Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners are releasing this joint Cybersecurity Advisory (CSA) to warn of Russian state-sponsored cyber actors’ use of compromised Ubiquiti EdgeRouters (EdgeRouters) to facilitate malicious cyber operations worldwide. The FBI, NSA, US Cyber Command, and international partners, including authorities from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom, assess that the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium), has used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools.

This advisory provides observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to mitigate the threat posed by APT28 threat actors related to compromised EdgeRouters. Given the global popularity of EdgeRouters, the FBI and its international partners urge EdgeRouter network defenders and users to immediately apply the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents associated with APT28 activity. Ubiquiti EdgeRouters have a user-friendly, Linux-based operating system that makes them popular with both consumers and malicious cyber actors. EdgeRouters are often shipped with default credentials and limited or no firewall protections to accommodate wireless internet service providers (WISPs). Additionally, EdgeRouters do not automatically update firmware unless a consumer configures them to do so.


Blackswan CEO Mike Saylor Earns Doctor of Business Administration, Specializing in Computer and Information Systems Security

Blackswan Cybersecurity is thrilled to announce the successful defense of Blackswan CEO Mike Saylor’s dissertation, earning him the distinction of Doctor of Business Administration, specializing in Computer and Information Systems Security.

Dr. Saylor’s dedication and hard work have culminated in a groundbreaking study that sheds light on crucial qualitative factors impacting the cybersecurity workforce deficit. His intention to share these invaluable insights with workforce working groups, including NICE, demonstrates his commitment to advancing the conversation around adequate workforce training and education.

Blackswan looks forward to the publication of Dr. Saylor’s study, which should contribute significantly to the greater cybersecurity community’s understanding of the challenges and solutions around workforce deficit. #cybersecurityjobs #cybersecurityworkforce #DrMikeSaylor #cybersecurity #congratulations

Akira Ransomware Exploiting Cisco ASA/FTD Bug (CVE-2020-3259)

SUMMARY

CISA added CVE-2020-3259 to the Known Exploited Vulnerabilities catalog for a now-patched vulnerability affecting Cisco ASA and FTD software. The high-severity information disclosure issue could allow attackers to retrieve memory contents from affected devices. The Akira ransomware group appears to be exploiting this vulnerability to compromise Cisco AnyConnect SSL VPN appliances.

RISK SCORING

CVE-ID           CVSSv3 Score
CVE-2020-3259    7.5

TECHNICAL DETAILS

This is an information disclosure vulnerability found in the web services interface of Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products. It allows a remote, unauthenticated attacker to extract potentially sensitive data from an affected device’s memory, including credentials. Although Cisco patched the flaw in 2020, it gained attention recently when Truesec discovered evidence suggesting exploitation by the Akira ransomware group.

Truesec’s analysis of a recent incident response engagement, in which Akira ransomware was involved and Cisco AnyConnect SSL VPN was the entry point, revealed that at least six compromised devices were running different versions of the vulnerable software.

AFFECTED PRODUCTS

Cisco Adaptive Security Appliance (ASA):

  • Cisco ASA 9.x prior to release 9.51
  • Cisco ASA 9.6 prior to release 9.6.4.41
  • Cisco ASA 9.7 prior to release 9.71
  • Cisco ASA 9.8 prior to release 9.8.4.20
  • Cisco ASA 9.9 prior to release 9.9.2.67
  • Cisco ASA 9.10 prior to release 9.10.1.40
  • Cisco ASA 9.12 prior to release 9.12.3.9
  • Cisco ASA 9.13 prior to release 9.13.1.10

Cisco Firepower Threat Defense (FTD):

  • Cisco FTD 6.x prior to release 6.2.31
  • Cisco FTD 6.2.3 prior to release 6.2.3.16
  • Cisco FTD 6.3.0 prior to release 6.3.0.6
  • Cisco FTD 6.4.0 prior to release 6.4.0.9
  • Cisco FTD 6.5.0 prior to release 6.5.0.5

SOLUTION

Update Cisco Adaptive Security Appliance (ASA) to the respective release, as follows:

  • Cisco ASA release 9.51
  • Cisco ASA release 9.6.4.41
  • Cisco ASA release 9.71
  • Cisco ASA release 9.8.4.20
  • Cisco ASA release 9.9.2.67
  • Cisco ASA release 9.10.1.40
  • Cisco ASA release 9.12.3.9
  • Cisco ASA release 9.13.1.10

Update Cisco Firepower Threat Defense (FTD) to the respective release, as follows:

  • Cisco FTD release 6.2.31
  • Cisco FTD release 6.2.3.16
  • Cisco FTD release 6.3.0.6
  • Cisco FTD release 6.4.0.9
  • Cisco FTD release 6.5.0.5
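A small fleet check that tells an operator whether a reported ASA or FTD release is still inside one of the affected ranges listed above; this is an added example, not part of the advisory or of any Cisco tooling. It encodes only the rows that print a full fixed release within the same branch (the "9.x" and "6.x" rows are left out), so any version outside the encoded branches returns None and should be checked against the vendor advisory; the `9.8(4)20` form accepted by `parse_version` is the style `show version` prints on ASA.

```python
"""Fleet check for CVE-2020-3259: is a given ASA or FTD release still affected?

Added example, not part of the advisory. Branch/fixed-release rows are
transcribed from the Affected Products and Solution lists above; a version
is affected when it sits in a listed branch and is older than that
branch's first fixed release.
"""
from typing import Optional

# (branch prefix, first fixed release), as printed in the advisory above.
# Rows without a full same-branch fixed release ("9.x", "6.x") are not
# encoded; versions outside these branches return None (consult Cisco).
ASA_FIXED = [
    ("9.6", "9.6.4.41"), ("9.8", "9.8.4.20"), ("9.9", "9.9.2.67"),
    ("9.10", "9.10.1.40"), ("9.12", "9.12.3.9"), ("9.13", "9.13.1.10"),
]
FTD_FIXED = [
    ("6.2.3", "6.2.3.16"), ("6.3.0", "6.3.0.6"),
    ("6.4.0", "6.4.0.9"), ("6.5.0", "6.5.0.5"),
]


def parse_version(text: str) -> tuple:
    """Normalise '9.8.4.20' or the 'show version' form '9.8(4)20' to ints."""
    cleaned = text.strip().replace("(", ".").replace(")", ".")
    return tuple(int(part) for part in cleaned.split(".") if part)


def is_vulnerable(product: str, version_text: str) -> Optional[bool]:
    """True if affected, False if at/after the fixed release, None if the
    branch is not in the encoded tables."""
    table = {"asa": ASA_FIXED, "ftd": FTD_FIXED}[product.lower()]
    version = parse_version(version_text)
    for branch, fixed in table:
        prefix = parse_version(branch)
        # Tuple comparison, so "9.1" never matches a "9.10" version.
        if version[: len(prefix)] == prefix:
            return version < parse_version(fixed)
    return None


if __name__ == "__main__":
    # Constructed inventory: (hostname, product, version as the device reports it)
    inventory = [("fw-edge-1", "asa", "9.8(4)20"), ("fw-edge-2", "asa", "9.12(2)"),
                 ("ftd-dc-1", "ftd", "6.4.0.8"), ("ftd-dc-2", "ftd", "6.6.0")]
    labels = {True: "AFFECTED", False: "fixed", None: "not in table"}
    for host, product, ver in inventory:
        print(f"{host:12} {product.upper():4} {ver:10} {labels[is_vulnerable(product, ver)]}")
```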

MITIGATIONS

  • Upgrade to the latest available version for ASA / FTD.
  • For devices that are managed using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.
  • For devices that are managed using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.
  • Implement MFA on all accounts and services where it is possible, especially for Client VPN connections.
  • Force a password change, especially if there are accounts in the environment that were not changed after the version upgrade.
  • Change secret and pre-shared keys in device configurations if not changed after the version upgrade.

CISA Releases Seventeen Industrial Control Systems Advisories

Summary

CISA released seventeen Industrial Control Systems (ICS) advisories on February 15, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Cisco Expressway Gateways (Critical)

SUMMARY

Cisco reported three vulnerabilities impacting its Expressway Series collaboration gateways, with two rated as critical severity and potentially exposing susceptible devices to cross-site request forgery (CSRF) attacks.

RISK SCORING

CVE-ID            CVSSv3 Score
CVE-2024-20252    9.6
CVE-2024-20254    9.6
CVE-2024-20255    8.2

VULNERABILITY DETAILS

CSRF vulnerabilities can be exploited by attackers to deceive authenticated users into unwittingly initiating malicious actions. This includes activities like adding unauthorized user accounts, executing arbitrary code, acquiring administrative privileges, and other unauthorized actions, typically by enticing users to click on malicious links or visit attacker-controlled web pages.

CVE-2024-20252 and CVE-2024-20254:

Unauthenticated attackers can exploit the two critical CSRF vulnerabilities in Expressway gateways to target unpatched devices remotely. CVE-2024-20252 specifically targets gateways where the cluster database (CDB) API feature has been activated, limiting its exploitability to those configurations. By convincing a user to click on a specially crafted link, attackers could execute arbitrary actions with the user’s privilege level. If the affected user has administrative privileges, this could result in modified system configurations and newly created privileged accounts. Note: these vulnerabilities impact Cisco Expressway Series devices in their default configurations.

CVE-2024-20255:

This CSRF vulnerability can also enable attackers to manipulate the configuration of vulnerable systems and cause denial of service conditions. CVE-2024-20252 specifically targets gateways where the cluster database (CDB) API feature has been activated, limiting its exploitability to those configurations.

AFFECTED PRODUCTS

  • Expressway Series: 14.0 and older, 15.0
  • Cisco TelePresence Video Communication Server: All versions

SOLUTIONS

  • Update to Expressway Series: 14.3.4 and 15.0.0
  • Cisco says it will not release security updates for the Cisco TelePresence Video Communication Server (VCS) gateway to address the three vulnerabilities, since that product reached its end-of-support date on December 31, 2023.