ArcaneDoor – New campaign found targeting network devices (blog.talosintelligence.com)
robocat 14 days ago [-]
> While we have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359)

So update but probably remain vulnerable - there is no reason to think CISCO has fixed the original vulnerability.

Irrelevant aside: CISCO could have just reported a couple of zero-days they already knew of. Maybe vendors will start stockpiling zero-days ;-P

1oooqooq 13 days ago [-]
how do you close a door you're required to have open? and how do you notify customers if a fisa order prevents you from doing so?

i wouldn't want to be a network appliance vendor in the usa or cn at this last decade!

robocat 13 days ago [-]
They should at least say (unless too revealing) how they are going to determine the initial access vector used in this campaign.

E.g. say a dedicated team is being financed with $xM.

E.g. say that they are setting up honeypot devices to capture the initial vector.

E.g. say that code is having a complete external audit and fuzz.

I'm not a security expert but if I were a customer I would be pretty disappointed in the timeline so far and very disappointed in their response.

It looks like the vulnerabilities fixed only prevent the Line Runner malware reinstalling itself on boot. And nothing is done about Line Dancer.

1oooqooq 13 days ago [-]
what are you on about? they can't do any of those things, by law
_obviously 13 days ago [-]
This attack is very sophisticated and still the root cause is undiscovered.
mrbluecoat 13 days ago [-]
This should be the opening statement of that article.
hnthrowaway0328 13 days ago [-]
How does one learn to understand these kinds of attacks, other than networking and Cisco router OS?
_obviously 4 days ago [-]
WireShark would be a good start
buildbot 14 days ago [-]
It’s interesting how it's always the big vendors that seem to suffer attacks like this - is it the more positive angle that simply nobody important uses stuff like opnsense? Or more negatively, not enough people paying attention to catch these attacks?
er4hn 14 days ago [-]
If this were to happen to an OSS product it would likely get a CVE, but it's less likely to get a report on the controllers behind this and a well-written page with pretty graphics unless a security researcher wanted to bolster their credentials.

Cisco has enough money to fund their own security company which lets them also investigate issues and issue statements of the form: We are so significant that nation-states target our equipment. We are also so dedicated to security we will write up these reports to show this dedication.

Part of it is it makes them look cool. Part of it is if they don't they risk the govt dragging them through the mud, like CISA did for the MSFT email breach. CISA already releases a lot of alerts on Cisco as it is.

m000 13 days ago [-]
> We are so significant that nation-states target our equipment.

Maybe if they didn't lobby so hard, they would have been spared and Huawei would have been targeted instead. /s

> they risk the govt dragging them through the mud

Lol. Chances are they're probably already in bed with all sorts of 3-letter agencies for things we'll never learn.

hn_version_0023 14 days ago [-]
I think it's that anyone important has significant money on the line, and hence wants or requires support contracts for their technicians and engineers. That wildly narrows the range of acceptable choices to pretty much just enterprise vendors (IMO), with the result being a greatly reduced attack surface?
GartzenDeHaes 13 days ago [-]
Might be off topic, but has Cisco ASA improved much in the past four or five years? The one I had years ago was not much use for anything other than basic access rules.
tsujamin 13 days ago [-]
There’s a whole load more checks for “../” patterns in the web code since the bugs around 2020 :)
insearchoflost 13 days ago [-]
No one who cares and has any say in it has been using ASAs for over a decade.
zmgsabst 13 days ago [-]
Could this kind of attack be used to intercept a WebEx call, say between German generals?
XorNot 13 days ago [-]
I mean I wouldn't worry about that, just wait for one guy to dial in from an unsecured phone in Singapore[1].

[1] https://www.reuters.com/world/europe/german-minister-says-pa...

robocat 13 days ago [-]
And thus you can blame the individual:

  Pistorius said. "The reason the air force call could nonetheless be recorded was because of an individual's operational mistake."
No need to blame their security systems/protocols that permitted insecure comms!
ChrisArchitect 13 days ago [-]
Related:

Cisco says hackers subverted its security devices to spy on governments

https://news.ycombinator.com/item?id=40174207

_wire_ 14 days ago [-]
"espionage-focused campaign found targeting network devices"

Nice copy.

—"multiple vendors" = Cisco and Microsoft... and others

"these devices need to be routinely and promptly patched; using up-to-date hardware"

Contact sales at xxx...

"Cisco’s position as a leading global network infrastructure vendor gives Talos’ Intelligence and Interdiction team immense visibility into the general state of network hygiene. This also gives us uniquely positioned investigative capability into attacks of this nature."

—Is this a security bulletin or a prospectus? When is a liability an asset? You decide

"Early in 2024, a vigilant customer reached out to both Cisco’s Product Security Incident Response Team (PSIRT) and Cisco Talos to discuss security concerns..."

—More fine copy.

"Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat."

—ABC: Always Be Closing!

"This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably..."

—Several = 15

—List of 100s of vectors and effects over years

"As a part of our ongoing investigation, we have also conducted analysis on possible attribution of this activity. Our attribution assessment is based on the victimology..."

—We still don't know what's going on or why. Order now!

—Re Talos: back in 2008 there was a little upset in bank derivatives due to the standards and practices of a little sector of the bond market called The Ratings Agencies.

—In the tech sector Cisco stock rose sharply on HW sales surge after a critical vulnerability in government systems was exposed in existing HW...

THANK YOU THANK YOU I'LL BE HERE ALL WEEK TRY THE VEAL

1oooqooq 13 days ago [-]
i vote all hn submissions get a summary by ai trained on comments. then i won't miss /.
hnthrowaway0328 13 days ago [-]
> This implant is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads.

This sounds interesting. I'm eager to see some code.

nuker 13 days ago [-]
All my edge devices would be OpenBSD ones. These Ciscos and Junipers have a bad history of backdoors.