State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). "UAT4356

Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services

Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024. "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Cisco Talos said. Successful attacks could

Russia Hackers Using TinyTurla-NG to Breach European NGO's Systems

The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG (TTNG). "The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions," Cisco

Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks

Threat actors are leveraging digital document publishing (DDP) sites hosted on platforms like FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for carrying out phishing, credential harvesting, and session token theft, once again underscoring how threat actors are repurposing legitimate services for malicious ends. "Hosting phishing lures on DDP sites increases the likelihood

TimbreStealer Malware Spreading via Tax-themed Phishing Scam Targets IT Users

Mexican users have been targeted with tax-themed phishing lures at least since November 2023 to distribute a previously undocumented Windows malware called TimbreStealer. Cisco Talos, which discovered the activity, described the authors as skilled and that the "threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that it's being likely exploited in Akira ransomware attacks. The vulnerability in question is CVE-2020-

Stealthy Zardoor Backdoor Targets Saudi Islamic Charity Organization

An unnamed Islamic non-profit organization in Saudi Arabia has been targeted as part of a stealthy cyber espionage campaign designed to drop a previously undocumented backdoor called Zardoor. Cisco Talos, which discovered the activity in May 2023, said the campaign has likely persisted since at least March 2021, adding it has identified only one compromised target to date, although it's

Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems

Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could permit an unauthenticated, remote attacker to execute arbitrary code on an affected device. Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from improper processing of user-provided data that a threat actor could abuse to send a

Cisco Fixes High-Risk Vulnerability Impacting Unity Connection Software

Cisco has released software updates to address a critical security flaw impacting Unity Connection that could permit an adversary to execute arbitrary commands on the underlying system. Tracked as CVE-2024-20272 (CVSS score: 7.3), the vulnerability is an arbitrary file upload bug residing in the web-based management interface and is the result of a lack of authentication in a specific

8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

The threat actors behind the 8Base ransomware are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks. The findings come from Cisco Talos, which has recorded an increase in activity carried out by the cybercriminals. “Most of the group’s Phobos variants are distributed by SmokeLoader, a backdoor trojan," security researcher Guilherme Venere said in an

Backdoor Implanted on Hacked Cisco Devices Modified to Evade Detection

The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices

Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor on Thousands of Devices

Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 (CVSS score: 10.0) as part of an exploit chain. "The

Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is tracked as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have the

Cisco Releases Urgent Patch to Fix Critical Flaw in Emergency Responder Systems

Cisco has released updates to address a critical security flaw impacting Emergency Responder that allows unauthenticated, remote attackers to sign into susceptible systems using hard-coded credentials. The vulnerability, tracked as CVE-2023-20101 (CVSS score: 9.8), is due to the presence of static user credentials for the root account that the company said is usually reserved for use during

Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts

Cisco is warning of attempted exploitation of a security flaw in its IOS Software and IOS XE Software that could permit an authenticated remote attacker to achieve remote code execution on affected systems. The medium-severity vulnerability is tracked as CVE-2023-20109, and has a CVSS score of 6.6. It impacts all versions of the software that have the GDOI or G-IKEv2 protocol enabled. The

ShroudedSnooper's HTTPSnoop Backdoor Targets Middle East Telecom Companies

Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop. "HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the

Cybercriminals Weaponizing Legitimate Advanced Installer Tool in Crypto-Mining Attacks

A legitimate Windows tool used for creating software packages called Advanced Installer is being abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021. "The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses

Cisco Issues Urgent Fix for Authentication Bypass Bug Affecting BroadWorks Platform

Cisco has released security fixes to address multiple security flaws, including a critical bug, that could be exploited by a threat actor to take control of an affected system or cause a denial-of service (DoS) condition. The most severe of the issues is CVE-2023-20238, which has the maximum CVSS severity rating of 10.0. It’s described as an authentication bypass flaw in the Cisco BroadWorks

New Yashma Ransomware Variant Targets Multiple English-Speaking Countries

An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023. Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin. "The threat actor uses an uncommon technique to deliver the ransom note," security

Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures

A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers. "Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Cisco Talos said in an exhaustive two-part report shared

Predator Android Spyware: Researchers Uncover New Data Theft Capabilities

Security researchers have detailed the inner workings of the commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (previously Cytrox). Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android. The spyware, which is delivered by means

Critical Flaws in Cisco Small Business Switches Could Allow Remote Attacks

Cisco has released updates to address a set of nine security flaws in its Small Business Series Switches that could be exploited by an unauthenticated, remote attacker to run arbitrary code or cause a denial-of-service (DoS) condition. "These vulnerabilities are due to improper validation of requests that are sent to the web interface," Cisco said, crediting an unnamed external researcher for

Cisco Warns of Vulnerability in Popular Phone Adapter, Urges Migration to Newer Model

Cisco has warned of a critical security flaw in SPA112 2-Port Phone Adapters that it said could be exploited by a remote attacker to execute arbitrary code on affected devices. The issue, tracked as CVE-2023-20126, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. The company credited Catalpa of DBappSecurity for reporting the shortcoming. The product in question makes it possible

Cisco and VMware Release Security Updates to Patch Critical Flaws in their Products

Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems. The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of

U.S. and U.K. Warn of Russian Hackers Exploiting Cisco Router Flaws for Espionage

U.K. and U.S. cybersecurity and intelligence agencies have warned of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against select targets. The intrusions, per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims

Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques

The threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with an updated version (V2) that packs in improved capabilities to evade detection and resist analysis. The new version is offered for sale on the criminal underground for $59 per month, $360 per year, or alternatively, for $540 for a lifetime subscription. "The stealer can harvest and exfiltrate

YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022. "Information stolen from successful compromises include credentials from multiple applications, browser histories and cookies, system information and screenshots," Cisco