CISA’s Known Exploited Vulnerabilities (KEV) catalog is a “who’s-who” of bugs that are known to be under active exploitation, mostly by state actors. It is also a to-do list for every script-kiddie in the world trying to figure out how to exploit them.
CISA gave federal agencies ONE WEEK to patch these bugs. The short fuse is likely due to classified intelligence that they have access to. It is very unusual for them to give agencies just a week to deploy patches.
The Cisco bugs affect their Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. These are super popular and used by millions of businesses in the U.S.
Cisco identified the threat actor as UAT4356 and Microsoft’s Threat Intelligence Center calls them STORM-1849. By whatever name you call them, it appears that they are Chinese backed.
The Cisco attack deploys two backdoors, ‘Line Runner’ and ‘Line Dancer’. Once deployed, the hackers can modify firewall configurations, perform reconnaissance, capture and exfiltrate network traffic, and potentially move laterally. Other than that, Mrs. Lincoln, how was the play? This is pretty much “I own you”.
The remaining Five-Eyes countries issued similar warnings. U.K. officials said that a hard reboot (as in yanking out the power cord) stops reinfection, likely meaning that the malware is only memory resident – at this time. Make sure you patch each and every device before reconnecting to the Internet.
This reinforces, after the Ivanti attack, that state-sponsored hackers are going after network security devices.
Also added to the KEV list is a vulnerability in the popular FTP program CrushFTP. When exploited, it would allow an unauthenticated hacker to access any sensitive data visible to the FTP server.
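A defender-side way to act on the two points above (the unusually short KEV due dates, and the Cisco ASA/FTD and CrushFTP entries) is to triage the KEV feed for products in your own estate and for any entry whose due date is only days after it was added. The script below is an added example, not from the original post or from CISA; the field names follow CISA's published KEV JSON feed, but the sample entries, CVE ids and dates are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (field names follow the real feed;
# the CVE ids, dates and "ExampleVendor" entry are placeholders, not actual catalog entries).
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Cisco",
     "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
     "vulnerabilityName": "placeholder", "shortDescription": "placeholder",
     "dateAdded": "2024-04-24", "dueDate": "2024-05-01",
     "requiredAction": "Apply vendor updates", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-00002", "vendorProject": "CrushFTP", "product": "CrushFTP",
     "vulnerabilityName": "placeholder", "shortDescription": "placeholder",
     "dateAdded": "2024-04-24", "dueDate": "2024-05-01",
     "requiredAction": "Apply vendor updates", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "placeholder", "shortDescription": "placeholder",
     "dateAdded": "2024-04-24", "dueDate": "2024-05-15",
     "requiredAction": "Apply vendor updates", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
]})


def remediation_window_days(entry):
    """Days CISA allowed between the catalog addition and the patch due date."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def triage(kev_json, watch_terms, max_window_days=7):
    """Pick out entries that match products in your estate (watch_terms, matched
    case-insensitively against vendor and product) or that carry an unusually short
    remediation window. Returns dicts sorted by due date, earliest first."""
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        window = remediation_window_days(entry)
        haystack = f'{entry["vendorProject"]} {entry["product"]}'.lower()
        in_scope = any(term.lower() in haystack for term in watch_terms)
        short_fuse = window <= max_window_days
        if in_scope or short_fuse:
            hits.append({"cveID": entry["cveID"], "vendor": entry["vendorProject"],
                         "dueDate": entry["dueDate"], "window_days": window,
                         "in_scope": in_scope, "short_fuse": short_fuse})
    return sorted(hits, key=lambda h: (h["dueDate"], h["cveID"]))


if __name__ == "__main__":
    for h in triage(SAMPLE_KEV, ["Cisco", "CrushFTP"]):
        print(f'{h["cveID"]:<16} due {h["dueDate"]} ({h["window_days"]}d) '
              f'in_scope={h["in_scope"]} short_fuse={h["short_fuse"]}')
```

To run it against the live catalog, replace SAMPLE_KEV with the JSON downloaded from CISA's KEV feed and put your own vendor and product keywords in watch_terms.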
Up until now these targets have been selectively exploited.
Now that the hackers know that the cat is out of the bag, it is a full-court press to do as much damage as possible before organizations deploy patches.
PATCH NOW. If you need help, please contact us.
Credit: The Record and Data Breach Today