
CISCO Vulnerabilities 

    Cisco is warning organizations that threat actors are exploiting a number of old vulnerabilities in attacks in the wild. The company has updated multiple security advisories to flag active exploitation of several older vulnerabilities affecting its products.

    Cisco Talos (Tactical Assault Light Operator Suit) publishes a regular glimpse into the most prevalent threats it observes. This post summarizes some of those threats and how to protect against them.

    Keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not by itself indicate malicious activity. Detection and coverage for the following threats are subject to updates pending additional threat or vulnerability analysis.

    Some Prevalent Threats Are Highlighted Below:

    | Threat name | Type | Description |
    |---|---|---|
    | Win.Malware.Ursu-9845004-0 | Malware | Ursu is a generic malware family with numerous functions. It contacts a C2 server and injects code into the address space of legitimate processes. It is spread via email, achieves persistence and collects confidential data. |
    | Win.Downloader.Banload-9846782-0 | Downloader | Banload is a banking trojan believed to be developed by Brazilian cybercriminals and used primarily to infect machines in Latin America. One notable aspect of Banload is its use of custom kernel drivers to evade detection. |
    | Win.Virus.Xpiror-9845473-1 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. |

    Cisco has released security updates to address these and other vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

    Organizations are advised to review Cisco's advisories and apply the security patches the company has released. Cisco encourages users and administrators to review the following advisories and apply the necessary updates:

    • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SSL/TLS Client Denial of Service Vulnerability cisco-sa-ssl-client-dos-cCrQPkA  
    • Cisco Secure Firewall 3100 Series Secure Boot Bypass Vulnerability cisco-sa-fw3100-secure-boot-5M8mUh266 
    • Cisco Firepower Threat Defense Software Generic Routing Encapsulation Denial of Service Vulnerability cisco-sa-ftd-gre-dos-hmedHQPM 
    • Cisco FirePOWER Software for ASA FirePOWER Module, Firepower Management Center Software, and NGIPS Software SNMP Default Credential Vulnerability cisco-sa-fmcsfr-snmp-access-6gqgtJ4S 
    • Cisco Firepower Management Center and Firepower Threat Defense Software SSH Denial of Service Vulnerability cisco-sa-fmc-dos-OwEunWJN 
    • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SNMP Denial of Service Vulnerability cisco-sa-asaftd-snmp-dos-qsqBNM6x 
    • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Dynamic Access Policies Denial of Service Vulnerability cisco-sa-asa-ftd-dap-dos-GhYZBxDU     

    Additional Resources: 

    Cisco Security Advisories: https://tools.cisco.com/security/center/publicationListing.x 

    Cisco Security Vulnerability Policy: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html 

    For further clarifications or support, please write to contact@paradigmitcyber.com
