All news with #cisco tag

🔒 Ransomware attacks inflict both operational and deep personal harm, often devastating small businesses lacking cash reserves and cybersecurity expertise. Research underscores lasting trauma, exhaustion, and financial ruin that can outlast technical recovery. Organizations should pair an incident response plan with compassionate leadership and employee support. Cisco Talos also warns of evolving supply‑chain campaigns targeting developers and job seekers, reinforcing the need for layered defenses.

🔒 Trend Micro detailed a campaign exploiting CVE-2025-20352 that installed Linux rootkits on exposed Cisco switches and routers, enabling persistent unauthorized access. The attackers combined an SNMP remote code execution with a modified Telnet flaw (based on CVE-2017-3881) to read and write device memory and deploy fileless backdoors. Affected models include Cisco 9400, 9300 and legacy 3750G series. Device owners should apply Cisco patches, disable or harden SNMP and restrict management access.

🛡️ Researchers disclosed a campaign, Operation Zero Disco, that exploited a recently patched SNMP stack overflow (CVE-2025-20352) in Cisco IOS and IOS XE devices to deploy Linux rootkits on older, unprotected switches. The attackers achieved remote code execution and persistence by installing hooks into IOSd memory and setting universal passwords that include the string "disco." Targets included legacy 3750G and 9300/9400 series devices lacking EDR protections.

🔍 Talos uncovered a campaign linked to the DPRK-aligned cluster Famous Chollima that used a trojanized Node.js package and a malicious VS Code extension to deliver merged BeaverTail and OtterCookie tooling. The combined JavaScript payloads include a newly observed keylogger and screenshot module alongside clipboard theft, targeted file exfiltration, remote shell access, and cryptocurrency extension stealing. Indicators, C2 addresses, Snort/ClamAV detections, and mitigation guidance are provided.

🛡️ Laura Faria, an incident commander with Cisco Talos Incident Response, discusses leading through chaos, empathy, and teamwork during high-pressure security incidents. She traces a career across multiple cybersecurity vendors and sales roles before joining Talos and stepping into incident command. Laura emphasizes purpose-driven response work, particularly when outages affect critical infrastructure and patient safety. The interview highlights resilience, collaboration, and practical leadership lessons.

⚠️ Cisco Talos disclosed vulnerabilities affecting OpenPLC and the Planet WGR-500 industrial router, including a ModbusTCP denial-of-service and multiple critical flaws in HTTP-handling functions. The OpenPLC issue (TALOS-2025-2223 / CVE-2025-53476) can be triggered by a crafted series of TCP connections to exhaust the ModbusTCP server. Planet WGR-500 vulnerabilities (TALOS-2025-2226–2229 / CVE-2025-54399–54406, CVE-2025-48826) include stack-based buffer overflows, format string, and OS command injection flaws that may lead to memory corruption or arbitrary command execution.

🛡️ Microsoft’s October 2025 Patch Tuesday addresses 175 Microsoft CVEs and 21 non‑Microsoft CVEs, including 17 rated critical and 11 marked important, with three already observed exploited in the wild. Talos highlights active exploitation of CVE-2025-24990 (Agere Modem driver), CVE-2025-59230 (Remote Access Connection Manager), and CVE-2025-47827 (IGEL OS Secure Boot bypass) and urges prompt remediation. Cisco Talos also published new Snort rules to detect many of these exploits and recommends updating patches, removing unsupported drivers, and refreshing IDS/IPS signatures.

🔒 eSentire disclosed a Rust-based backdoor named ChaosBot that leverages Discord channels for command-and-control, allowing operators to perform reconnaissance and execute arbitrary commands on compromised systems. The intrusion, first observed in late September 2025 at a financial services customer, began after attackers used compromised Cisco VPN credentials and an over-privileged Active Directory service account via WMI. Distribution included phishing LNK files that launch PowerShell and display a decoy PDF, while the payload sideloads a malicious DLL through Microsoft Edge to deploy an FRP reverse proxy. ChaosBot supports commands to run shells, capture screenshots, and transfer files, and newer variants employ ETW patching and VM detection to evade analysis.

⚠️ Rockwell Automation reports a stack-based buffer overflow in its Lifecycle Services with Cisco offerings related to the Cisco IOS XE SNMP subsystem (CVE-2025-20352). An authenticated remote actor with low privileges can trigger a denial-of-service, and an actor with higher privileges and administrative access may achieve arbitrary code execution as root. A CVSS v4 score of 6.3 and a CVSS v3 score of 7.7 are provided. Rockwell and Cisco publish updates and mitigations; CISA advises minimizing network exposure and applying vendor fixes or recommended workarounds.

🔐 Cisco Talos confirmed ransomware operators abused Velociraptor, an open-source DFIR endpoint tool, to gain arbitrary command execution in August 2025 by deploying an outdated agent vulnerable to CVE-2025-6264. Talos links the activity with moderate confidence to Storm-2603 based on overlapping tooling and TTPs. Operators used the tool to stage lateral movement, deploy fileless PowerShell encryptors, and deliver multiple ransomware families, severely disrupting VMware ESXi and Windows servers.

🔍 GreyNoise observed a nearly 500% surge in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, jumping from about 200 to roughly 1,300 unique IPs. The firm classified 93% of those IPs as suspicious and 7% as malicious, with most activity geolocated to the U.S. and smaller clusters in the U.K., the Netherlands, Canada and Russia. GreyNoise noted the traffic was targeted and structured and shared a dominant TLS fingerprint with recent Cisco ASA scans.

🔍 Cisco Talos warns a Chinese‑speaking threat group tracked as UAT-8099 is actively compromising misconfigured Microsoft IIS servers to run SEO fraud and harvest high-value data. The actors favor high-reputation domains in universities, technology firms, and telecom providers across India, Thailand, Vietnam, Canada and Brazil to reduce detection. They exploit unrestricted file uploads to install web shells, escalate a guest account to admin, enable RDP and deploy the BadIIS SEO malware, then persist with hidden accounts and VPN/backdoor tools. Talos has published indicators and mitigation guidance, including blocking script execution in upload folders, disabling RDP and enabling MFA.

🔍 A Chinese-speaking cybercrime group tracked as UAT-8099 is hijacking trusted Microsoft IIS servers worldwide to run SEO scams that redirect users to unauthorized adverts and illegal gambling sites. According to Cisco Talos, attackers exploit server vulnerabilities, upload web shells, and conduct reconnaissance before enabling the guest account, escalating privileges and activating RDP. For persistence they deploy SoftEther VPN, EasyTier and the FRP reverse proxy and install the BadIIS malware variants designed to evade detection.

🔐 Cisco Talos recently disclosed activity by a Chinese-speaking cybercrime group tracked as UAT-8099 that compromises legitimate Internet Information Services (IIS) web servers across several countries. The actors use automation, custom malware and persistence techniques to manipulate search results for profit and to exfiltrate sensitive data such as credentials and certificates. Talos notes the group maintains long-term access and actively protects compromised hosts from rival attackers. Organizations should hunt for signs of BadIIS, unauthorized web shells and anomalous RDP/VPN activity and share IOCs promptly.

🔍 Cisco Talos details UAT-8099, a Chinese-speaking cybercrime group that compromises reputable IIS servers to conduct SEO fraud and steal high-value credentials, certificates and configuration files. The actors exploit file-upload weaknesses to deploy ASP.NET web shells, enable RDP, create hidden administrative accounts and install VPN/reverse-proxy tools for persistence. They automate operations with custom scripts, deploy Cobalt Strike via DLL sideloading and install multiple BadIIS variants to manipulate search rankings and redirect mobile users to ads or gambling sites. Talos published IoCs, Snort/ClamAV signatures and mitigation guidance.

⚠ Cisco Talos disclosed five vulnerabilities in NVIDIA's CUDA Toolkit components and one use-after-free flaw in Adobe Acrobat Reader. The Nvidia issues affect tools like cuobjdump (12.8.55) and nvdisasm (12.8.90), where specially crafted fatbin or ELF files can trigger out-of-bounds writes, heap overflows, and potential arbitrary code execution. The Adobe bug (2025.001.20531) involves malicious JavaScript in PDFs that can reuse freed objects, leading to memory corruption and possible remote code execution if a user opens a crafted document.

⚠️More than 48,800 internet-exposed Cisco ASA and FTD appliances remain vulnerable to two remotely exploitable flaws, CVE-2025-20333 and CVE-2025-20362, that allow arbitrary code execution and access to restricted VPN endpoints. Cisco confirmed active exploitation began before patches were available and no workarounds exist. Administrators should restrict VPN web interface exposure, increase logging and monitoring for suspicious VPN activity, and apply vendor fixes immediately.

🛡️ Cisco firewalls were exploited in active zero-day attacks that delivered previously undocumented malware families including RayInitiator and LINE VIPER by chaining CVE-2025-20362 and CVE-2025-20333. Infrastructure and cloud environments faced major pressure this week: Cloudflare mitigated a record 22.2 Tbps DDoS while misconfigured Docker instances enabled ShadowV2 bot operations. Researchers also disclosed Supermicro BMC flaws that could allow malicious firmware implants, and ransomware actors increasingly abuse exposed AWS keys. Prioritize patching, firmware updates, and cloud identity hygiene now.

🔒 A Chinese state-sponsored group tracked as RedNovember carried out a global espionage campaign from June 2024 to July 2025, compromising defense contractors, government agencies, and major corporations by exploiting internet-facing network appliances. The attackers rapidly weaponized disclosed flaws in devices from SonicWall, Ivanti, Cisco, F5, Sophos, and Fortinet, often within 72 hours of public exploit code. They deployed Go-based tools including Pantegana, Cobalt Strike, and SparkRAT, and relied on open-source tooling and legitimate services to obfuscate attribution and maintain persistent access.

⚠️ CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on Sept. 29, 2025, citing evidence of active exploitation. The newly listed issues are CVE-2021-21311 (Adminer SSRF), CVE-2025-20352 (Cisco IOS/IOS XE stack overflow), CVE-2025-10035 (Fortra GoAnywhere deserialization), CVE-2025-59689 (Libraesva command injection), and CVE-2025-32463 (sudo untrusted-control vulnerability). Federal Civilian Executive Branch agencies must remediate these under BOD 22-01, and CISA urges all organizations to prioritize timely fixes as part of standard vulnerability management.