Cisco Secure Alert

Cisco Secure is leading the way with integrated solutions for detection and response against attacks.

State-Sponsored Campaigns Target Global Network Infrastructure

Cisco is deeply concerned by increases in high-sophistication attacks on network infrastructure, as well as indications that state-sponsored actors are targeting routers and firewalls globally.  

Recently, the UK's National Cyber Security Centre (NCSC) released a report on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers for which Cisco had published a patch in 2017. Cisco encourages you to familiarize yourself with these advisories, as well as the previously released patch and mitigation steps.

Guidance for CVE-2023-23397 (Microsoft Outlook, privilege escalation)

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

As of 15-March-2023, Kenna Security scored CVE-2023-23397 with a risk score of 74 out of 100 — higher than 99 percent of all the vulnerabilities it has scored. However, the risk score is expected to rise once proof-of-concept exploit code becomes available.

Guidance for recent OpenSSL 3.x vulnerability disclosure

On October 25, 2022, the OpenSSL project alerted the public to a high-severity security release scheduled for November 1, 2022. The full scope of the vulnerability is explained in the Talos blog and the Cisco Security Advisory. Based on details released by the OpenSSL project, the vulnerabilities covered in CVE-2022-3602 and CVE-2022-3786 apply to OpenSSL versions 3.0.0 to 3.0.6. OpenSSL versions 1.0.2 and 1.1.1 are not affected by this announcement. Click the links below for more up-to-date information.

Guidance for ongoing cyberattacks in Ukraine

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that global organizations with ties to Ukraine carefully consider how to isolate and monitor those connections to protect themselves from potential collateral damage. CISA has released additional steps organizations can take to protect themselves.

Defensive capabilities for cyber defenders to consider

Defensive capability: Strong segmentation policies and dynamic, asset-based control
Impact: Restrict lateral movement and dynamically add controls based on asset and server needs. In the event of compromise, dynamically limit access and reduce the blast radius.

Defensive capability: Visibility into assets and how they communicate
Impact: Maintain an asset inventory and leverage this insight for dynamic control. Baseline what normal activity looks like on the network to detect deviations; operational networks are fairly static, and this gives defenders an advantage. Do not overlook this capability in either business or operational networks.

Defensive capability: System hygiene and understanding vulnerability risk
Impact: Understanding the full risk allows for precision-based prioritization and limits downtime, while reducing the resource strain of trying to patch 100% of everything even when the risk cannot be realized.

Defensive capability: Network-based controls and inspection at gateways of entry, for example DNS, NGFW, NGIPS, WAF, AMP, URL filtering, email, CASB
Impact: Protecting at the network decreases the risk of the asset being compromised. Protecting farthest away from the assets is always preferred, since protecting at the asset requires 100% efficacy or one will be compromised.

Defensive capability: Strong network-based controls with advanced warning systems engaged
Impact:
  • DNS is leveraged to communicate with exploit kit servers, command-and-control (C2) servers, and attack infrastructure in general. Mitigation at the DNS layer is a first line of defense and a very efficient mitigating control.
  • Crafted payloads can take advantage of configuration weaknesses or vulnerabilities (system and/or application), and this is where NGIPS and WAFs come into play.
  • Malware from the network tries to make its way to the user, increasing the risk of compromise. Malware mitigation at the DNS, firewall, email, and web layers offers the defender an advantage.
  • Email is still the #1 attack vector, and business email compromise continues to rise. Mitigating threats within email reduces overall risk significantly.
  • SaaS-based services also increase the risk of data loss, and access to these services may allow the adversary to transfer data to the cloud. Controlling access to cloud-based services is key, and understanding how cloud-based services are being accessed may indicate a breach.

Note: TLS decryption is a MUST. If you are NOT doing it, you are at high risk of missing threats embedded inside the encrypted channel (no IPS and no malware inspection on the majority of your traffic), and you become 100% reliant on your endpoint (the victim) to mitigate the risk.

Defensive capability: BGP monitoring, DDoS protection, GEO control
Impact: Monitor your prefixes and alert on any 'interesting' path change. Path changes can be of different kinds, such as more specifics, a change of AS path, a change of origin AS or transit AS, or any combination of these, leading to threats such as blackholed traffic or traffic redirection and interception. DDoS mitigation should cover everything from enterprise application-layer attacks to volumetric attacks. GEO-based policies add one more layer and force the adversary to pivot to other GEOs, giving all defenders a chance to detect these nefarious activities.

Defensive capability: Cloud-based visibility and control, including API risk and exposure
Impact: Ensure cloud-based services and infrastructure meet compliance needs and are monitored for weaknesses, including in APIs. Behavioral monitoring of the network across a multi-cloud environment gives defenders an advantage and pulls together the full story.

Defensive capability: Endpoint protection, detection, and response, and browser isolation
Impact: This is the last line of defense before compromise and an opportunity to mitigate. Multiple engines are key, including sandboxing of unknown files; in the event of compromise, tracking all activities will empower responders with insight into what took place, ultimately allowing better controls once the incident is understood and mitigating reinfection. When protecting high-value targeted individuals such as the C-suite, accounting, IT, and so on, it may make sense to consider browser isolation to ensure endpoints are not compromised if the websites visited are nefarious and meant to cause compromise.

Defensive capability: Multi-factor authentication
Impact: Usernames and passwords alone have enabled adversaries to gain access to too many systems, and two-factor authentication is a must. This should cover all critical services, including SaaS, web front ends, VPN, RDP/SSH, and so on.

Defensive capability: Security awareness training
Impact: The human element is still a key element and one of the biggest advantages the defender has in their toolkit. Education empowers users to be part of the overall security posture, and this includes both mitigation and detection. Never underestimate the power of humans.

Defensive capability: Incident response and threat hunting
Impact: Tools are required to augment the incident response process, including real-time data collection and summarization, orchestration, and automation to reduce the time to respond and the time to mitigate and eradicate. It is also time to revisit your overall plans and playbooks to ensure all is in line in the event of exposure. Consider exercises such as network reviews, red teaming, and overall readiness assessments, and ensure emergency response teams, processes, and support channels are in place.
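The BGP monitoring row above names three kinds of "interesting" path change: a more-specific announcement of one of your prefixes, a change of origin AS, and an unexpected transit AS. The following is an added example, not Cisco's code or a Cisco product feature, of how a defender can check an announcement feed against a baseline. The baseline dictionary, the ASNs (64496 and up, from the private/documentation range), the prefixes (RFC 5737 documentation ranges) and the SAMPLE_FEED are all constructed for this example; in practice the announcements would come from a route collector or your own routers' BGP tables.

```python
"""Prefix monitor: flag 'interesting' BGP path changes against a baseline.

Added example (not from the original page). Baseline, ASNs and feed are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

@dataclass(frozen=True)
class Announcement:
    prefix: str                # e.g. "192.0.2.0/24"
    as_path: Tuple[int, ...]   # leftmost = neighbour that sent it, rightmost = origin AS

# Constructed baseline: the prefixes we originate, their legitimate origin AS,
# and the transit ASes we expect to see directly in front of the origin.
BASELINE: Dict[str, dict] = {
    "192.0.2.0/24":    {"origin": 64500, "transits": {64496, 64497}},
    "198.51.100.0/22": {"origin": 64500, "transits": {64496}},
}

def _collapse_prepends(path: Sequence[int]) -> List[int]:
    """Drop consecutive duplicates so AS-path prepending (64500 64500 64500)
    is not mistaken for a new transit AS."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def check_announcement(ann: Announcement, baseline: Dict[str, dict] = BASELINE) -> List[Tuple[str, str]]:
    """Return a list of (finding_kind, detail) for one announcement; empty list means benign."""
    findings: List[Tuple[str, str]] = []
    net = ipaddress.ip_network(ann.prefix, strict=False)
    path = _collapse_prepends(ann.as_path)
    if not path:
        return [("empty-path", ann.prefix)]
    origin = path[-1]
    key = str(net)
    if key in baseline:
        expected = baseline[key]
        # Exact prefix we own: verify who originates it and who carries it.
        if origin != expected["origin"]:
            findings.append(("origin-change",
                             f"{key} originated by AS{origin}, expected AS{expected['origin']}"))
        if len(path) >= 2 and path[-2] not in expected["transits"]:
            findings.append(("unexpected-transit",
                             f"{key} reached origin via AS{path[-2]}, not an approved transit"))
        return findings
    # Not one of our exact prefixes: is it a more-specific carved out of one of them?
    for known, expected in baseline.items():
        parent = ipaddress.ip_network(known)
        if (net.version == parent.version
                and net.prefixlen > parent.prefixlen
                and net.subnet_of(parent)):
            findings.append(("more-specific",
                             f"{key} is a more-specific of {known} (origin AS{origin}, "
                             f"expected owner AS{expected['origin']})"))
    return findings

def audit(announcements: Sequence[Announcement], baseline: Dict[str, dict] = BASELINE) -> Dict[str, List[str]]:
    """Map each alerting prefix to the kinds of finding raised for it."""
    alerts: Dict[str, List[str]] = {}
    for ann in announcements:
        for kind, _detail in check_announcement(ann, baseline):
            alerts.setdefault(ann.prefix, []).append(kind)
    return alerts

# Constructed feed: one benign, one prepended-but-benign, and three suspicious announcements.
SAMPLE_FEED = [
    Announcement("192.0.2.0/24", (64496, 64500)),                # normal
    Announcement("192.0.2.0/24", (64497, 64500, 64500, 64500)),  # prepending, still ours
    Announcement("192.0.2.0/24", (64496, 64666)),                # someone else originates it
    Announcement("192.0.2.0/25", (64511, 64666)),                # more-specific steals traffic
    Announcement("198.51.100.0/22", (64499, 64500)),             # our origin, unapproved transit
    Announcement("203.0.113.0/24", (64496, 64501)),              # unrelated prefix, ignored
]

if __name__ == "__main__":
    for prefix, kinds in audit(SAMPLE_FEED).items():
        print(f"ALERT {prefix}: {', '.join(kinds)}")
```

The more-specific check is the one that matters most for interception: a /25 announced by a third party wins over your legitimate /24 everywhere, so it should alert even when the origin AS looks plausible. Collapsing prepends first keeps the transit check from firing on your own traffic-engineering changes.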


Incident Response Services

Have you been impacted? Contact Cisco Talos Incident Response. We are available globally, 24 hours a day, every day of the year.

Previous attacks

Critical Apache Log4j vulnerability being exploited in the wild

Organizations should upgrade either Log4j or the applications that use this library following vendor instructions as soon as possible. If it's not possible to update them, follow the mitigations recommended by the Apache Foundation in the threat advisory.


REvil and Kaseya VSA supply chain attack

Activate incident response plans immediately for REvil - Kaseya supply chain attack.

Hafnium/Microsoft Exchange Server exploitation

Protect your organization from the March 2021 Hafnium attack targeting Microsoft Exchange Server.

SolarWinds supply chain attack

Learn how to move forward after the December 2020 SolarWinds supply chain attack.

Teamwork closes the gap

Every Cisco Secure customer is entitled to the Cisco SecureX platform. See the value of SecureX integrations today and unlock every Cisco Secure product's full potential, speeding your investment time to value.