Cisco Warns Hackers Exploited Critical Bug Since 2023

Summary
– A critical vulnerability (rated 10.0) in Cisco’s Catalyst SD-WAN products has been exploited by hackers for remote network access for at least three years.
– Exploiting this bug allows attackers to gain the highest permissions and maintain persistent, hidden access to spy on or steal data from victim networks.
– The U.S. CISA has ordered federal civilian agencies to patch their systems immediately due to an imminent threat, with some affected organizations being critical infrastructure.
– Multiple allied governments have issued a global alert about these attacks, though the specific threat actors or nation-states behind them have not been publicly attributed.
– This follows a similar critical vulnerability in Cisco’s AsyncOS software that was actively exploited in December, highlighting a pattern of severe security issues.
Cisco has issued a critical warning that a severe vulnerability in its widely used Catalyst SD-WAN Manager software has been actively exploited by hackers since at least 2023. This flaw, which carries the maximum severity rating of 10.0, poses a significant threat to large enterprises and government agencies that rely on these systems to connect geographically dispersed private networks. The exploitation allows attackers to remotely compromise networks, gain the highest administrative privileges, and establish persistent, hidden access for long-term espionage or data theft.
The vulnerability enables threat actors to remotely break into networks and maintain persistent, hidden access. By exploiting this bug over the internet, attackers can seize complete control of the affected SD-WAN devices. This level of access provides a powerful foothold within an organization’s infrastructure and allows malicious activity to go undetected for extended periods. Once inside, attackers can move laterally, exfiltrate sensitive information, and monitor communications without raising immediate alarms.
Cisco’s security researchers, upon discovering the flaw, traced evidence of its exploitation back to the previous year. The company indicated that some of the impacted organizations operate critical infrastructure, though specific names were not disclosed. The term “critical infrastructure” encompasses essential services like power grids, water treatment facilities, and transportation networks, making the potential consequences of these intrusions particularly severe.
In response to the active threat, a coalition of governments including the United States, United Kingdom, Canada, Australia, and New Zealand issued a joint cybersecurity alert. They warned that threat actors are targeting organizations on a global scale. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) took decisive action, mandating all civilian federal agencies to apply the necessary security patches by the end of the day on Friday. CISA cited an “imminent threat” and an “unacceptable risk” to federal systems, a directive made even as the agency itself operates with reduced staffing due to a partial government shutdown.
While neither Cisco nor the government alerts attributed the attacks to a specific threat group or nation-state, researchers are tracking one cluster of this malicious activity under the identifier UAT-8616. This incident follows a similar high-severity warning from Cisco in December regarding a separate 10.0-rated vulnerability in its AsyncOS software, which was also being actively used to infiltrate customer networks at that time. The recurrence of such critical flaws underscores the persistent and evolving challenges in securing complex enterprise networking environments.
(Source: TechCrunch)