{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network_sniffing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["high"],"_cs_tags":["cisco_asa","network_sniffing","credential_access"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic detects the execution of packet capture commands on Cisco ASA devices via CLI or ASDM. Adversaries might abuse the built-in packet capture functionality to perform network sniffing, intercept credentials transmitted over the network, capture sensitive data in transit, or gather intelligence about network traffic patterns and internal communications. Packet captures can reveal usernames, passwords, session tokens, and confidential business data. The detection focuses on command execution events (message ID 111008 or 111010) that include \u0026quot;capture\u0026quot; commands, which are used to initiate packet capture sessions on specific interfaces or for specific traffic patterns on the ASA device. This activity is associated with threat actors like LINE VIPER, as documented by NCSC. Detecting unauthorized packet capture activities, especially those targeting sensitive interfaces or involving unusual configurations, is critical for identifying potential intrusions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Cisco ASA device via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ASA device using CLI or ASDM.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u0026quot;configure terminal\u0026quot; command to enter global configuration mode.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u0026quot;capture\u0026quot; command to define a packet capture session, specifying interfaces, traffic patterns, and filters. For example, \u003ccode\u003ecapture capin interface inside match ip any any\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe ASA device starts capturing network traffic based on the defined parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the captured traffic data for analysis, potentially exfiltrating the data to an external server.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the captured data to identify sensitive information, such as usernames, passwords, session tokens, or confidential business data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials or data to further compromise the network or exfiltrate sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform extensive network reconnaissance and potentially steal sensitive credentials and data. This could lead to further compromise of internal systems, data breaches, and financial loss. While specific victim counts are unavailable, the impact is significant due to the potential for widespread data compromise and disruption of network operations. The references note association with advanced actors who use captured data to further their campaigns.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA to ensure the \u003ccode\u003ecisco_asa\u003c/code\u003e macro is populated (How_to_implement).\u003c/li\u003e\n\u003cli\u003eConfigure Cisco ASA devices to generate and forward message IDs 111008 and 111010, adjusting syslog levels as needed based on the instructions in the \u0026quot;How_to_implement\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Cisco ASA - Suspicious Packet Capture Configuration\u0026quot; to detect unusual packet capture configurations and tune the rule for your environment (rules).\u003c/li\u003e\n\u003cli\u003eReview and investigate any alerts generated by the Sigma rule, focusing on captures targeting sensitive interfaces, large traffic volumes, or unusual filter criteria.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/","summary":"Detection of packet capture commands on Cisco ASA devices indicates potential network sniffing for credential theft, sensitive data interception, or network traffic analysis by adversaries.","title":"Cisco ASA Packet Capture Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/"}],"language":"en","title":"CraftedSignal Threat Feed - Network_sniffing","version":"https://jsonfeed.org/version/1.1"}