel for tunneling, and a log wiper named AquaPurge. Cisco has published advisories and recommends following remediation guidance and opening cases with TAC if IOCs are observed.

CISA Adds Three CVEs to Known Exploited Vulnerabilities

🔔 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-20393 (Cisco multiple products, improper input validation), CVE-2025-40602 (SonicWall SMA1000, missing authorization), and CVE-2025-59374 (ASUS Live Update, embedded malicious code). These flaws are frequent attack vectors that pose significant risks to federal and nonfederal organizations. Agencies covered by BOD 22-01 must remediate by the required due dates; CISA urges all organizations to prioritize mitigation.

Microsoft Patch Tuesday December 2025: 57 Vulnerabilities

🛡️ Microsoft released its December 2025 Patch Tuesday addressing 57 vulnerabilities, two labeled as critical and the remainder as important. Cisco Talos notes Microsoft assessed exploitation of the two critical issues as less likely, while several important flaws are considered more likely to be attacked. Talos published Snort and Snort 3 rules to detect exploitation attempts and recommends updating firewall SRUs and applying vendor patches promptly.

Talos Discloses Multiple Dell, Lasso, GL.iNet Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities across Dell ControlVault, the Entr'ouvert Lasso SAML library, and the GL.iNet Slate AX travel router. Issues range from a hard-coded password and privilege escalation in ControlVault to memory corruption and buffer overflows that can enable arbitrary code execution, a type confusion bug and DoS in Lasso, and an OTA firmware downgrade in GL.iNet. Vendors have issued patches under Cisco’s disclosure policy and Snort rule updates are available to detect exploitation. Administrators should apply vendor updates, verify OTA integrity mechanisms, and deploy IDS signatures promptly.

Care That You Share: Holiday Risks and Mitigations

🛡️ This edition of Talos Threat Source urges a simple behavioral shift: practice care in what, how, and why you share information during the holiday season and beyond. The briefing highlights operational pressures as teams run lean and attackers intensify phishing and supply‑chain campaigns, and it outlines practical changes such as retiring obsolete ClamAV signatures and encouraging feature‑release container tags for better security maintenance. Thoughtful, timely sharing of tips, IOCs, and status updates can materially improve collective resilience when resources are constrained.

Snort3 Adds Severity-Based Rule Grouping for Flexibility

🔔 Cisco Talos has introduced a new Severity rule group for Snort3 in Cisco Secure Firewall, grouping detection rules by CVSS-derived severity tiers (low, medium, high, critical). Administrators can set coverage by time range — from the last two years up to all historical vulnerabilities — to balance detection depth and performance. This makes it easier to align rules with patch cycles, compliance needs, and organizational risk priorities while reducing manual tuning.

Viasat KA-SAT Attack and Satellite Cybersecurity Lessons

🛰️ Cisco Talos revisits the Feb. 24, 2022 KA‑SAT incident where attackers abused a VPN appliance vulnerability to access management systems and deploy the AcidRain wiper. The malware erased modem and router firmware and configs, disrupting satellite communications for many Ukrainian users and unexpectedly severing remote monitoring for ~5,800 German Enercon wind turbines. The piece highlights forensic gaps, links to VPNFilter-era tooling, and the operational choices defenders face when repair or replacement is on the table.

Zero-day Campaign Targets Cisco ISE and Citrix Systems

🔒 Amazon Threat Intelligence disclosed an advanced APT campaign that weaponized zero-day vulnerabilities in Citrix NetScaler (Citrix Bleed 2, CVE-2025-5777) and Cisco Identity Services Engine (CVE-2025-20337). Attackers achieved pre-auth remote code execution via input-validation and deserialization flaws and deployed an in-memory web shell masquerading as the ISE IdentityAuditAction component. The implant registered as a Tomcat HTTP listener, used DES with nonstandard Base-64 encoding, required specific HTTP headers, and relied on Java reflection and bespoke decoding routines to evade detection.

CISA Orders Feds to Patch Actively Exploited Cisco Flaws

🔒 CISA has ordered U.S. federal agencies to fully patch two actively exploited vulnerabilities in Cisco firewall appliances within 24 hours. Tracked as CVE-2025-20362 and CVE-2025-20333, the flaws permit unauthenticated access to restricted URL endpoints and remote code execution; chained together they can yield full device takeover. The agency emphasized applying the latest updates to all ASA and Firepower devices immediately, not just Internet-facing units.

Kraken Ransomware: Cross-Platform Big-Game Hunting

🐙 Kraken is a Russian-speaking ransomware group active since February 2025 that conducts double-extortion, big-game hunting campaigns across multiple regions. In a documented intrusion Talos observed, attackers exploited SMB flaws for access, used Cloudflared for persistence, exfiltrated data via SSHFS, then deployed cross-platform encryptors for Windows, Linux and ESXi. The family includes on-host benchmarking to tune encryption, and Talos maps detections and IOCs to Cisco protections to aid response.

ThreatsDay Bulletin: Key Cybersecurity Developments

🔐 This ThreatsDay Bulletin surveys major cyber activity shaping November 2025, from exploited Cisco zero‑days and active malware campaigns to regulatory moves and AI-related leaks. Highlights include CISA's emergency directive after some Cisco updates remained vulnerable, a large-scale study finding 65% of AI firms leaked secrets on GitHub, and a prolific phishing operation abusing Facebook Business Suite. The roundup stresses practical mitigations—verify patch versions, enable secret scanning, and strengthen incident reporting and red‑teaming practices.