Tag Archive for Exploit

What’s Up with the Cisco XE Vulnerability

If you are using Cisco (CSCO) switches or routers that run IOS XE software, you may be at risk of a serious security breach. A vulnerability (CVE-2023-20198) affecting the web user interface (UI) of IOS XE software is being actively exploited by cyber threat actors to take control of affected devices. The vulnerability allows an attacker to send malicious HTTP requests to the web UI and execute arbitrary commands with elevated privileges.

What is the Cisco IOS XE Vulnerability?

The Cisco IOS XE vulnerability is a command injection vulnerability that affects the web UI feature of IOS XE software. CERT Orange Cyberdefense discovered more than 34,500 IOS XE IPs compromised through the vulnerability, which is rated 10/10 in severity. The web UI is a web-based management interface that lets users configure and monitor Cisco devices through a web browser. Cisco’s web UI feature is enabled by default on the base image and can be enabled or disabled through the command-line interface (CLI).

The vulnerability exists because the web UI does not properly validate the user input in the HTTP requests. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the web UI that contain malicious commands. These commands are then executed with root privileges on the underlying operating system. Root grants the attacker full control over the device.

The attacker does not need to authenticate to the web UI to exploit this vulnerability. All they need is network access to the web UI. This means that any device that has the web UI exposed to the internet or an untrusted network is vulnerable.

How Can This Vulnerability Impact Your Network?

The impact of this vulnerability depends on the role and configuration of the device in your network. An attacker who gains control of a Cisco device can use it to perform various malicious actions, such as:

  • Modify or delete the device configuration.
  • Install malware or backdoors on the device.
  • Redirect or intercept network traffic.
  • Launch attacks against other devices or networks.
  • Exfiltrate sensitive data from the device or network.

Depending on the device type and location, these actions can have serious consequences for your network. For example, an attacker who compromises a core switch or router can disrupt or manipulate the network traffic for a large segment of your network, affecting multiple services and users.

What Can You Do to Mitigate the Risk?

Cisco has released a patch for this vulnerability. However, Cisco has not patched some versions of IOS XE software. You can check if your device is affected and if there is a fixed version available by visiting the Cisco Security Advisory page. If there is a fixed version for your device, you should apply it as soon as possible.

However, if there is no fixed version for your device yet, or if you cannot apply it immediately, you should take some additional steps to protect your network from this vulnerability. Here are some recommendations:

  • Disable the web UI feature on your device if you do not need it. You can do this by using the `no ip http server` and `no ip http secure-server` commands in the CLI.
  • Restrict access to the web UI feature by using access control lists (ACLs) or firewall rules. You should only allow trusted IP addresses or networks to access the web UI. You should also block any unauthorized or external access.
  • Monitor your network for any suspicious activity. You should use network security tools such as intrusion detection systems (IDS), intrusion prevention systems (IPS), or security information and event management (SIEM) systems to detect and respond to any potential attacks.
  • Report any information or evidence related to this vulnerability to CISA and Cisco to help them investigate and mitigate this threat.

How Can You Check If Your Device Is Affected?

To check if your device is affected by this vulnerability, you need to verify two things: the version of IOS XE software running on your device, and the status of the web UI feature on your device.

Check the version. Check the version of IOS XE software running on your device by using the `show version` command in the CLI. You should compare the output with the list of affected and fixed versions provided by Cisco in the security advisory.

Check the status of the web UI. To do this, use the `show ip http server status` and `show ip http secure-server status` commands in the CLI. Look for any output that indicates that the web UI feature is enabled or listening on any port.

If your device is running an affected version of IOS XE software and has the web UI feature enabled, you should consider it vulnerable and take immediate action to protect it.
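The two-step check above (software version plus web UI status) can be scripted once you have captured the CLI output from each device. The following Python script is an added example written for this post; it is not a Cisco tool. It parses constructed sample output resembling `show version` and `show ip http server status`, decides whether the device meets both conditions the post describes, and lists the post's own disable commands for any listener it finds enabled. The version string and the set of fixed versions are placeholders: fill `fixed_versions` from the Cisco security advisory, which this example does not reproduce.

```python
"""Assess IOS XE CLI output for CVE-2023-20198 exposure (added example, not Cisco code)."""
import re

# Constructed sample output; the version value is a placeholder, not a real release.
SAMPLE_SHOW_VERSION = """\
Cisco IOS XE Software, Version 17.0.0-PLACEHOLDER
Cisco IOS Software, Version 17.0.0-PLACEHOLDER, RELEASE SOFTWARE
"""

# Constructed sample resembling `show ip http server status` (both listeners enabled).
SAMPLE_HTTP_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
"""

VERSION_RE = re.compile(r"Cisco IOS XE Software, Version (\S+)")
STATUS_RE = re.compile(r"^HTTP (secure )?server status:\s*(\S+)", re.MULTILINE)
PORT_RE = re.compile(r"^HTTP (secure )?server port:\s*(\d+)", re.MULTILINE)


def parse_version(show_version: str):
    """Return the IOS XE version string from `show version` output, or None if absent."""
    match = VERSION_RE.search(show_version)
    return match.group(1) if match else None


def parse_http_status(status_output: str) -> dict:
    """Extract enabled/disabled state and port for the HTTP and HTTPS web UI listeners."""
    result = {"http": False, "https": False, "http_port": None, "https_port": None}
    for secure, state in STATUS_RE.findall(status_output):
        result["https" if secure else "http"] = state.lower() == "enabled"
    for secure, port in PORT_RE.findall(status_output):
        result["https_port" if secure else "http_port"] = int(port)
    return result


def assess(show_version: str, status_output: str, fixed_versions) -> dict:
    """Apply the post's two checks: affected (unpatched) version AND web UI enabled.

    fixed_versions: versions from the Cisco advisory (caller-supplied; assumption here).
    A version not in that set is treated as affected; an unparsable version is too.
    """
    version = parse_version(show_version)
    status = parse_http_status(status_output)
    web_ui_enabled = status["http"] or status["https"]
    patched = version is not None and version in set(fixed_versions)
    vulnerable = web_ui_enabled and not patched

    # Recommended CLI commands from the post, one per listener that is enabled.
    commands = []
    if vulnerable and status["http"]:
        commands.append("no ip http server")
    if vulnerable and status["https"]:
        commands.append("no ip http secure-server")

    return {
        "version": version,
        "web_ui_enabled": web_ui_enabled,
        "patched": patched,
        "vulnerable": vulnerable,
        "recommended_commands": commands,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_SHOW_VERSION, SAMPLE_HTTP_STATUS, fixed_versions=[])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against real captures by replacing the two sample strings with the output collected from each device and populating `fixed_versions` from the advisory; a device that reports `vulnerable: True` should be treated as exposed until the fixed release is installed or the listed commands are applied.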

The vulnerability is evolving

On 10/18/2023 threat intelligence firm Censys found over 40,000 vulnerable devices. On 10/21/2023 ONYPHE said its scanning found 1,214 unique compromised IP addresses. That is a 97% decrease nearly overnight. There are a number of possible explanations for the rapid decline. Some have argued that the attack is evolving. CERT Orange Cyberdefense speculated it is “a potential trace cleaning step is underway [by the threat actor] to hide the implant.”

rb-

The Cisco IOS XE vulnerability is a serious security issue that affects many Cisco devices running IOS XE software. You should patch your device as soon as possible because the attackers are evolving the exploit. The ability to hide the exploit will make this a long-term problem on many networks.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

How Social Engineering Works

From where I sit in my Bach Seat, it is clear that cyber-attackers will try anything to penetrate your online security. They will even exploit human nature to get access to a firm’s digital assets. In the human world, people who exploit human nature are often called politicians, con-men, or grifters. In the digital domain, we call it social engineering. Most online attackers use some form of social engineering to get users to do something risky.

Social engineering psychological tricks

Here is a list of six psychological tricks that social engineers use on staff.

1 – Reciprocation – When people are given something, they tend to feel obligated and then repay the favor.

2 – Scarcity – People tend to comply when they believe something is in short supply. As an example, consider a spoof email claiming to be from a bank asking the user to comply with a request or else have their account disabled within 24 hours.

3 – Consistency – Once targets have promised to do something, they usually stick to their promises because people do not wish to appear untrustworthy or unreliable. For example, a hacker posing as a company’s IT team could have an employee agree to abide by all security processes, then ask them to do a suspicious task supposedly in line with security requirements.

4 – Liking – Targets are more likely to comply when the social engineer is someone they like. A hacker could use charm via the phone or online to win over an unsuspecting victim.

5 – Authority – People tend to comply when a request comes from a figure of authority. So a targeted email to the finance team that appears to come from the CEO or company president will likely prove effective.

6 – Social validation – People tend to comply when others are doing the same thing. For example, a phishing email might look as if it’s sent to a group of employees, which makes each employee believe the message must be valid if other colleagues also received it.

Conditioned to click

An article at Help Net Security reports that Proofpoint argues humans are psychologically conditioned (rb- Remember Pavlov’s dogs from Psych 101?) to click on links. Cyber-criminals leverage this conditioning by designing phishing emails most likely to trigger your automatic click response.

Proofpoint says that social engineering emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context, a legitimate marketing department typically expects a click rate below 2% on its advertising campaigns.

Steps to protect against social engineering

Proofpoint offers the following suggestions to protect against social engineering phishing emails:

  1. Understand that you are not being targeted specifically; you and your machine are just collateral damage.
  2. Upgrade your computer from Windows XP (as Microsoft is no longer providing security updates to the OS) or disconnect it from the internet – it’s that dangerous.
  3. Don’t use simple predictable passwords that are easy to crack.

Businesses need to:

  1. Put in place layered security to provide an in-depth defense against the latest attacks and malware.
  2. Run awareness campaigns with your staff telling them not to click on links within social networking emails such as LinkedIn invitations. They should instead open their browser or app, log in, and manage their invites/messages from there.
  3. Deploy new technologies that combine big data security analytics with advanced malware analysis. These technologies provide predictive and click-time defense and end-to-end attack campaign insight. They also offer automated incident containment through connectors to your existing security layers.