Cisco hackers likely taking steps to avoid identification | Computer Weekly

Cisco has shed more light on speculation that has gathered around a sudden drop in the number of hosts known to have been infected with a malware implant delivered through two zero-day vulnerabilities in its IOS XE software platform.

Late last week, scans conducted by threat researchers found many tens of thousands of hosts had been compromised, but over the weekend these numbers fell dramatically.

This prompted much discussion in the security community as to whether or not the unnamed threat actor behind the intrusions was moving to cover their tracks in some way, or whether they had somehow screwed up their operation.

In an update published on Monday 23 October, Cisco’s Talos research unit said it had now observed a second version of the malicious implant – deployed using the first version – which retains most of the same functionality but now includes a preliminary check for an HTTP authorisation header.

“The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems,” explained the Talos team.

“This header check is primarily used to thwart compromise identification using a previous version of the curl command provided by Talos. Based on the information assessed to date, we believe the addition of the header check in the implant likely resulted in a recent sharp decline in visibility of public-facing infected systems.

“We have updated the curl command listed under our guidance advisory to help enable identification of implant variants employing the HTTP header checks,” they added.
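The change Talos describes (a second implant version that only answers when a specific HTTP Authorization header is present) is exactly the kind of thing a host-checking script has to account for. The script below is an added example written for this page; it is not Cisco's or Talos' tooling. It sends the same request twice, once without and once with the Authorization header, and explains the outcome in terms of the two implant versions. The implant's URL path, the marker it returns and the header value are not on this page and are placeholders here; substitute the values from Cisco Talos' current guidance before use.

```python
"""Check IOS XE web-UI hosts for a header-gated implant variant (added example).

Rationale (from the Talos update quoted in the article): implant v1 replies to a
plain probe; v2 first checks for an HTTP Authorization header, so a probe that
omits the header sees nothing and the host "disappears" from scans.  Probing both
ways keeps v2 hosts visible and tells you which variant you are looking at.
"""
import ssl
import urllib.error
import urllib.request

# --- placeholders: none of these values appear on the page; take them from
# --- Cisco Talos' published guidance before running against real devices.
IMPLANT_PATH = "/PLACEHOLDER_IMPLANT_PATH"      # ASSUMED: request path the implant answers on
IMPLANT_MARKER = "PLACEHOLDER_MARKER"           # ASSUMED: substring present in an implant reply
AUTH_HEADER_VALUE = "PLACEHOLDER_AUTH_VALUE"    # ASSUMED: Authorization value v2 expects


def build_request(host, with_header):
    """Build the probe request; with_header=True mirrors Talos' updated check."""
    req = urllib.request.Request(f"https://{host}{IMPLANT_PATH}", method="POST")
    if with_header:
        req.add_header("Authorization", AUTH_HEADER_VALUE)
    return req


def body_matches(body):
    """True when a response body contains the implant's marker string."""
    return body is not None and IMPLANT_MARKER in body


def classify(no_header_hit, with_header_hit):
    """Interpret the pair of probe results.

    no_header_hit   : marker seen when probing WITHOUT the Authorization header
    with_header_hit : marker seen when probing WITH the header
    """
    if no_header_hit:
        # v1 behaviour: visible to the original curl check as well
        return "infected: implant answers without header (v1-style)"
    if with_header_hit:
        # v2 behaviour: invisible to the original check, visible to the updated one
        return "infected: header-gated implant (v2-style); not seen by original check"
    return "no implant indicator observed"


def fetch_body(req, timeout=5.0):
    """Send one probe; return the body text, or None on any HTTP/network error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # device web UIs usually have self-signed certs
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return None


def check_host(host):
    """Run both probes against one host and return (host, verdict)."""
    plain = body_matches(fetch_body(build_request(host, with_header=False)))
    gated = body_matches(fetch_body(build_request(host, with_header=True)))
    return host, classify(plain, gated)


def summarize(verdicts):
    """Count how many hosts the original (header-less) check would have missed."""
    counts = {"visible_to_original_check": 0, "only_visible_with_header": 0, "clean": 0}
    for verdict in verdicts:
        if verdict.startswith("infected: implant answers"):
            counts["visible_to_original_check"] += 1
        elif verdict.startswith("infected: header-gated"):
            counts["only_visible_with_header"] += 1
        else:
            counts["clean"] += 1
    return counts


if __name__ == "__main__":
    import sys
    results = [check_host(h) for h in sys.argv[1:]]   # hosts you are authorised to check
    for host, verdict in results:
        print(f"{host}: {verdict}")
    print(summarize(v for _, v in results))
```

Run it as `python check_iosxe.py 192.0.2.10 192.0.2.11` against devices you administer. The `summarize` counts make the article's point concrete: hosts in the `only_visible_with_header` bucket are the ones that dropped out of scans that still used the header-less probe.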

Cisco continues to recommend that IOS XE users immediately implement its previously-published guidance, which still stands, and deploy the fixes outlined in its advisory, which became available on 22 October.

Meanwhile, the UK’s National Cyber Security Centre (NCSC) confirmed on 23 October that it was supporting a number of UK-based organisations known to have been affected, and was continuing to monitor the developing impact of the issues.

The NCSC is recommending following Cisco’s advice, paying particular attention to four priority actions:

  • Check for compromise using the detection methods and indicators of compromise (IoCs) from Cisco;
  • If affected (and UK-based), report this to the NCSC immediately;
  • Disable the HTTP server feature or restrict access to trusted networks on all internet-facing devices;
  • Upgrade to the latest version of Cisco IOS XE.
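The third NCSC action (disable the HTTP server feature, or restrict it to trusted networks) maps to a handful of IOS XE configuration lines. The fragment below is an added example, not text from Cisco's or the NCSC's advisories; the access-list name and the 10.0.0.0/24 management range are constructed for illustration.

```cisco
! Exposed configuration: web UI listening and reachable from any interface
ip http server
ip http secure-server

! Option 1 (preferred where the web UI is not needed): turn the service off
no ip http server
no ip http secure-server

! Option 2: keep the web UI but allow only a trusted management network
! (ACL name and 10.0.0.0/24 range are constructed placeholders)
ip access-list standard WEBUI-MGMT
 permit 10.0.0.0 0.0.0.255
 deny   any
ip http access-class ipv4 WEBUI-MGMT

! Verify the result before and after the change
show running-config | include ip http
```

Apply the change from a console or SSH session rather than from the web UI itself, and re-run the `show running-config | include ip http` check afterwards: if either `ip http server` or `ip http secure-server` is still present without an `access-class`, the interface remains reachable from untrusted networks.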

Network devices becoming popular targets

Jamie Brummell, chief technology officer at managed security services provider (MSSP) Socura, said that the targeting of Cisco appliances by malicious actors reflected broader trends and themes in the threat landscape.

“The Cisco zero-day continues the theme of threat actors targeting network appliances as a substitute for end-user devices. They are being forced to find alternatives to computers, smartphones and other employee devices which increasingly have EDR/EPP agents deployed,” he said.

“Network appliances, once exploited, are largely unprotected and their system logs are rarely monitored. They are often publicly accessible and have privileged access to the internal network. Even worse – especially with a router – they can be used to intercept or redirect traffic.

“Targeting a major company, like Cisco, could give attackers access to tens of thousands of endpoints. Good practice is to ensure access is limited to trusted sources, but in this case the exploitable web interface is enabled by default,” he added.
