https://feed.craftedsignal.io/vendors/cisco/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 24 Apr 2026 05:43:56 +0000https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/Fri, 24 Apr 2026 05:43:56 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.A cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.

Attack Chain

1. Attacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).
2. Attacker exploits a vulnerability allowing authentication bypass.
3. Upon successful authentication bypass, the attacker gains unauthorized access to the device.
4. Attacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.
5. The code executes with administrator privileges, granting the attacker full control over the device.
6. Attacker uses the compromised device as a pivot point to move laterally within the network.
7. Attacker compromises additional systems and exfiltrates sensitive data.

Impact

Successful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. The broad range of affected Cisco products means a wide array of organizations are potentially at risk.

Recommendation

• Deploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.
• Consult Cisco’s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.

]]>criticaladvisoryciscovulnerabilityrceauthentication-bypasshttps://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/Thu, 23 Apr 2026 15:11:53 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.Cisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called “FIRESTARTER,” which shares technical capabilities with RayInitiator’s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco’s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.

Attack Chain

1. UAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.
2. The attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.
3. The FIRESTARTER backdoor is written to /opt/cisco/platform/logs/var/log/svc_samcore.log and the CSP_MOUNT_LIST is updated to copy itself to /usr/bin/lina_cs.
4. After a graceful reboot, FIRESTARTER is executed from /usr/bin/lina_cs.
5. FIRESTARTER restores the original CSP_MOUNT_LIST from /tmp/CSP_MOUNTLIST.tmp and removes the temporary copy and the trojanized /usr/bin/lina_cs file from disk.
6. FIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.
7. FIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the “libstdc++.so” memory region.
8. The attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.

Impact

Compromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.

Recommendation

• Deploy the file integrity monitoring rule to detect the creation or modification of /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log (see “File Creation in Suspicious Directory”).
• Apply software upgrade recommendations outlined in Cisco’s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.
• Monitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.

]]>criticalthreatuat-4356firestarterciscobackdoornetworkespionagehttps://feed.craftedsignal.io/briefs/2026-04-cisco-imc-xss/Thu, 23 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-cisco-imc-xss/Multiple cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow a remote attacker to conduct an XSS attack against a user of the interface.Multiple cross-site scripting (XSS) vulnerabilities have been identified in the web-based management interface of the Cisco Integrated Management Controller (IMC). Successful exploitation of these vulnerabilities could allow a remote attacker to inject malicious scripts into the web browser of a user accessing the IMC interface. This could lead to session hijacking, sensitive information disclosure, or other malicious activities performed in the context of the user’s session. The vulnerabilities were disclosed on 2026-04-22, and Cisco has released software updates to address them. There are no known workarounds. This threat is relevant for organizations using Cisco IMC to manage their infrastructure.

Attack Chain

1. Attacker identifies a vulnerable Cisco IMC web interface.
2. Attacker crafts a malicious URL containing a JavaScript payload designed to execute in the context of a victim’s browser session.
3. Attacker delivers the malicious URL to the victim, typically through phishing, social engineering, or by injecting it into a trusted website.
4. Victim clicks on the malicious URL, or the URL is automatically loaded through a compromised website.
5. The victim’s web browser sends an HTTP request to the vulnerable Cisco IMC web server.
6. The Cisco IMC web server reflects the attacker’s malicious JavaScript payload in the HTTP response without proper sanitization.
7. The victim’s web browser executes the malicious JavaScript code.
8. The attacker’s JavaScript code executes within the victim’s browser, allowing the attacker to steal cookies, redirect the user, or perform other actions on behalf of the victim.

Impact

Successful exploitation of these XSS vulnerabilities could allow an attacker to execute arbitrary JavaScript code in the context of a user’s session. This could lead to sensitive information disclosure, such as the theft of session cookies, allowing the attacker to hijack the user’s session and gain unauthorized access to the Cisco IMC. The attacker could also redirect the user to a malicious website or deface the IMC web interface. While the specific number of vulnerable systems is unknown, organizations using Cisco IMC are potentially at risk.

Recommendation

• Apply the software updates released by Cisco to address the vulnerabilities (CVE-2026-20085, CVE-2026-20087, CVE-2026-20088, CVE-2026-20089, CVE-2026-20090).
• Deploy the Sigma rule provided below to detect potential exploitation attempts against the Cisco IMC web interface.
• Monitor web server logs for suspicious HTTP requests containing potentially malicious JavaScript payloads targeting the Cisco IMC web interface.

]]>mediumadvisoryxssciscocimcvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-china-nexus-covert-networks/Thu, 23 Apr 2026 11:22:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-china-nexus-covert-networks/China-nexus cyber actors are increasingly using large-scale networks of compromised devices, including SOHO routers and IoT devices, to obscure the origin of their attacks and conduct various malicious activities, from reconnaissance to data exfiltration.A joint advisory highlights a significant shift in tactics employed by China-nexus cyber actors. They are moving away from using individually procured infrastructure and instead leveraging large-scale, externally provisioned networks of compromised devices. These “covert networks” primarily consist of Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, and smart devices, but can include any vulnerable device that can be exploited at scale. These networks are used for various purposes, including disguising the origin of malicious activity, scanning networks, delivering malware, communicating with compromised systems, exfiltrating stolen data, and conducting general deniable internet browsing to research new TTPs and victim profiles. These networks are constantly updated and could be used by multiple actors.

Attack Chain

1. Initial Compromise: China-nexus actors exploit vulnerabilities in SOHO routers, IoT devices (web cameras, video recorders), firewalls, and NAS devices.
2. Botnet Establishment: Compromised devices are incorporated into a covert network (botnet), often controlled by Chinese information security companies.
3. Reconnaissance: The actors use the botnet to scan target networks, gathering information about potential vulnerabilities and attack surfaces.
4. Exploitation: Leveraging the compromised network to mask their origin, the actors exploit identified vulnerabilities in target systems.
5. Malware Delivery: The covert network is used to deliver malware payloads to compromised systems within the target network.
6. Command and Control: The actors establish command and control (C2) channels through the compromised network to remotely control the malware and maintain access.
7. Data Exfiltration: Sensitive data is exfiltrated from the compromised network through the covert network, making attribution difficult.
8. Persistence: The actors maintain persistence on compromised systems to ensure continued access and control.

Impact

Compromised networks can lead to the exposure of sensitive data, disruption of critical services, and financial losses. The use of covert networks makes attribution difficult, allowing attackers to operate with impunity. The advisory notes that Volt Typhoon has used these techniques to pre-position on critical national infrastructure. The widespread nature of the networks, comprising potentially hundreds of thousands of endpoints, makes traditional network defense strategies like static IP blocklists less effective. In 2024, one such network, Raptor Train, infected over 200,000 devices worldwide.

Recommendation

• Implement robust patch management practices to keep SOHO routers, IoT devices, and other network devices up-to-date with the latest security patches (reference: Overview).
• Strengthen network perimeter security by implementing intrusion detection and prevention systems (IDPS) to identify and block malicious traffic originating from suspicious or known compromised IP addresses (reference: Attack Chain).
• Monitor network traffic for unusual patterns and anomalies that may indicate the presence of a compromised device or covert network activity (reference: Attack Chain).
• Deploy the Sigma rule “Detect Outbound Connection to Known SOHO Devices” to identify potential compromised devices on your network (reference: rules).
• Segment networks to limit the potential impact of a compromised device or network segment (reference: Protective Advice).

]]>highthreatcovert-networkbotnetchina-nexuscompromised-deviceshttps://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/Tue, 21 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.Cisco Catalyst SD-WAN Manager is affected by a vulnerability (CVE-2026-20128) that allows for the disclosure of stored passwords. An authenticated, local attacker with low privileges can exploit this vulnerability by accessing a credential file on the filesystem. Successful exploitation grants the attacker DCA user privileges, potentially leading to unauthorized access and control over the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance to mitigate risks associated with Cisco SD-WAN devices. This vulnerability highlights the importance of proper credential management and access controls in network management systems.

Attack Chain

1. An attacker gains low-privileged access to the Cisco Catalyst SD-WAN Manager system through legitimate credentials or other vulnerabilities.
2. The attacker navigates the filesystem to locate the DCA user’s credential file.
3. The attacker reads the credential file, which contains the DCA user’s password in a recoverable format.
4. The attacker decodes or decrypts the password using readily available tools or techniques.
5. The attacker uses the recovered DCA user credentials to authenticate to the SD-WAN Manager with elevated privileges.
6. The attacker leverages the DCA user privileges to perform unauthorized configuration changes or access sensitive data.
7. The attacker potentially pivots to other systems or network segments accessible through the SD-WAN infrastructure.

Impact

Successful exploitation of this vulnerability allows an attacker to gain complete control over the Cisco Catalyst SD-WAN Manager. This could lead to significant disruption of network services, data breaches, and potential compromise of connected systems. The impact is magnified by the widespread use of SD-WAN in enterprise environments, making this a critical vulnerability for organizations utilizing Cisco Catalyst SD-WAN Manager.

Recommendation

• Review and apply the mitigations outlined in CISA’s Emergency Directive 26-03 and associated guidance for Cisco SD-WAN devices, as referenced in the overview.
• Monitor file access events on the Cisco Catalyst SD-WAN Manager system for suspicious access patterns to credential files using the Detect Suspicious SD-WAN Credential File Access Sigma rule.
• Implement stricter access controls and password policies on the Cisco Catalyst SD-WAN Manager to prevent unauthorized access.
• Apply the security updates provided by Cisco to patch CVE-2026-20128 as they become available.

]]>mediumadvisorycve-2026-20128credential-accesssd-wanciscohttps://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-privilege-escalation/Tue, 21 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-privilege-escalation/Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface, allowing an attacker to upload a malicious file and overwrite arbitrary files to gain vmanage user privileges.Cisco Catalyst SD-WAN Manager is vulnerable to an incorrect use of privileged APIs. This flaw stems from improper file handling within the API interface. An attacker can exploit this vulnerability by uploading a malicious file to the local file system. Successful exploitation allows an attacker to overwrite arbitrary files on the affected system and ultimately gain vmanage user privileges. CISA has released Emergency Directive 26-03 and associated hunt/hardening guidance in response to active exploitation of Cisco SD-WAN vulnerabilities. This issue poses a significant risk to organizations utilizing affected Cisco SD-WAN deployments, as it allows for privilege escalation and potential compromise of the entire SD-WAN infrastructure.

Attack Chain

1. The attacker identifies a vulnerable Cisco Catalyst SD-WAN Manager instance with an exposed API interface.
2. The attacker crafts a malicious file designed to exploit the improper file handling vulnerability (CVE-2026-20122).
3. The attacker uploads the malicious file to the SD-WAN Manager via the vulnerable API endpoint.
4. Due to improper file handling, the uploaded file is written to an arbitrary location on the file system.
5. The malicious file overwrites a critical system file, such as a configuration file or a binary executable used by the vmanage user.
6. The attacker triggers a system event or restart a service that uses the overwritten file.
7. The compromised service or application now executes with the attacker’s injected code, granting the attacker vmanage user privileges.
8. The attacker leverages the vmanage user privileges to further compromise the system or the SD-WAN infrastructure.

Impact

Successful exploitation of this vulnerability (CVE-2026-20122) allows an attacker to overwrite arbitrary files and gain vmanage user privileges on the Cisco Catalyst SD-WAN Manager. This can lead to a complete compromise of the SD-WAN management plane, allowing the attacker to reconfigure the network, intercept traffic, or deploy further malicious payloads to connected devices. Given the critical role of SD-WAN in modern network infrastructure, a successful attack can have widespread impact, affecting business operations and data security. CISA’s involvement via Emergency Directive 26-03 indicates that this vulnerability is likely under active exploitation.

Recommendation

• Immediately apply the mitigations recommended by CISA in Emergency Directive 26-03 and the associated hunt/hardening guidance to reduce exposure to this vulnerability.
• Implement file integrity monitoring on critical system files on the Cisco Catalyst SD-WAN Manager to detect unauthorized modifications.
• Deploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.
• Review and harden the API interface of the SD-WAN Manager to prevent unauthorized file uploads.
• Follow applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

]]>criticalthreatcve-2026-20122privilege-escalationsd-wanhttps://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/Thu, 05 Sep 2024 14:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.The Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.

Attack Chain

1. An attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.
2. The attacker leverages msiexec.exe to create a new scheduled task using the schtasks.exe command, setting it to execute a malicious script or binary.
3. Alternatively, the attacker uses msiexec.exe in conjunction with reg.exe or PowerShell to modify registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run, adding a pointer to their malicious executable.
4. The created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.
5. The system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.
6. The malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.
7. The attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.

Impact

Successful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.

Recommendation

• Monitor process creation events for msiexec.exe spawning schtasks.exe or reg.exe to create scheduled tasks or modify registry run keys (reference: rules in this brief).
• Implement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.
• Review and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.
• Enable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == “file” and file.path … and event.category == “registry” and registry.path … in the rule query).
• Implement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).

]]>mediumadvisorypersistencedefense-evasionwindowshttps://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/Wed, 31 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.This detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.

Attack Chain

1. User launches a communication application (e.g., Slack, Teams, Webex).
2. The communication application executes a vulnerable or compromised component.
3. The compromised component spawns a child process (e.g., powershell.exe, cmd.exe).
4. The child process executes a malicious command or script.
5. The script attempts to download additional payloads from an external source.
6. The payload executes, establishing persistence through registry modification or scheduled tasks.
7. The attacker gains remote access to the system.
8. Data exfiltration or lateral movement within the network occurs.

Impact

A successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization’s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker’s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.

Recommendation

• Deploy the Sigma rule Suspicious Communication App Child Process to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.
• Enable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: process_creation, product: windows).
• Investigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.
• Implement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.
• Ensure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.
• Examine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.

]]>mediumadvisorydefense-evasionpersistencewindowshttps://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/Fri, 19 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/Cisco Catalyst SD-WAN Manager contains an information disclosure vulnerability (CVE-2026-20133) that could allow remote attackers to view sensitive information on affected systems, requiring immediate patching or mitigation.Cisco Catalyst SD-WAN Manager is susceptible to an information disclosure vulnerability, identified as CVE-2026-20133. The vulnerability allows unauthorized remote attackers to potentially gain access to sensitive information residing on affected systems. While the exact nature of the disclosed information isn’t specified in the advisory, it could encompass configuration details, user credentials, or other sensitive data critical for the secure operation of the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance, highlighting the severity and urging immediate action. The directive impacts organizations utilizing Cisco SD-WAN devices and emphasizes the need for thorough risk assessment and implementation of provided mitigation strategies.

Attack Chain

1. Vulnerability Discovery: An attacker identifies a publicly accessible endpoint or API within the Cisco Catalyst SD-WAN Manager that is vulnerable to CVE-2026-20133.
2. Unauthorized Request: The attacker crafts a malicious HTTP request targeting the vulnerable endpoint, exploiting the lack of proper authorization checks or input validation.
3. Information Exposure: The SD-WAN Manager processes the request and, due to the vulnerability, inadvertently discloses sensitive information. This could be in the form of a file, database content, or API response.
4. Data Extraction: The attacker captures the exposed data from the response, potentially including configuration files, usernames, passwords, or other sensitive credentials.
5. Credential Compromise: The attacker uses the extracted credentials to gain unauthorized access to other systems within the SD-WAN environment or the broader network.
6. Lateral Movement: Leveraging compromised credentials, the attacker moves laterally across the network, targeting critical systems and data.
7. Data Exfiltration / System Compromise: The attacker exfiltrates sensitive data or achieves complete system compromise, depending on the attacker’s objectives.

Impact

Successful exploitation of CVE-2026-20133 can lead to significant consequences, including the compromise of sensitive data, unauthorized access to critical systems, and potential disruption of network operations. Given the central role of SD-WAN managers in controlling network traffic and security policies, a successful attack can have a wide-ranging impact. The number of potentially affected organizations is substantial due to the widespread adoption of Cisco SD-WAN solutions. The impact can include data breaches, financial loss, reputational damage, and regulatory penalties.

Recommendation

• Immediately assess your exposure to CVE-2026-20133 by following CISA’s Emergency Directive 26-03 mitigation instructions.
• Apply the necessary patches or workarounds provided by Cisco to remediate the vulnerability as outlined in Cisco’s security advisory.
• If patches are unavailable or cannot be immediately applied, implement the hardening guidance provided in CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices”.
• For cloud-based deployments, adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
• Deploy the following Sigma rule to detect suspicious HTTP requests targeting potential vulnerable endpoints of the Cisco Catalyst SD-WAN Manager.

]]>highadvisorycvevulnerabilityciscosd-wanhttps://feed.craftedsignal.io/briefs/2024-01-cisco-dot1x-disabled/Wed, 03 Jan 2024 18:23:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-cisco-dot1x-disabled/Detection of manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface, potentially allowing unauthorized network access and lateral movement.The disabling of 802.1X authentication on a Cisco network device can bypass Network Access Control (NAC) mechanisms, potentially granting unauthorized devices access to the internal network. Attackers or malicious insiders might disable dot1x to establish persistence or facilitate lateral movement by connecting rogue devices to the network. This can be accomplished through CLI commands such as ‘access-session port-control force-authorized’ or ’no dot1x system-auth-control’, depending on the IOS version. These commands either disable 802.1X on a specific interface or globally across the device. The targeted scope is Cisco network devices utilizing 802.1X for network access control.

Attack Chain

1. Attacker gains privileged access to a Cisco network device via compromised credentials or exploiting a vulnerability.
2. Attacker executes CLI commands to disable 802.1X authentication on a specific interface or globally.
3. Commands used may include ‘access-session port-control force-authorized’, ‘authentication port-control force-authorized’, ‘dot1x port-control force-authorized’, ’no access-session port-control’, ’no authentication port-control’, ’no dot1x port-control’, or ’no dot1x system-auth-control’.
4. The network interface transitions to a force-authorized state, bypassing the normal authentication process.
5. An unauthorized device is connected to the compromised network interface.
6. The unauthorized device gains network access without proper authentication or authorization.
7. The attacker leverages the unauthorized access for lateral movement to other systems on the network.
8. The attacker exfiltrates sensitive data or deploys malicious payloads across the network.

Impact

Successful disabling of dot1x can lead to unauthorized network access, allowing attackers to bypass security controls. This can result in the compromise of sensitive data, the spread of malware, and the disruption of network services. The number of affected devices and the scope of the compromise depend on the network architecture and the attacker’s objectives. The impact could range from a single compromised workstation to a full-scale network breach affecting thousands of devices and users.

Recommendation

• Deploy the Sigma rule Cisco Dot1x Disabled to your SIEM to detect the execution of commands that disable 802.1X authentication.
• Monitor Cisco AAA logs for events containing keywords such as ‘access-session port-control force-authorized’ and ’no dot1x system-auth-control’ to identify potential attempts to disable dot1x.
• Implement multi-factor authentication (MFA) for all administrative access to Cisco network devices to prevent unauthorized command execution.
• Regularly review and audit the configuration of Cisco network devices to ensure that 802.1X is enabled and properly configured on all relevant interfaces.

]]>mediumadvisoryattack.defense-evasionattack.persistenceattack.credential-accessattack.t1562.001attack.t1556.004https://feed.craftedsignal.io/briefs/2024-01-direct-syscall-process-access/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-direct-syscall-process-access/Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.This detection identifies suspicious process access events on Windows systems where a process attempts to access another process’s memory via direct system calls, bypassing standard Windows API calls. Endpoint security solutions often hook userland Windows APIs to detect malicious code execution. Attackers can evade these hooks by directly invoking syscalls, which are lower-level instructions that interact directly with the operating system kernel. The rule specifically looks for process access events (Sysmon Event ID 10) where the call trace does not originate from known Windows system DLLs like ntdll.dll, indicating a potential attempt to bypass security measures. The rule excludes certain legitimate applications, such as Malwarebytes Anti-Exploit, Cisco AMP, Microsoft EdgeWebView, and Adobe Acrobat DC, to reduce false positives. This technique is often employed by advanced malware and red teams to evade detection.

Attack Chain

1. A malicious process is executed on the system, either through user interaction or exploitation of a vulnerability.
2. The process attempts to gain access to another process’s memory space (Target Process).
3. Instead of using standard Windows API calls, the malicious process directly invokes system calls (syscalls) to access the target process’s memory.
4. The CallTrace in the Sysmon event does not originate from expected system DLLs like ntdll.dll, sysfer.dll, wow64cpu.dll, wow64win.dll, or win32u.dll, indicating a direct syscall.
5. The process might attempt to read sensitive information such as credentials, inject malicious code, or manipulate the target process’s behavior.
6. The malicious process performs actions within the context of the target process, such as executing injected code or accessing sensitive data.
7. The attacker leverages the compromised process to achieve their objectives, such as data exfiltration, lateral movement, or privilege escalation.
8. The attacker cleans up any traces of their activity and attempts to maintain persistence on the compromised system.

Impact

Successful exploitation can lead to the compromise of sensitive data, the injection of malicious code into legitimate processes, and the complete takeover of the affected system. This can result in data breaches, financial loss, and reputational damage. The impact is especially significant if the target process holds sensitive credentials, browser secrets, or has security-product context.

Recommendation

• Enable Sysmon process access logging (Event ID 10) with call tracing and ingest the logs into your SIEM to activate the rules above (https://ela.st/sysmon-event-10-setup).
• Deploy the Sigma rules provided in this brief to your SIEM and tune them for your environment to detect direct syscall process access.
• Investigate any alerts generated by these rules, focusing on the SourceImage, TargetImage, GrantedAccess, and CallTrace fields in the Sysmon event to determine the legitimacy of the process access attempt.
• Prioritize investigation of alerts where the target process is lsass.exe or other security-sensitive processes.
• Implement robust endpoint detection and response (EDR) solutions to detect and prevent malicious activity on endpoints.
• Monitor for suspicious process creation events originating from the flagged processes.

]]>highadvisorydefense-evasionexecutionwindowshttps://feed.craftedsignal.io/briefs/2024-01-03-msiexec-remote-download/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-msiexec-remote-download/The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.The detection focuses on identifying instances where msiexec.exe is used with an HTTP or HTTPS URL in the command line. This behavior is indicative of an attempt to download and execute potentially malicious software from a remote server. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. The activity is often used to bypass traditional security controls.

Attack Chain

1. An attacker gains initial access through various means, such as phishing or exploiting a software vulnerability.
2. The attacker leverages msiexec.exe, a legitimate Windows utility, to download a malicious MSI package from a remote HTTP or HTTPS server.
3. The command line includes a URL pointing to a malicious MSI file hosted on a compromised or attacker-controlled server.
4. msiexec.exe downloads the MSI package to the victim’s machine.
5. The MSI package is executed, potentially installing malware, creating new files, or modifying system settings.
6. The installed malware establishes persistence through registry keys or scheduled tasks.
7. The malware initiates command and control (C2) communication to receive further instructions.
8. The attacker performs actions on the objective such as data exfiltration or lateral movement within the compromised network.

Impact

Successful exploitation can lead to unauthorized code execution, system compromise, or further malware deployment within the network. The use of msiexec.exe for remote downloads can bypass traditional security controls, allowing attackers to deliver and execute malicious payloads undetected. The dfirreport.com article references data exfiltration following exploitation via MSIExec.

Recommendation

• Enable Sysmon process-creation logging to activate the rules below, capturing command-line details (Sysmon EventID 1).
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
• Monitor network traffic for connections originating from msiexec.exe to external HTTP/HTTPS URLs (Network Visibility Module Flow Data).
• Investigate any instances of msiexec.exe executing with command-line arguments containing HTTP or HTTPS URLs.
• Filter false positives by destination or parent process as needed based on your environment.

]]>highadvisoryendpointmsiexecremote-downloadwindowshttps://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity by detecting source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.This analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. This activity can lead to account compromise and potential ransomware deployment.

Attack Chain

1. The attacker scans the network to identify systems with open RDP ports (TCP 3389).
2. The attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.
3. The firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.
4. Sysmon logs the network connections with Event ID 3.
5. The attacker continues to attempt connections, typically exceeding 10 attempts within an hour.
6. Upon successful authentication, the attacker gains unauthorized access to the target system.
7. The attacker may then install malware, move laterally, or exfiltrate sensitive data.
8. The attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.

Impact

Successful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.

Recommendation

• Ensure network traffic data is populating the Network_Traffic data model to enable the provided search query.
• Deploy the Sigma rule RDP Bruteforce via Network Traffic to detect brute force attempts based on network connection patterns.
• Adjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.
• Investigate source IPs identified by the detection rule as potential attackers.
• Monitor Sysmon EventID 3 for network connections to detect RDP brute-force attempts.
• Review the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.

]]>highadvisoryrdpbruteforcecredential-accesswindowsnetworkhttps://feed.craftedsignal.io/briefs/2024-01-suspicious-lsass-access/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-lsass-access/This rule identifies suspicious access attempts to the LSASS process, potentially indicating credential dumping attempts by filtering out legitimate processes and access patterns to focus on anomalies.The Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for enforcing security policies and handling user authentication. Attackers often target LSASS to extract credentials, enabling unauthorized access and privilege escalation. This detection rule identifies suspicious access attempts to LSASS memory, which may indicate credential dumping activities. It filters out common legitimate processes and access patterns to highlight anomalous behaviors associated with credential theft. The rule is designed to detect unauthorized access attempts by monitoring process access events and filtering out known benign processes that interact with LSASS. It helps defenders identify potential credential access attempts before they lead to significant compromise.

Attack Chain

1. An attacker gains initial access to a system, possibly through phishing or exploitation of a vulnerability.
2. The attacker executes a malicious process or script on the compromised system.
3. The malicious process attempts to gain a handle to the LSASS process.
4. The attacker’s tool requests specific access rights to LSASS, such as ReadProcessMemory (0x0010) or PROCESS_QUERY_INFORMATION (0x0400), which are necessary for memory dumping.
5. The attacker’s process bypasses or disables endpoint detection and response (EDR) solutions to avoid detection.
6. The tool dumps the LSASS memory, extracting sensitive information like usernames, passwords, and Kerberos tickets.
7. The attacker uses the extracted credentials to move laterally within the network, accessing other systems and resources.
8. The attacker achieves their objective, such as data exfiltration or deployment of ransomware.

Impact

A successful LSASS memory dump can lead to the compromise of domain credentials, allowing attackers to move laterally within the network and gain access to sensitive data and systems. This can result in data breaches, financial loss, and reputational damage. Organizations across all sectors are vulnerable, particularly those with weak credential management practices. A single compromised account can lead to widespread damage, potentially affecting thousands of systems.

Recommendation

• Enable Sysmon process access event logging (Event ID 10) as described in the setup instructions linked in the rule to collect the necessary data.
• Deploy the Sigma rule “Suspicious Lsass Process Access” to your SIEM and tune the exclusions based on your environment to reduce false positives.
• Review and harden privileged account management practices to limit the impact of credential compromise.
• Monitor systems for unusual process creation events, especially those spawning from unexpected locations, to identify potential initial access points.
• Regularly scan systems for vulnerabilities and apply patches to prevent exploitation.

]]>mediumadvisorycredential-accesslsasswindowshttps://feed.craftedsignal.io/briefs/2024-01-run-key-registry-modification/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-run-key-registry-modification/Attackers modify registry run keys or startup keys to achieve persistence by referencing a program that executes when a user logs in or the system boots.Attackers often modify registry run keys to achieve persistence on a system. By adding entries to these keys, they ensure that a malicious program executes automatically whenever a user logs in. This technique allows the attacker to maintain access to the compromised system even after reboots or other interruptions. The programs added to these run keys execute under the context of the user account, inheriting its permissions. This activity is often difficult to distinguish from legitimate software installations or updates, requiring careful analysis to identify malicious intent. Elastic has observed this activity and created a detection rule to identify this behavior.

Attack Chain

1. The attacker gains initial access to the target system.
2. The attacker identifies registry run key locations for persistence.
3. The attacker modifies a registry run key (e.g., HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) using tools such as reg.exe.
4. The attacker adds a malicious executable path to the registry key.
5. The system is restarted, or a user logs in.
6. The malicious executable is launched automatically as part of the logon process.
7. The malicious executable establishes a connection to a command-and-control server.
8. The attacker gains remote access to the compromised system.

Impact

Successful exploitation allows attackers to maintain persistent access to compromised systems, enabling them to perform unauthorized activities such as data theft, lateral movement, and deployment of ransomware. While each instance may not cause immediate critical damage, the cumulative effect of multiple persistent infections across an environment can lead to significant data breaches and operational disruption. The Elastic rule attempts to minimize false positives with built-in filters for common legitimate applications and processes like ctfmon.exe, but tuning is required.

Recommendation

• Deploy the Sigma rule provided below to detect suspicious modifications to registry run keys and tune it to filter out legitimate application updates.
• Enable registry event logging to capture modifications made to the registry, ensuring that the Sigma rule can function correctly.
• Investigate any alerts generated by the Sigma rule, examining the parent process of the process modifying the registry for suspicious activity.
• Block known malicious executables and domains identified during triage to prevent further infection.
• Use endpoint detection and response (EDR) solutions like Elastic Defend to gain enhanced visibility into endpoint activity and detect malicious behavior associated with persistence mechanisms.

]]>lowadvisorypersistenceregistryrunkeyhttps://feed.craftedsignal.io/briefs/2024-01-masquerading-communication-apps/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-masquerading-communication-apps/Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird.Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications. This involves using names and icons that resemble trusted applications like Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird to trick users and bypass security measures. This technique can be used to conceal malicious activity, bypass allowlists, or trick users into executing malware. The detection rule identifies suspicious instances by checking for unsigned or improperly signed processes, ensuring they match known trusted signatures, which helps in flagging potential threats that mimic trusted communication tools.

Attack Chain

1. An attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.
2. The attacker deploys a malicious executable onto the compromised system.
3. The attacker renames the malicious executable to resemble a legitimate communication application, such as “slack.exe” or “Teams.exe”.
4. The attacker modifies or removes the code signature of the malicious executable to avoid detection based on trusted publishers.
5. The attacker executes the renamed and potentially unsigned malicious executable.
6. The masqueraded process performs malicious actions, such as establishing a reverse shell or downloading additional payloads.
7. The attacker uses the compromised system to move laterally within the network, escalating privileges and compromising additional systems.
8. The final objective is to exfiltrate sensitive data or deploy ransomware.

Impact

Successful masquerading attacks can lead to significant security breaches, including data theft, system compromise, and financial loss. By disguising malicious processes as legitimate communication apps, attackers can bypass security controls and operate undetected for extended periods. This can result in widespread damage and disruption, as well as reputational damage for the targeted organization. The impact can range from a few compromised systems to a complete network takeover, depending on the attacker’s objectives and the effectiveness of the masquerading technique.

Recommendation

• Deploy the Sigma rule “Potential Masquerading as Communication Apps - Generic” to your SIEM and tune for your environment to detect unsigned or improperly signed communication applications.
• Deploy the Sigma rule “Potential Masquerading as Communication Apps - Specific” to your SIEM and tune for your environment to detect unsigned or improperly signed instances of specific communication applications.
• Enable process creation logging on Windows systems to capture the necessary events for the Sigma rules.
• Review and validate the code signatures of all communication apps on your systems to ensure they are properly signed by trusted entities.
• Implement application control policies to restrict the execution of unsigned or untrusted executables.

]]>mediumadvisorydefense-evasionmasqueradingwindowshttps://feed.craftedsignal.io/briefs/2024-01-lateral-tool-transfer-smb/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-lateral-tool-transfer-smb/The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.This detection rule identifies the potential transfer of malicious tools within a Windows environment using SMB shares. Attackers commonly leverage SMB shares to propagate malware, tools, or scripts to compromised systems for lateral movement. The rule focuses on detecting the creation or modification of executable files (e.g., .exe, .dll, .ps1) on network shares, which is a strong indicator of malicious activity. The rule leverages Elastic Defend data to detect this activity and can be used to identify systems that may be compromised. This technique is used to deploy additional payloads, credential dumpers, or other malicious tools.

Attack Chain

1. An attacker gains initial access to a system within the network.
2. The attacker identifies accessible SMB shares within the compromised environment.
3. The attacker uses the compromised system to connect to a target SMB share (port 445) on another system.
4. The attacker copies an executable file (e.g., malware, a credential dumping tool, or a PowerShell script) to the SMB share.
5. The target system detects a new file creation or change event on the SMB share.
6. A user or process on the target system executes the transferred file.
7. The executed file performs malicious actions on the target system, such as credential theft or lateral movement.
8. The attacker uses the newly compromised system to further expand their access within the network.

Impact

Successful exploitation allows attackers to propagate malware or malicious tools throughout the network, leading to widespread compromise. Lateral movement enables attackers to access sensitive data, escalate privileges, and ultimately achieve their objectives, which may include data exfiltration, ransomware deployment, or system disruption. The rule aims to detect this activity early in the attack chain and mitigate potential damage.

Recommendation

• Deploy the provided Sigma rules to your SIEM to detect suspicious executable file creation/modification events on SMB shares.
• Enable Elastic Defend on all Windows endpoints to provide the necessary data for the detection rule to function.
• Investigate any alerts triggered by the Sigma rules, focusing on the process execution chain, file reputation, and user activity.
• Review and restrict write access to network shares to minimize the risk of unauthorized file transfers.
• Monitor network connections to port 445 (SMB) for suspicious activity, especially connections originating from unusual source IPs (Sigma rule, log source).

]]>mediumthreatlateral-movementsmbfile-transferwindowshttps://feed.craftedsignal.io/briefs/2024-01-03-outbound-smb/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-outbound-smb/This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.This detection identifies outbound Server Message Block (SMB) traffic from internal hosts to external servers. The activity is identified by monitoring network traffic for SMB requests directed towards the Internet, an unusual occurrence in standard operations. This analytic is crucial for Security Operations Centers (SOCs) as it can signal an attacker’s attempt to retrieve credential hashes via compromised internal systems, a critical step in lateral movement and privilege escalation. The source mentions specific relevance to “Hidden Cobra Malware”, “DHS Report TA18-074A”, and “NOBELIUM Group”, suggesting possible connections to these threat actors or campaigns.

Attack Chain

1. An internal host is compromised through an initial access vector (e.g., phishing, exploit).
2. The attacker attempts to enumerate network resources accessible from the compromised host.
3. The attacker leverages SMB to connect to external servers, typically on ports 139 or 445.
4. The SMB connection attempts to authenticate or negotiate with the external server.
5. The attacker may attempt to exploit vulnerabilities in the SMB protocol or server.
6. The attacker captures or relays credential hashes transmitted over the SMB connection.
7. The attacker uses the captured credentials to move laterally to other systems or escalate privileges.
8. The attacker achieves their final objective, such as data exfiltration or system compromise.

Impact

Successful exploitation of outbound SMB traffic can lead to unauthorized access to sensitive data and full system compromise. Lateral movement and privilege escalation are key goals. Confirmed malicious SMB traffic could enable attackers to move through the network, potentially impacting numerous systems and leading to significant data breaches. While the number of victims isn’t specified, the detection’s relevance to known threat actors suggests potentially widespread impact.

Recommendation

• Deploy the Sigma rule Outbound SMB Traffic Detected to your SIEM and tune it for your environment, using the provided positive and negative test cases to ensure accurate detection.
• Investigate and block any detected outbound SMB connections that are not explicitly authorized by legitimate business needs (reference detect_outbound_smb_traffic_filter macro in the original search).
• Implement network segmentation to restrict internal hosts from directly accessing external SMB services.
• Enforce strong password policies and multi-factor authentication to mitigate the impact of credential theft.
• Categorize internal CIDR blocks as internal in your asset management system to reduce false positives (reference “known_false_positives” section).
• Consider blocking external communications of all SMB versions and related protocols at the network boundary.

]]>highadvisorynetworksmblateral-movementprivilege-escalationhttps://feed.craftedsignal.io/briefs/2024-01-cisco-aci-cloudsec/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-cisco-aci-cloudsec/A vulnerability in Cisco ACI Multi-Site CloudSec encryption allows a remote attacker to read or modify intersite encrypted traffic due to a flaw in cipher implementation.A vulnerability exists within the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches when operating in ACI mode. This flaw enables an unauthenticated, remote adversary to potentially decipher and manipulate encrypted traffic traversing between sites. The vulnerability, identified as CVE-2023-20185, originates from an issue in the cipher implementation employed by the CloudSec encryption feature. Cisco has deprecated and removed the affected ACI Multi-Site CloudSec encryption feature.

Attack Chain

1. Attacker establishes a network position on-path between ACI sites.
2. The attacker intercepts intersite encrypted traffic.
3. The attacker analyzes the captured traffic.
4. The attacker exploits the weak cipher implementation.
5. The attacker decrypts the intercepted traffic.
6. The attacker reads sensitive data within the decrypted traffic.
7. The attacker modifies the decrypted traffic.
8. The attacker re-encrypts (or forwards unencrypted) the modified traffic toward the destination.

Impact

Successful exploitation of CVE-2023-20185 allows unauthorized reading and modification of data transmitted between ACI sites. The impact can range from data breaches and intellectual property theft to manipulated financial transactions and compromised control systems. The lack of a workaround necessitates immediate action to mitigate the risk.

Recommendation

• Apply configuration changes to remove usage of the CloudSec encryption feature.
• Monitor network traffic for unusual patterns indicative of man-in-the-middle attacks targeting intersite communication.
• Deploy the Sigma rules provided below to detect potential exploitation attempts targeting intersite traffic.

]]>highadvisorycve-2023-20185information-disclosurenetworkhttps://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-masquerading-business-apps/Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.Attackers often attempt to trick users into downloading and executing malicious executables by disguising them as legitimate business applications. This tactic is used to bypass security measures and gain initial access to a system. These malicious executables, often distributed via malicious ads, forum posts, and tutorials, mimic the names of commonly used applications such as Slack, WebEx, Teams, Discord, and Zoom. The executables are typically unsigned or signed with invalid certificates to further evade detection. This allows the attacker to execute arbitrary code on the victim’s machine, potentially leading to further compromise. This campaign aims to target end-users who are less security-aware, and this makes social engineering attacks like this very effective.

Attack Chain

1. The user visits a compromised website or clicks on a malicious advertisement.
2. The user is prompted to download an installer file masquerading as a legitimate business application (e.g., Slack, Zoom, Teams) from a download directory.
3. The downloaded executable is placed in the user’s Downloads folder (e.g., C:\Users*\Downloads*).
4. The user executes the downloaded file.
5. The executable, lacking a valid code signature, begins execution.
6. The malicious installer may drop and execute additional malware components.
7. The malware establishes persistence, potentially using techniques such as registry key modification.
8. The malware performs malicious activities, such as data exfiltration or lateral movement.

Impact

Successful execution of a masqueraded business application installer can lead to a complete system compromise. The attacker gains initial access and can deploy various malware payloads, including ransomware, keyloggers, and data stealers. This can result in data breaches, financial loss, and reputational damage. Although the specific number of victims and sectors targeted are not detailed, the widespread use of the applications being spoofed (Slack, Zoom, etc.) suggests a broad potential impact.

Recommendation

• Implement the Sigma rule Potential Masquerading as Business App Installer to detect unsigned executables resembling legitimate business applications in download directories.
• Enable process creation logging to capture the execution of unsigned executables.
• Educate users on the risks of downloading and executing files from untrusted sources.
• Implement application whitelisting to restrict the execution of unauthorized applications.
• Regularly update endpoint detection and response (EDR) tools to detect and prevent the execution of known malware.
• Monitor process execution events for processes originating from the Downloads folder that lack valid code signatures.

]]>mediumadvisorymasqueradingdefense-evasioninitial-accessmalwarewindowshttps://feed.craftedsignal.io/briefs/2024-01-large-icmp-traffic/Tue, 02 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-large-icmp-traffic/This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.This detection focuses on identifying anomalous ICMP (Internet Control Message Protocol) traffic indicative of malicious activity. ICMP is typically used for network diagnostics but can be abused for covert communication, data exfiltration, or command-and-control (C2) by threat actors. This analytic identifies ICMP traffic exceeding 1,000 bytes directed toward external IP addresses, filtering out internal networks. The detection logic leverages the Network_Traffic data model. Validated malicious instances may signal ICMP tunneling, unauthorized data transfer, or compromised endpoints. The data sources for this analytic include Palo Alto Network Traffic and Cisco Secure Access Firewall logs.

Attack Chain

1. An attacker compromises a host within the network.
2. The compromised host initiates ICMP traffic to an external IP address.
3. The ICMP traffic exceeds 1000 bytes, evading default network monitoring thresholds.
4. The attacker uses ICMP to tunnel data, bypassing normal data transfer protocols.
5. The compromised host uses ICMP for command and control, receiving instructions from the external attacker.
6. The attacker establishes a covert communication channel using ICMP, masking their activity within normal network traffic.
7. Sensitive data is exfiltrated via ICMP packets to the attacker-controlled external server.

Impact

Successful exploitation through large ICMP traffic can lead to data breaches, unauthorized access to internal resources, and the establishment of persistent command and control within the network. ICMP tunneling can bypass traditional security measures, allowing attackers to operate undetected. The impact of successful exploitation includes the potential compromise of sensitive data, disruption of network services, and financial loss.

Recommendation

• Deploy the Sigma rule Detect Large ICMP Traffic to your SIEM and tune the byte threshold (currently 1000 bytes) based on your network baseline to minimize false positives.
• Investigate any alerts generated by the Detect Large ICMP Traffic rule, focusing on the source and destination IPs involved.
• Examine network traffic logs for patterns indicative of ICMP tunneling or covert communication channels, using the provided data sources.
• Utilize the provided search View the detection results to review related events and potential lateral movement.
• Implement the provided search View risk events to look at risk factors for the involved assets.

]]>mediumadvisorynetwork-trafficcommand-and-controldata-exfiltration