At Long Last, Talking About FLET'S Hikari Cross Support on IOS XE Routers - Qiita

Information about FLET'S Hikari Cross IPoE support on IOS XE-series routers has not been published adequately so far, but since circumstances have changed in various ways recently, I will take this opportunity to summarize the configuration points and key considerations. Supported platforms: IPoE connectivity is an IOS XE software feature that...

Qiita

Hey everyone! It's been a bit quiet over the last 24 hours, but we still have some critical updates to cover, including a university email system compromise, an ongoing exploitation campaign targeting Cisco devices, and a significant arrest in the cybercrime world. Let's dive in:

University of Pennsylvania Hit by Politically Motivated Email Attack ⚠️

- The University of Pennsylvania is investigating a fraudulent and offensive email sent to thousands of current and former students from a compromised Graduate School of Education (GSE) address.
- The email contained criticisms related to affirmative action and threatened a data leak, mirroring similar attacks on other universities (Columbia, NYU, UMN) following the Supreme Court's ruling on race-based admissions.
- This incident highlights how politically motivated actors are leveraging cyber means, specifically email system compromises, to push agendas and potentially exfiltrate sensitive data. Organisations should bolster email security and incident response plans.

🗞️ The Record | https://therecord.media/upenn-hacker-email-affirmative

Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability 🛡️

- The Australian Signals Directorate (ASD) has warned of persistent cyber attacks targeting unpatched Cisco IOS XE devices, exploiting the critical CVE-2023-20198 (CVSS 10.0) vulnerability.
- Attackers are deploying a new, low-equity Lua-based web shell implant called BADCANDY, which allows them to create privileged accounts and seize control. While non-persistent, threat actors are re-infecting devices after reboots if they remain unpatched.
- Defenders must immediately patch Cisco IOS XE devices, limit public exposure of the web user interface, and review configurations for any rogue privilege 15 accounts (e.g., "cisco_tac_admin") or unknown tunnel interfaces.

📰 The Hacker News | https://thehackernews.com/2025/11/asd-warns-of-ongoing-badcandy-attacks.html

Alleged 764 Leader Arrested, Faces Life in Prison 🚨

- Federal law enforcement has arrested Baron Cain Martin, the alleged leader of 764, a violent extremist group, on 29 charges including providing material support to terrorists, child exploitation, cyberstalking, and murder.
- Martin, also known as "Convict," is accused of producing and distributing a guide on how to identify, groom, and extort vulnerable children, particularly those with mental health issues.
- This significant arrest is part of a broader crackdown on 764 and "The Com" – a global collective involved in financially motivated, sexual, and violent cybercrimes, underscoring the severe real-world impact of online criminal enterprises.

🤫 CyberScoop | https://cyberscoop.com/baron-cain-martin-764-leader-arrested-charged/

#CyberSecurity #ThreatIntelligence #Vulnerability #Cisco #IOSXE #BADCANDY #CyberAttack #IncidentResponse #Cybercrime #LawEnforcement #ChildExploitation #InfoSec
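The configuration review recommended in the BADCANDY item above (rogue privilege 15 accounts, unknown tunnel interfaces, an exposed web UI) is easy to script against a saved `show running-config`. The following is an added example written for this page; it is not code from ASD, Cisco, or the post's author. The running-config excerpt, the account name `netops`, the allow-lists, and the `$9$placeholder` hashes are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config excerpt (not captured from a real device).
# It contains one expected admin, one privilege-15 account that is not on the
# allow-list, one approved tunnel, one unexpected tunnel, and the web UI enabled.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 5 $1$placeholder
username monitor privilege 1 secret 9 $9$placeholder
!
interface GigabitEthernet1
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 description site-to-site VPN (approved)
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.7
!
interface Tunnel1234
 ip address 10.255.255.1 255.255.255.252
!
ip http server
ip http secure-server
!
end
"""

# "username <name> privilege <n> ..." ; accounts without an explicit privilege
# keyword default to level 1 and therefore never match this pattern.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
# Only the interface header line, so "tunnel source ..." sub-commands are ignored.
TUNNEL_IF_RE = re.compile(r"^interface\s+(Tunnel\d+)\s*$", re.IGNORECASE)
# Anchored at column 0, so a "no ip http server" line does not count as enabled.
HTTP_RE = re.compile(r"^ip http server\s*$")
HTTPS_RE = re.compile(r"^ip http secure-server\s*$")


def find_priv15_users(config: str) -> List[str]:
    """Return every local account configured with privilege 15, in config order."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line)
        if m and int(m.group(2)) == 15:
            users.append(m.group(1))
    return users


def find_tunnel_interfaces(config: str) -> List[str]:
    """Return the names of all Tunnel interfaces defined in the config."""
    return [m.group(1) for line in config.splitlines()
            if (m := TUNNEL_IF_RE.match(line))]


def web_ui_state(config: str) -> Dict[str, bool]:
    """Report whether the HTTP and HTTPS web UI servers are enabled."""
    lines = config.splitlines()
    return {
        "http": any(HTTP_RE.match(line) for line in lines),
        "https": any(HTTPS_RE.match(line) for line in lines),
    }


def audit_config(config: str, known_admins: Set[str],
                 known_tunnels: Set[str]) -> Dict[str, object]:
    """Compare the config against allow-lists and return the findings.

    Anything privileged or tunnel-related that is not on an allow-list is
    reported; the allow-lists are assumed to come from the operator's own
    inventory (here they are constructed).
    """
    return {
        "rogue_priv15": [u for u in find_priv15_users(config)
                         if u not in known_admins],
        "unknown_tunnels": [t for t in find_tunnel_interfaces(config)
                            if t not in known_tunnels],
        "web_ui": web_ui_state(config),
    }


if __name__ == "__main__":
    # Constructed allow-lists: the only expected admin and the only approved tunnel.
    report = audit_config(SAMPLE_CONFIG, {"netops"}, {"Tunnel0"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the output of `show running-config` from each device (one file per device) and treat any non-empty `rogue_priv15` or `unknown_tunnels` list, or a web UI that is enabled on an Internet-facing device, as a finding to investigate; the matching is deliberately strict so that a `no ip http server` line is not misread as the server being on.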

University of Pennsylvania investigating offensive email sent through graduate school system

The University of Pennsylvania is investigating an email that was sent out to thousands of current and former students on Friday afternoon containing offensive language and threats of a data breach.

🚨 Cisco issues emergency alert: A critical vulnerability (CVSS 10.0) in IOS XE Wireless Controller risks root access. Learn mitigation steps now.

#SecurityLand #CyberWatch #SecurityVulnerability #CVE #IOSXE #Cisco #WirelessController

https://www.security.land/critical-vulnerability-in-cisco-ios-xe-wireless-controller-exposes-root-privileges-what-you-need-to-know/

Critical Vulnerability in Cisco IOS XE Wireless Controller Exposes Root Privileges: What You Need to Know | Security Land

Cisco warns of a critical flaw (CVE-2025-20188) in IOS XE Wireless Controller allowing root access. Patch immediately.

Security Land
Critical vulnerability in Cisco IOS XE Wireless Controller – arbitrary file upload possible • Cybersäkerhet och IT-säkerhet

Yesterday Cisco published information about a serious vulnerability with the maximum CVSS score of 10 out of 10! The vulnerability affects Cisco IOS XE Software for Wireless LAN Controllers (WLCs) and can be exploited by an unauthenticated remote attacker to upload arbitrary files to the system. A successful attack can ultimately give the attacker the ability to run commands with […]

Cybersäkerhet och IT-säkerhet
There is still ongoing #cisco #iosxe compromise activity ongoing. If you have an IOS-XE device, patch! And stop opening the admin interface to the Internet. Please.

🚨 #Cisco #IOSXE #CVE-2023-20198 #CVE-2023-20273

It's been a while, exploit activity has decreased || mostly consists of Auth Bypass + simple recon.

However, we recently found a new version of the Implant 👀 No clear #attribution for now, original TA or copycat? #IoC ⬇️

Since the MO and Implant code of the original TA are widely known by now we can't tie it to them confidently.
What stands out in this case:
1. new path (84c8bc4.html) + 404 return
2. separation of the Implant delivery and C2 infra:

138.122.193[.]157📥
134.122.75[.]64📣

The commands issued during the Implant delivery stayed the same for the most part, although now the attacker calculated SHA-1 hashsums of dropped files to read back and verify their integrity.

/var/www/f099.css
/tmp/pvp_coco
/tmp/pvp_wd_run

Did anyone spot similar activity? We'd love to hear from you!

Thanks for reading today's thread 🍪

#infosec #cybersecurity #cyberdefense #blueteam

🚨 #Cisco #IOSXE #CVE-2023-20198 #CVE-2023-20273

TAs are wrecking our weekend, again 🙃

We managed to capture more activity and V3 of the Lua Implant, adding another HTTP Header and disrupting fingerprinting, again.

#cybersecurity #infosec #cyberdefense #blueteam

🚨 #Cisco #IOSXE #CVE-2023-20198 #CVE-2023-20273

We updated our #IoC for exploit attempts that hit our honeypot. You can find them on #GitHub: https://github.com/SIFalcon/research/blob/main/CVE-2023-20198/ioc.txt

Based on modus operandi and infrastructure we managed to cluster certain attacking hosts together ⬇️

We also saw new traffic to the Implant, this time from 107.175.229[.]142, again via the user "cisco_support". Executed recon commands include:

show ip interface brief
show ip dns view
show ip name-servers

#infosec #cybersecurity #cyberdefense

research/CVE-2023-20198/ioc.txt at main · SIFalcon/research

Data, IoC, Slides etc. for our public research. Contribute to SIFalcon/research development by creating an account on GitHub.

GitHub

#Verpasstodon

Cisco IOS XE and the vanished backdoors

The number of obviously compromised devices has dropped abruptly in Germany as well, which can hardly be due to the patches that have just been released.

https://www.heise.de/news/Cisco-IOS-XE-und-die-verschwundenen-Hintertueren-9341205.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege

#Cisco #IOSXE #Security


🚨 #Cisco #IOSXE #CVE-2023-20198 #CVE-2023-20273

Patience is a virtue 🙂

We can confirm: New activity from IP 192.3.101[.]111 today. Our HPs 🍯 show exploit attempts on clean appl. + Implant usage e.g. "show ver" for recon.

Happy to share PCAPs, TLP:💛 ➡️ DM.
cc @ET_Labs

#cybersecurity #infosec