Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Many Cisco Devices Still Vulnerable to NSA-Linked Exploit

Tens of thousands of devices running Cisco’s Adaptive Security Appliance (ASA) software are still vulnerable to attacks leveraging an exploit leaked by a group calling itself Shadow Brokers.

Tens of thousands of devices running Cisco’s Adaptive Security Appliance (ASA) software are still vulnerable to attacks leveraging an exploit leaked by a group calling itself Shadow Brokers.

Shadow Brokers has leaked hundreds of megabytes of firewall exploits and implants allegedly stolen from the NSA-linked threat actor known as the Equation Group. The leak included a zero-day vulnerability in Cisco’s ASA software, which had been used for an exploit dubbed Extrabacon.

Cisco started releasing patches for the affected ASA software roughly ten days after the leak came to light. At the time of writing, only a couple of ASA versions remain unpatched. However, researchers at security firm Rapid7 have determined that there are still numerous vulnerable installations.

An Internet scan conducted using the company’s Project Sonar revealed more than 50,000 Cisco ASA devices, roughly half of which were located in the United States. The list of large organizations housing at least ten such devices included a Japanese telecoms provider, technology and healthcare firms in the U.S., government and financial services organizations in the U.K., a Swedish technology services company, a Brazilian telecoms provider, a Canadian university, and various types of global services providers.

Since in many countries it’s illegal to conduct Internet scans involving login attempts, Rapid7 has tried to determine the number of unpatched devices using hping, a command-line TCP/IP packet analyzer. The tool allowed experts to determine how many of the devices had been rebooted – likely due to the installation of the patches – since Cisco started releasing security updates for its ASA software.

Of the total of 50,000 devices, roughly 12,000 could not be analyzed and approximately 15,000 had been rebooted since the ASA patches were released. This indicates that roughly 38 percent of them have likely been patched.

While the exploit found in the Shadow Brokers dump was designed to work against older versions of ASA, Silent Signal researchers demonstrated that it can be easily adapted for newer versions as well.

Advertisement. Scroll to continue reading.

Rapid7 pointed out that despite Cisco’s initial warning that all versions of the ASA software are vulnerable, many organizations using newer versions may have underestimated the risk until Silent Signal’s disclosure on August 25.

The ASA flaw, related to the Simple Network Management Protocol (SNMP) and tracked as CVE-2016-6366, can be exploited by a remote attacker to cause a device to reload and for arbitrary code execution. However, Cisco and experts have pointed out that the vulnerability is not easy to exploit as the attacker must be authenticated, likely after compromising the targeted organization’s network, and they must know the SNMP community string, a password used to restrict access to SNMP data on a device.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...