
BTS #61 - Red November, Cisco Vulnerabilities, and Supply Chain Security

In this episode of Below the Surface, the hosts discuss various cybersecurity topics, including the Red November campaign targeting network edge devices, the implications of the Cisco SNMP vulnerability, and the recent vulnerabilities associated with Cisco ASA devices. They also delve into the hybrid Petya ransomware and its connection to supply chain security, emphasizing the need for better visibility and security measures in network devices.


Transcript


Paul Asadoorian (00:42.732): OK, we’re good. All right, let’s do it. This week, Red November, the Cisco SNMP vulnerability, the I-told-you-so moment for Cisco ASAs, and a little more on hybrid Petya. Stay tuned, Below the Surface, coming up next. Welcome to Below the Surface. It’s episode number 61, being recorded on Wednesday, October 1st. I’m Paul Asadoorian. Here with some of my coworkers, Mr. Chase Snyder is here with us. Chase, welcome. He’s on mute. There he is. I know he was. No worries. Wes Dobry is here with us. Wes, welcome.

Chase Snyder (01:20.084): Hey guys, I’m totally here. I was waving. My body language was far from muted, but my microphone was in fact muted.

Wes Dobry (01:31.553): Bye there.

Paul Asadoorian (01:32.746): and Vlad Babkin. Welcome Vlad.

Vlad Babkin (01:35.566): Hello.

Paul Asadoorian (01:37.442): Just a quick announcement: Below the Surface listeners can learn more about Eclypsium by visiting Eclypsium.com forward slash go. You can find the ultimate guide to supply chain security, an on-demand webinar I presented called Unraveling Digital Supply Chain Threats and Risk, a paper on the relationship between ransomware and the supply chain, very relevant now, and a customer case study with DigitalOcean. If you’re interested in seeing the product in action, you can sign up for a demo. All that on Eclypsium.com forward slash go. We have a lot to talk about. In the past week, a lot has transpired that hits our world of what I kind of frame as living outside the operating system, although we do stuff tied to the operating system, but a lot of it is attackers learning how and implementing these methods, some of which are tried and true, to live outside the OS. And by outside the OS, I also mean like outside of that Windows environment, attacking appliances. I guess a good place to start is Red November, which is the one I am least familiar with in this topic list. But Chase, I believe you did a little more research into the Red November campaign.

Chase Snyder (02:50.602): Yeah, buddy. Yeah, that was a huge attack campaign disclosed by Recorded Future’s Insikt Group, notable for its targeting of network edge devices. So, ongoing trend of increased targeting of network edge stuff like routers, switches, firewalls, et cetera. And something else that they noted, that Recorded Future noted in their write-up of this campaign, which was a rich, robust write-up, highly recommend reading what they wrote about it as well as what we wrote about it, but they talk about how the attackers are using pretty widely accessible open source tools and very proactively targeting newly disclosed vulnerabilities in network edge devices. I don’t know if they’re actually targeting these exact Cisco ASA devices that we’re gonna talk about, that CISA issued an emergency directive around, but their sort of mode of operation is that they use open source droppers, various open source tools, but then they’ll use new vulnerabilities very quickly after they get disclosed. A sort of speculation that I agree with that the Insikt Group said about it is that this is concerning because it lowers the barrier of entry for less sophisticated attackers to use this exact type of approach to new vulnerabilities, but it’s open source tooling, and it just makes it a little bit easier for someone who’s not necessarily, you know, an advanced APT group to do this exact same type of targeting. They are the Red November campaign, which I think is associated with ArcaneDoor from a couple years ago. This big name is

Paul Asadoorian (04:33.858): Yeah, that one was associated with the ASA stuff as well.

Chase Snyder (04:37.832): Yeah. And they’re targeting government organizations, technology companies, defense. So it has the hallmarks of an APT group, but the techniques that they’re using would be easily replicable by just, like, your sort of basic ransomware squad as well. So as they sort of glide down this path towards just commoditization of these advanced attack groups, more and more organizations that might not see themselves as a target for APTs still need to be concerned.

Paul Asadoorian (05:09.338): I think one of the trends that I find interesting is, like, I remember years ago, I’ve talked about some of this on the show, like Mike Lynn’s presentation from a Black Hat long ago. And I even think I interviewed, was it FX from the Phenoelit group, the people who were kind of pioneering early exploits for Cisco IOS, right? Because we knew it was out there. A lot of us were trained on Cisco IOS and had networking backgrounds that came into security, or vice versa. It was this kind of esoteric thing because IOS, while based largely on a lot of open source, we can speculate, BSD has always been the speculation, as there are clear indicators of that, but it’s different hardware, it’s a different operating system, and the exploits and vulnerabilities for it were sometimes pretty esoteric and not widely used or studied. That has completely changed. I think one thing that has changed is the introduction of Linux into these ecosystems. I believe both the ASA platform and IOS XE platforms are using Linux underneath the covers. So now you don’t need as much esoteric skill and research. It’s Linux. And like, well, Linux is open source, well documented, and there’s tons of, as you said, open source tools. Like we saw the J-magic backdoor. Like, if it’s Linux, I can just take tools, all these attack tools from history that work on Linux, and now I can apply them to enterprise networks using enterprise appliances. How awesome is that for attackers? But very, very bad for us.

Chase Snyder (06:52.456): Yeah, this premise that there’s hidden firmware or whatever inside of these network appliances. It’s like, inside a network appliance, I feel like the line between what’s firmware and software gets kind of blurred, because they fundamentally just have a regular open source operating system. But because it’s not user facing like a Windows, it’s sort of like the firmware, it’s firmware. And so people don’t think about it. They’re not as worried about it.

Paul Asadoorian (07:06.541): Yeah.

Vlad Babkin (07:09.559): name.

Paul Asadoorian (07:13.593): Yeah.

Chase Snyder (07:19.208): The companies, you know, Cisco, Palo Alto, that produce these things are not giving you that level of access you would normally have to something with an operating system like that. And so there’s a lesser level of awareness of the vulnerabilities that are in there, but that is clearly changing, at least for attackers, and hopefully for defenders as well. Wes, I think you were about to dive in.

Paul Asadoorian (07:42.905): Yeah, I think it’s.

Wes Dobry (07:43.273): Oh no, you’re good, you’re good. No, it’s the same concept: as these things become more pervasive and leverage industry standard tooling like Linux, for example, and the embedded toolkits that are used for building those images, you end up in scenarios where a lot of times these manufacturers are just simply using security by obscurity, you know, doing a reduced shell and ultimately trying to put us in a little black box so that we don’t get our tools on it and can’t inspect these devices. But you know, when these groups like Red November are just using standard open source frameworks and backdoors, like they were using, I don’t know how to say it, Pantegana and Cobalt Strike as their C2 frameworks, and using SparkRAT as an openly available backdoor, you know, this just emphasizes that point that as things become more commonplace and similar under the covers

Paul Asadoorian (08:25.402): Mm-hmm.

Vlad Babkin (08:32.448): Yes.

Wes Dobry (08:40.423): the same kind of attack vectors are opening up more and more opportunities for these groups to go after more and more devices. You know, it’s interesting in the findings from Recorded Future that this group’s targeted VPNs, firewalls, load balancers, virtualization, and email servers, all perimeter devices.

Paul Asadoorian (09:01.068): Yeah, and there’s no EDR in all those devices to swallow up your payload, so I can pick whatever payload I want. Vlad, sorry, go ahead.

Vlad Babkin (09:01.388): What?

Vlad Babkin (09:07.479): Yeah, what I find hilarious is just how much Linux we have on those devices and how little visibility we have into the operating system. Like, imagine that you got a web server, you install some software on it, and you cannot even get an administrator to look at it ever. Like, your company just, hey, let’s just install a couple of servers and let’s just forget about them for many years to come without any maintenance. And this is just ridiculous. Like, first of all, why are corporations not even afraid of it, considering just how much people are investing in cloud EDR? Considering just how important those devices are, it’s just absurd. Like, you need to invest. But the other part is how persistent vendors are in saying that you don’t need the access. Like, you need the access absolutely, but no, we will keep giving you limited shells and we will keep pushing you around. Like, something’s got to give at one point. Like, at some point somebody has to, you know, put their foot down, like maybe CISA, maybe, like, I don’t know, and say that all of the devices which have Linux underneath need to provide a full shell to administrators somehow. So that there is at least some room for, like, you know, threat detection in case it happens. Because, like, the most absurd part is that, hey, so there is this nice little campaign, how do you detect it? You don’t. There might be no detection tools, or the only detection tool is literally taking the device apart and doing full forensic analysis, which is just not a thing if you have a whole fleet of them. Like, if you have one, sure, you can disassemble it, but if you have a couple thousand of them, you aren’t going to disassemble them and do forensics on each one to do basic threat detection.

Paul Asadoorian (10:46.714): Well, also, you know, some of the devices, I think it was in the ASA campaigns that were targeting the Cisco ASA devices, it uses GRUB under the covers. And, you know, to our point, the end user, we don’t have great visibility to get in and go, oh, is it GRUB? Which version of GRUB is it? How is it configured? This is a known piece of software. It’s open source. Vulnerabilities have been well documented. In fact, some have been discovered by our own research team. So attackers can benefit from that and go, it’s GRUB. I can use tons of off-the-shelf tools and all of this previous research, and it’s open source. So I can go look at the source. I can go find vulnerabilities. I can discover and learn all about it. But we as the end user, we’re like, I don’t know what is under the covers of this box that I bought from this vendor, because I have no visibility. And so the tables have been turned greatly, and I think this is a trend that we’re seeing where the attackers are stepping outside of the Windows environment, like we like to say, outside the operating system. It doesn’t quite capture it, right? I think there’s been a shift into not starting off by attacking Windows. The foothold now is with these perimeter edge devices that are then used to pivot into the Windows environment. This is providing attackers a network foothold, a beachhead as some would say, if you will. It gives them access to, sometimes, credentials. If it’s a VPN appliance, it gives them access to the network where they can pivot from, to be coming from inside the network, not outside. And again, their payloads aren’t getting swallowed up by EDR on these devices, because there is no EDR on these devices. I think back in the day when I did pen tests, I may have found a bunch of network edge devices, but it was much easier for me to go, I can just send a PDF in a phishing email to a user. They’ll click on it. My payload will execute. And if it doesn’t execute, I can continue to social engineer the user to go try this version of the document. And then it’s successful. And now I’m on a desktop and EDR isn’t working very well. This is actually a true story from probably 15 years ago, of my own penetration test that I did for a client when I was doing that.

Paul Asadoorian (13:13.986): Then I was in, then I could pivot from there. I didn’t need to go find a Cisco IOS exploit, right? That was almost too much work. But now, again, I think the tables have turned. Our Windows environments are so well protected. Email phishing has a million different vendors that are trying to solve that problem. And so now attackers are like, well, okay, we’ll flip the script. We’ll go after whatever the lowest hanging, again, another cliche, right, the lowest hanging fruit is, and that’s these network edge devices. The number of vulnerabilities that we’ve covered, even just on this show, is staggering. Staggering. And it speaks to all the things of poor code quality and perhaps also the introduction of AI to assist in the reverse engineering and creation of exploits and payloads for these devices. I tell you what, I’ve had great luck with Claude on the command line, not for coding. I’ve used it for that.

Vlad Babkin (13:50.038): And it’s a…

Paul Asadoorian (14:12.826): It’s actually really good at Python coding. But I’ve also used it to go, hey, here’s this malware. Here’s this firmware. Just go tell me about it. It saves me so much work. I’m not saying it’s going to go find a zero day just by me giving it a couple of prompts. Maybe we’ll get there someday. But today, it’s enabling both attackers and defenders to learn about some of these platforms that would have taken us a much longer time before, I believe.

Vlad Babkin (14:41.486): And it gets even more crazy if you think about it. Like, we have all of the new requirements for compliance for software companies, like, oh, hey, your Docker images should not have any single vulnerability in there from known software and so on and so forth. But we don’t even have basic SDLC for firmware. There is no, like, some of the stuff we have seen in this firmware is, like, you know, 1990s vulnerabilities. And this is all exaggeration. Like, you go into a piece of firmware and you just see code that, if you would see it in your actual production, it would at least trigger a few tools. That’s very baseline. Like, for example, we use a whole bunch of open source and commercial SDLC tools. So we get warnings when people use some of the constructs. If I run those tools on some firmware where we actually see source code, like, say it uses Python or something open source, like, sorry, not compiled,

Paul Asadoorian (15:10.458): Mm-hmm.

Vlad Babkin (15:37.762): like where we can actually see the source code. And I can immediately tell that the tool will trigger on this. I know that the tool doesn’t like this specific construct of code. And, like, there’s just no requirement for firmwares to start doing this. There has to be.

Paul Asadoorian (15:51.62): Right.

Paul Asadoorian (15:56.653): I agree, I agree. You know, traditional architecture and older vulnerabilities definitely is a segue into the Cisco SNMP vulnerability. So when I talk about penetration testing, and even just, like, my early days of learning networking and security, SNMP is like one of the first modules that you learn in cybersecurity, or at least it used to be when I was taking classes and learning cybersecurity.

Vlad Babkin (16:06.908): yeah.

Paul Asadoorian (16:27.108): It was like, SNMP. And it was kind of like a starting point as you were first learning about network security and how to break into networks or evaluate the security. SNMP was a great tool because most people left the community string as public. They left SNMP exposed. They were using it for management. It was poorly configured. And it’s a protocol that, as an attacker, can be extremely useful for gaining control of a device, or at least learning about a device and giving you information for that next step. And here we are 30-plus years later and there is a remotely exploitable vulnerability in SNMP. What threw me for a loop on this one, and I think I kind of struggled to put this in words in written articles, is when I first started reading about the vulnerabilities and they stated that it required user-level privilege or some type of privilege. But if you dig a little deeper, that privilege could just be that you as an attacker know the SNMP community string, which could be set to the default of public. And if you want a better one, it could be private, right? If you remember your SNMP. And so I’m like, they’re calling that authentication. I’m like, well, that’s kind of interesting, because it’s not traditionally how I think of authentication, but that’s enough authentication to then be able to exploit the vulnerability. So since it requires authentication, the CVSS score is naturally going to be lower. So this is a 6.1. I forget the exact CVE number, but we have a blog post we’re working on publishing on this specific issue. And it gets a lower CVSS score. It should be much higher. This is being exploited in the wild. This is how we learned about it, from Cisco themselves. They state in the Cisco advisory that it was from a Cisco TAC case that they learned that this was a vulnerability and that it was being exploited. However, to my knowledge, that is all that Cisco has published about this specific vulnerability.

Wes Dobry (18:48.419): Yeah, so they did up it to a CVSS 7.7 on Monday. So it did go up. And I think that’s also because they added that, if you have admin or higher-level privileges, it can now also be an RCE, remote code execution.

Paul Asadoorian (18:53.619): Okay.

Paul Asadoorian (19:05.998): Right, right. But you can sometimes use that initial access to get the admin privileges. Also, we’ve seen threat actors being able to sniff the TACACS communications off the network, and you can get the cleartext administrator privileges. You know, credential reuse and credential misuse happens at this network level as well. It’s been observed in the wild, which is crazy, crazy.

Wes Dobry (19:37.143): Yeah, I mean, the key thing here is that anyone that’s still using public as their community string, even if it’s read-only, that with this vulnerability could be used as a denial of service against that device. And the sheer effect there is, you know, anyone that’s running Cisco equipment, you could potentially have somebody inside the network that starts taking switches down. I mean, that’s a bit of a concern for…

Paul Asadoorian (19:59.919): Yep. Yep.

Paul Asadoorian (20:04.12): Yeah, but you know, also concerning, Wes, in all that, like, we talk about BMCs being on the internet, but you’ve got a Cisco device with SNMP exposed to the internet. Apparently there’s two million of those. That’s bad. If I’m the network security person at this organization, I mean, I was, and I made sure that we did not expose SNMP to the public internet. That would be bad. But apparently, today, two million devices are out there where it’s exposed to the internet. Why? That’s crazy.

Wes Dobry (20:39.778): You know, we ask that question a lot. You know, we see things like management interfaces and stuff exposed to the internet and we go, well, this is base-level stuff, foundational things. Why are organizations not identifying these things? And you hit the nail on the head there. If there’s 2 million Cisco IOS devices, I’d have one question first off: I wonder how many of them are honeypots. And then two, you know, the other ones that are not honeypots, how long have those devices already been compromised?

Paul Asadoorian (21:00.856): Yeah.

Paul Asadoorian (21:07.48): Right, right. And what’s interesting is that since SNMP is a UDP-based protocol, you can easily spoof and send some packets over, right? If you don’t care about the responses, you can just spoof and send some packets over, right? And that makes it easier for attackers. It’s great for them, bad for us.

Wes Dobry (21:31.156): And scalable. I mean, if you’re doing UDP, I mean, even something as simple as Masscan could probably send out a billion packets a second on that and start taking down all sorts of other fun stuff in that kind of an attack.

Paul Asadoorian (21:44.507): Correct. Now it’s interesting that, so I was listening to the Three Buddy podcast and I thought Juan had an interesting theory here that I had not considered. And that is because Cisco, so a lot of this activity is tied to Chinese-based threat actors. No one wants to really come out and definitively say that ArcaneDoor or this SNMP vulnerability was exploited by Chinese threat actors, though it’s highly likely that it is. If you read some of Cisco’s documentation, it kind of backs up Juan’s theory. In Cisco’s documentation, they don’t really point, they don’t say Chinese-based threat actors ever in their advisories that I could find. And Juan’s theory was, well, since Cisco is such a big customer of China, they don’t want to start pointing fingers at Chinese threat actors. They just want to come out and say, yeah, we found this. You should just go fix it. And like, don’t worry about the tie to Chinese-based threat actors, which is interesting because, with the Cisco SNMP vulnerability, they didn’t come out and give us any details. There’s no IOCs. There’s no references to any threats or malware that they discovered. But you discovered it as part of a TAC case and knew that this was a new vulnerability and knew someone was exploiting it. So it’s highly likely, we can speculate, that you have more details to share about this. Maybe you’re not, maybe it’s an ongoing active investigation, but even still, give the rest of us something to act on. And they have it. And that’s just, it’s a theory. I’m not pointing fingers at Cisco. I’m not saying that’s true. I think it’s an interesting theory.

Chase Snyder (23:23.06): Something that is not at all theoretical, though, is the overall growth of targeting of network edge devices. Like, we’re positing this as a trend, but that’s not just us, because of our observations. The 2025 Verizon Data Breach Investigations Report showed an 8x increase in network edge devices being targeted for initial intrusion specifically.

Paul Asadoorian (23:31.726): Yeah.

Chase Snyder (23:50.826): And I think it was 34% of the attacks that they included in that analysis had vulnerability exploitation. So there’s two trends happening: increased vulnerability exploitation while credential abuse decreases. So we’ve been heavily focused on defending against credential abuse, you know, by, you know, attackers don’t break in, they log in, right? Not really the case anymore, or rapidly changing, where attackers

Paul Asadoorian (24:17.178): Mm.

Chase Snyder (24:20.744): will in fact break in, because we’ve presumably gotten good enough at protecting credentials: MFA, various mechanisms, privileged access management, various mechanisms to make that harder to do. And so they’re using vulnerabilities. And as the Red November research speculated, they’re targeting newly disclosed vulnerabilities, but they’re also using these older tools. And it’s just easier to do. Seems like it’s just easier to break in instead of log in now. And I would anticipate that we’ll see more and more of both vulnerability exploitation and targeting of network edge devices. Actually, the Mandiant M-Trends report also showed a similar stat, where a large percentage of the total number of attacks that they had been called in as incident responders for used vulnerability exploitation as an initial intrusion vector, and

Paul Asadoorian (25:01.177): Mm-hmm.

Chase Snyder (25:17.034): an interesting component of that one was that 21% of the ransomware attacks that they investigated or responded to had vulnerability exploitation as the initial access vector. So it’s not strictly social engineering. It’s not strictly stolen credentials. It’s like vulnerability exploits as the sort of first entry point in a non-trivial amount of ransomware attacks too. And ransomware, obviously, is a huge concern for every type of organization. Probably the biggest thing any given company would say that they’re worried about in the cyber realm. And it’s clear that paying attention to vulnerabilities, and vulnerabilities in network edge devices, is going to have to be an increasing part of their focus in cybersecurity to shore up their posture against those kinds of attacks that they’re concerned about.

Paul Asadoorian (25:55.258): Mm.

Paul Asadoorian (26:11.96): Yeah, it harps on my soapbox of how organizations largely, because these campaigns have been so successful, maybe aren’t paying enough attention to their external attack surface as we used to. I feel like maybe we lost sight of that because attacker trends shifted, right? It was a huge trend, like, early on, where you would scan a network remotely as an attacker. You would log in and break into things remotely and have great success. And then as we got more firewalls and awareness of our network perimeter, attackers said, well, that’s great. Now I’m just going to phish your users and email them, and I’m going to get around all of your defenses that way. And I feel like the pendulum kind of swung in a different direction now, where we have to pay attention to our network edge. And there’s so many, I think, pretty basic ways to do this. You can subscribe to Shodan, put your IP addresses in there, and get a report. To me, that’s the easiest way. That’s not a heavy lift at all. I don’t even think it’s that expensive, especially when you look at an enterprise security budget and how important this activity is, to subscribe to a service like this. You could do attack surface monitoring and management vendors as well. You could use something like runZero. You could deploy RN’s products and have it do scanning from the outside as well. So there’s just so many ways to

Vlad Babkin (27:24.752): you

Paul Asadoorian (27:40.577): understand what your network perimeter looks like from the outside. Then you have to act upon those results. And it shouldn’t be that hard to act on those results, because it should be a somewhat limited subset of what’s exposed to the internet. But that’s the highest priority, because it’s already on the internet: making sure, seeing what’s exposed, what you have, and then determining if there’s vulnerabilities in it. And just do it. Why aren’t we doing this? I’m confused.

Wes Dobry (28:06.687): So a big plug for CISA’s Cyber Hygiene services here. So, free of charge if you host any services on the internet. And this is for businesses; they don’t do this for personal at this point. But CISA will take public-facing IP ranges and scan them and let you know about any of the known exploited vulnerabilities or any risks that are associated with it. So, great tool, great resource again.

Vlad Babkin (28:07.31): get

Paul Asadoorian (28:11.642): Mmm.

Wes Dobry (28:34.36): Cyber Hygiene Services from CISA.

Paul Asadoorian (28:37.818): That’s amazing. No excuses.

Vlad Babkin (28:38.234): There is also another point. Like, squishy on the inside is dead as a concept. You cannot rely on your network edge to protect you. That’s it. In the past you could. Now, yeah, those same devices get targeted, but let’s say we live 20 years in the future and that problem got somehow solved. We forced the vendors to do some cyber hygiene, we fix vulnerabilities, they rewrite some stuff. Okay, let’s say 20 years have passed.

Paul Asadoorian (28:45.017): Mm-hmm.

Vlad Babkin (29:07.96): It still applies. Like, it’s not something new, like users get phished and attacks are advanced. Like, imagine somebody who is actually running on the user instead of scanning your network and triggering all of your security tools. If they’re already running on that user, they will read his email, find some pieces of network infrastructure where they can just avoid scanning. They will probably get some credentials to that and, hey, I’m getting into your network. So you have to use password managers for all of the users and never share passwords for anything that’s even remotely important to attackers. And that’s already the basic part, right? Then there are many ways to get on the inside of the edge devices as compared to what there was in the past. Consider all of the road warriors, especially with COVID, just running around with VPN connections going past your edge router. Like, even that.

Paul Asadoorian (29:59.663): Yeah, I’m a big fan of not just moving the problem around, right? When we’ve had conversations in the past 20 years about network segmentation, firewalls, even web application firewalls, I come back to this point: those are great. It’s great to have those in your architecture, and they do provide some value. However, you have to fix the actual issues, and you can’t just move those issues around. Like, what are we gonna do about legacy systems that we can’t patch? Oh, we’ll just move it somewhere else. I’m like, at some point, you have to address those issues. You can’t just move them around and feel like your work in security is done. You have to, to your point, Vlad, address those issues and fix the actual problems, or provide some other remediation or compensating control for those issues other than just moving it into a spot that’s harder to get to.

Vlad Babkin (30:55.136): And even worse, there are no compensating controls for some of them. Like, if you have a SQL injection, you have a SQL injection until you go and patch that SQL injection. Your WAF can help, like, a web application firewall, to your point, will help with that. It will make it harder. But somebody with enough persistence and intent to break in, they will break it in a day. So that compensating control only gives you more time and gives you a chance to detect exploitation. That’s it. It’s not preventing it.

Paul Asadoorian (30:58.852): Mm-hmm.

Paul Asadoorian (31:03.932): Right, right.

Paul Asadoorian (31:19.0): Right.

Paul Asadoorian (31:25.498): The, um, I-told-you-so moment of Cisco ASA is very interesting to me. Um, and it’s not just my I-told-you-so moment, you know. GreyNoise, um, made a post several weeks ago indicating that there was an uptick in scanning for Cisco ASA devices. We published an article where I looked at the data, and it was like not just in September. If you go in the GreyNoise data, there was the same spike in October, and I’m like, it looks like these attackers are just, like, once a month going out and inventorying every Cisco ASA and FTD device on the internet. FTD is their Firepower Threat Defense, which shares a similar architecture, as I’m learning, with the ASA. And we all looked at them and we were like, well, this is indicative of something. Like, something bad is probably gonna happen. I’m like, also, you know, now we’re talking about end-of-life devices. When these devices are end of life, which ones are end of life, when… Some of them are turning end of life next year. This is kind of like a perfect storm. Then we get the report that there were three new CVEs, and lo and behold, threat actors, that I think they tied this back to ArcaneDoor. This all ties back to ArcaneDoor. And these vulnerabilities have now been disclosed. They were being exploited by the ArcaneDoor threat actors and were used to install malware. The first one was RayInitiator, which is a bootkit for Linux, essentially. I mean, it was deployed to ASA devices, but it’s a Linux bootkit that takes advantage of GRUB, that loads code in the early stages in the bootloader before the OS kernel is loaded. I’m like, well, we’ve heard this story before. Like, that’s really bad. And then LINE VIPER is the user-mode, I believe it’s a user-mode, malware. It gives the attackers all sorts of capabilities. They can look at what’s being typed in on the command line. They can steal credentials. They can execute commands. They can remove log messages. It’s your standard kind of malware rootkit for Linux or other style devices. And this is being exploited in the wild, happening now.

Paul Asadoorian (33:46.265): The NCSC is the one that made the report. I linked to that in some of our materials and communications. If you haven’t, just Google for NCSC, Cisco ASA, and you’ll find that there’s a PDF report. It’s like 12 or 17 pages or something that details everything about RayInitiator and Line Viper, including several IOCs, YARA rules, I believe, hashes, the whole shebang is in there. So it’s interesting that we got that for the ASA vulnerabilities but not the SNMP ones, first and foremost. Secondly, I mean, the malware I looked at, I was like, this is pretty capable malware. Some articles even suggested, I think they said it was like multiple iterations of this malware. This is just like the latest iteration of it. Similar strains have been propagated previously, but this is, like, even more advanced and polished than ever before.

Wes Dobry (34:49.635): Yeah, one of the things that stands out to me, going back to the ASA scanning stuff that was occurring, is just the sheer fact of the age of these vulnerabilities that they’re scanning for. I mean, some of these CVEs go back 11 years, to 2014. And I mean, that is unbelievable, that there’s still enough of an attack surface out there that they’re looking for devices that are just that old, that easily compromised.

Paul Asadoorian (35:01.754): Mm-hmm.

Wes Dobry (35:18.043): You know, I think of it from the amount of effort and time and money spent on building the infrastructure to scan at this scale. And to be scanning for CVEs that are that old, that are still actively exploited, they obviously still have to have some rate of success too. And that to me is just insane to think about.

Paul Asadoorian (35:38.584): Yeah, because, well, people are hanging their ASA devices out there largely because there’s a web VPN component and they have to be on the internet. Now attackers are preying on, like, well, you have to put this on the internet to provide that service, and you’re not keeping them up to date, and ASAs are going end of life, and we can scan the internet super fast now, and this is a great way into an organization. It’s just the perfect storm for this behavior, and lo and behold, look what happened, right? New vulnerabilities were discovered.

Vlad Babkin (35:39.085): It’s…

Paul Asadoorian (36:07.891): And I would say fairly sophisticated malware was deployed to these devices.

Chase Snyder (36:14.258): It strikes me that a foundational tenet of cybersecurity is to know what you have, right? Asset inventory, knowing what you have in your environment, is really critical to being able to protect it. And it seems like that’s also kind of a critical foundational element for cyber attackers too, for them to know what you have in your environment, which is increasingly possible, like you said, with the speed of scanning and the amount of stuff. The shift towards targeting devices that have to be on the internet to some degree, these VPN boxes and stuff. It feels like the attacker paradigm of targeting endpoints and laptops and stuff is kind of just a hangover from the early days of cyber attacks, where it was like, you know, ransomware is going after individuals’ computers for nickels and dimes and whatever. And so that was like a habit that got built up. Then someone figured out, now that we’re going after these big businesses, they have this other stuff that’s easier to break into, they can’t take it offline for it to do its job, it has all this broad access. And so there’s this accelerating attack paradigm shift that is not being well met yet in the defender space. I think it will be. I have big faith in the defense, the defender community,

Paul Asadoorian (37:22.723): Right.

Chase Snyder (37:39.69): and their ability to rise up and adapt, but it’s unfortunate that the overall technology landscape that’s been developed for cybersecurity over the past decade just hasn’t been focused on that. It’s been focused on preventing the credential abuse. It’s been focused on the endpoints, and that’s something that makes me extremely bullish on Eclypsium, is that we are targeting, we’re helping you protect the things that the attackers are going after now, those network edge devices and that firmware level, and I feel like we’re ahead of the

Vlad Babkin (37:48.4): It’s

Vlad Babkin (38:03.779): Yep.

Chase Snyder (38:08.522): We’re ahead of the game a little bit on that, but the industry is really going to need to catch up based on the acceleration of the attacker behavior trend that we’re talking about.

Paul Asadoorian (38:13.751): Mm-hmm.

Vlad Babkin (38:14.832): Mm-hmm.

Vlad Babkin (38:18.616): Yeah, we’re doing everything we can to actually scan those devices, even though vendors are sometimes actively interfering with that. As we have said before, time and time again, in this conversation alone as well, there is not a lot of stuff you can do with some of the network devices. Like, you don’t get as much access as attackers do through exploits. So there’s a good question of what to do about it. Like, sometimes you actually have to exploit the device to actually get visibility to check if it was exploited by somebody bad. It’s completely insane.

Paul Asadoorian (38:48.665): Isn’t that crazy? Like, I was just thinking, we covered the Rapid7 researcher that discovered the vulnerability where you could upload vulnerable applications. I forget what they’re called in the ASA. There’s a whole piece of research from Rapid7 that dates back years. It’s in my blog post. It allows you to upload malicious applications. Like, well, if you’re a cybersecurity vendor, you could actually leverage that to give people visibility. But… you’d also leave that door open for attackers as well. There have been so many instances, especially since I started here at Eclypsium, where I was like, I really want to get visibility into this device. And I’m like, well, we could do that if we exploited a vulnerability on it. I’m like, but that’s so backwards. That’s what we’re trying to prevent. It’s crazy.

Wes Dobry (39:40.493): Yep, security by obscurity still.

Paul Asadoorian (39:43.245): Mm-hmm. Yeah, the ASA is an interesting, the malware is a good read. It’s an interesting platform. Certainly making sure you’re up to date on patches is appropriate, but gaining that visibility, I think, is still hard on ASA. Although we have some, I mean, not to make it a product pitch, right? But we do support the platform for firmware integrity. And that’s what I was trying to promote, right? But even at that, like, it’s too late. And this is kind of what keeps me up at night. We as Eclypsium, we give you great access. We can tell you, hey, you’ve got this malware, this threat, it’s on that device, and your firmware integrity has failed, that’s bad. But it’s after the fact. It’s too late. Because there’s nothing, what normally we would do is put some kind of EDR or anti-malware or something for prevention on these devices, but we can’t. And now we’re just stuck going, yep, I was compromised. I got popped. Oops.

Chase Snyder (40:46.674): Yeah. And what, I mean, I don’t want to dump on Cisco too much. They’re huge. They’re widely distributed. It’s hard. It’s a hard problem, but what they released in the immediate aftermath of the disclosure and the CISA emergency directive around those two ASA vulnerabilities, they put out some scripts to help folks detect the compromise and help collect some forensic data. And I mean,

Vlad Babkin (41:08.497): Mm-hmm.

Chase Snyder (41:12.37): I don’t think anybody would say that that’s anything more than a band-aid. Like, to use those scripts at enterprise scale, people do not necessarily have the bandwidth to do that in all the organizations that are running these Cisco ASA things. Like, there wouldn’t be end-of-life Cisco ASA devices in these organizations if they had, like, super, short of bandwidth and teams that could be, you know, out here running scripts to do this kind of stuff. It’s, yeah, like you said, the visibility and the tooling to be able to proactively address this kind of thing is not there for most organizations. Doing a script after the fact to address it is indicative of the sort of gap that is growing between attacker capabilities and behavior and the defender toolkit.

Paul Asadoorian (42:02.265): Yeah.

Vlad Babkin (42:03.184): By the way, Eclypsium is going to release tools with our network device scanner to actually scan that. I don’t know exactly when, but we are mostly waiting on internal process to actually pass all of the validations and whatnot to make sure we don’t break anything.

Chase Snyder (42:19.454): Do we need a Safe Harbor statement about forward-looking statements here for that? We always try to do this. No enormous promises, but I believe Vlad. It’s what we’re good at. We’re doing what we’re good at.

Paul Asadoorian (42:23.328): Mm-hmm.

Vlad Babkin (42:23.46): Yeah.

Vlad Babkin (42:29.454): Yeah. So does that.

Paul Asadoorian (42:31.019): Well, often what comes from the vendor in terms of protection for their own equipment and software is highly focused and somewhat limited. What I’ve observed in a general sense is that they’ll say, well, use this software or the script to go find this thing that’s happening. It’s often really just like a hash comparison. It’s very targeted. It’s like, if you have this exact compromise and these TTPs, it will find it, but if there’s even a slight variation off of that, the vendor tools are not going to find it. However, I should have added this article, but Ivanti has released some more advanced protections, and I want to say it’s something like memory protections for their devices. I’ve not evaluated that. I don’t know how well it works or how effective it is, but obviously Ivanti has been under attack and scrutiny for a couple of years now. And so it’s not shocking that they’re like, we’re improving our product to be more resilient. So I guess I’m actually saying something positive about Ivanti, which is that, again, I don’t know the effectiveness of it, but they’re trying to go, hey, we’re gonna make releases and updates to our software to make it more resilient. And I’d love to see that as a trend. Cause I think the reason why attackers are going after it is because it’s such a ripe attack surface. There’s nothing there that’s really even slowing attackers down. And so to have Ivanti hopefully set a trend to go, we got to make our products more resilient. We can’t fix all the code overnight, but what can we do? Right? Can we do memory protections? Can we implement all of the other security controls that we talk about, Secure Boot, things inside the Linux kernel for security? There’s a lot. We could do a five-hour podcast on everything in the Linux kernel that’s available for both monitoring and prevention of exploits and/or threats on a Linux system. So.

Vlad Babkin (44:36.464): There is not much they can actually help with. The problem is a lot of the vulnerabilities are a basic web code execution bug. You post a shell, it executes a command, done. How is Linux kernel protection or memory protection or anything of the sort going to help you with that? It just isn’t.

Paul Asadoorian (44:54.906): Yeah, it’s certainly only classes, right, it’s classes of, the vendors have to deal with the different classes of threats. Some are memory corruption, and we’ve seen that, but to your point, Vlad, some are web application vulnerabilities that, they’re not gonna touch, you know, they’re not gonna touch memory corruption. It’s just like, you know, remote command execution.

Vlad Babkin (45:08.26): Yep.

Vlad Babkin (45:17.552): Yep. A lot of the bugs we see for these devices are actually web bugs. So no matter how much you do memory corruption protection, you’re just not doing anything. It’s like a lot of work that sounds cool, but which doesn’t lead to any actual results. So the only thing you can actually do is enable SDLC in your process. Literally block your releases for a few years until you freaking fix all of the bugs. That’s the only thing you can really do to actually protect from it. At the very least, at the very least, get a web application firewall on top of your administrative UI. At the very least, do this. It will be a lot more efficient at blocking something.

Paul Asadoorian (45:51.737): Right. Or a solid web application architecture, but that’s difficult on these devices. I don’t remember ever seeing much in the way of solid architecture behind it. Because the web applications are so small and specially purpose-built for that device that it’s not like I have an NPM, you know, environment or some nice web framework that may have some protections for command injection, SQL injection, things like that. And I’ve got this little small thing that’s running. It’s hard to protect.

Vlad Babkin (46:15.152): Sure.

Vlad Babkin (46:19.024): Sure. Sure.

Vlad Babkin (46:25.712): Not true. A lot of those little things are running Python right now. Python has, at the very least, FastAPI, at the very least SQLAlchemy if you do any SQL databases, including SQLite, which you can actually see on these devices. I wouldn’t be too surprised if some of them have it. At the very least, you can do user separation so you don’t run your web server as root. Have some internal separation between what the web server can do. Like, OK, it needs to run some commands on the system,

Paul Asadoorian (46:45.188): Right.

Vlad Babkin (46:52.396): make those commands separate executables, like well-defined interfaces. You can do a good architecture for those devices, despite what you said. Like, sure, it’s not every device that has a lot of firepower, but I have bona fide seen Lua running on devices that are like BMC stuff, right? It’s not a powerful device by any means. If your device is running in a semi-decent language, you have some availability of tools. Even if it is C++,

Paul Asadoorian (47:19.578): So yeah, well, what you’re saying, Vlad, is that the frameworks that are implemented on network appliances and devices have more, have capabilities to be more resilient, but those capabilities and controls are not implemented by the vendors. Independent of code quality, these are security controls in the various frameworks.

Vlad Babkin (47:33.541): Yup. Yup. Yup. Yup. Yup. Like, instead of using a framework that is well made from a security standpoint, they choose something random and then they suffer. In this case, it’s like, I’m not just calling out one specific framework, there are quite a lot of frameworks which are actually security-minded. Like, FastAPI is just one of the most modern and, in my opinion, really good examples of how to build a web application framework with high security.

Paul Asadoorian (48:02.692): Right, not FastCGI, not to be confused, is it FastCGI that implements that?

Vlad Babkin (48:03.171): It hasn’t. Yeah, FastCGI is just an interface. It’s not a framework. Like, FastCGI is just how you call binaries. So to give an example, like FastAPI, how do you make a web request? You attach a Python method and it becomes a controller. Now the point is, if you type all of your variables on that method, what will happen is that it will check the type. It will just check, okay, is this integer actually an integer?

Paul Asadoorian (48:10.562): Yeah, gotcha. Call binaries, or, right, yeah.

Vlad Babkin (48:37.006): And if it isn’t, it will throw an error. Suddenly, quite a few type juggling bugs just go away. Then it can have a lot of extra validations and whatnot. Sure, it will not protect you from all of the bugs. It will not save you from command injection, but it will prevent quite a few bugs related to validation. And it will make writing your validation much cheaper, by the way. So if you’re using Python in your appliance,

Paul Asadoorian (48:42.382): Right, right.

Paul Asadoorian (48:51.576): No, never do, yeah.

Paul Asadoorian (49:00.205): Right, right.

Vlad Babkin (49:04.056): there is absolutely no reason why you cannot use FastAPI. Like, sure, if you are not using Python, you are limited with resources and you are forced to use C++. Yeah, your choices are a little bit more limited, but there is Boost HTTP, which is, again, a decent web framework. So there is that.

Paul Asadoorian (49:22.35): Yeah, I think the design decisions were made without security in mind and solely based on functionality and cost, and not security, because you’re right, they would have made different choices.

Vlad Babkin (49:28.078): Yeah. Yup, and that’s…

Vlad Babkin (49:36.686): Yeah, but in this case, some of it is absolutely ridiculous, because some of those would cut costs. It’s much easier to write a modern, simple API in something like FastAPI as compared to trying to make your own entire architecture in Python. Again, simply because this is a ready-made framework for you. You don’t have to think about quite a few things.

Paul Asadoorian (49:42.052): Mm-hmm.

Paul Asadoorian (49:58.203): I want to talk a little more about HybridPetya, because we released a blog post on that and I think it deserves more of a mention, especially now that I’ve dug into some of the details, because what is the phrase that Mickey hates? I think I said it’s a supply chain security crisis. It’s going to be a t-shirt. This is not just a vulnerability, it’s a supply chain security crisis, and when it comes to UEFI Secure Boot and methods such as HybridPetya and the associated CVE, that’s really what this is, right? There are tools, I forget the CVE, is it 2025-7344? I think it’s 2025, what’s that? 2024-7344 is the vulnerability in,

Wes Dobry (50:46.749): on it.

Paul Asadoorian (50:57.39): bootloaders that are distributed for system recovery. And there are several vendors that I believe shared code, I think the same code that ends up in their bootloader. And these bootloaders are signed with Secure Boot, signed with, I believe, a Microsoft certificate. And the flaw is in the way that they load other code or UEFI applications. And so there’s a secure way to do that. It’s the security architecture protocol in the EDK2 specification. It basically says, hey, if you’re a signed UEFI application and you want to call or load another portable executable or UEFI application, you should call it in this way so that the application you’re loading gets checked against the revocation list in Secure Boot. The vulnerability lies in this software that creates its own custom loader to load these executables, which do not get checked against the Secure Boot root of trust. So the vulnerability that HybridPetya is leveraging is actually in, the original file name is reloader.efi, but they renamed that to the standard Windows Boot Manager file name, but it’s the reloader.efi which has the vulnerability. And in that code, it calls another executable called cloak.dat. And cloak.dat, since it’s not signed, there are some other things that have to be in cloak.dat in order for reloader.efi to load it, right? It has some kind of XOR check and a couple of other things. If those things are there, it’ll load it. And then as an attacker, you can just write whatever code you want after that. And that’s the code that’s gonna get executed. And guess what the attackers did? They wrote ransomware inside of that. They loaded the bootloader, it loads the ransomware code, then no problem. Everything’s signed, Secure Boot’s enabled, everything’s running. And now you’ve got a bootkit that is executing ransomware due to the supply chain security crisis, essentially, that we have with Secure Boot. I don’t wanna knock Secure Boot, but it’s…

Paul Asadoorian (53:20.384): It’s a reminder that these controls are only as good as the roots of trust and the revocation lists that enforce them. Just time and time again, since Secure Boot’s introduction, we’ve seen these attacks. Now we’re seeing them, not so much in the wild. Again, HybridPetya was posted to VirusTotal. We didn’t find it live on a system, and there’s speculation as to where it came from, but that’s what’s happening here.

Wes Dobry (53:47.749): You know, it’s the age-old problem again, where when you have built an industry trust system that people leverage, and then it gets utilized, and now you have millions of devices using something that’s trusted that is found to have a vulnerability or something in it, you can’t just simply turn it off at that point. Because if you do, you suddenly start breaking a lot of devices that are out there, and then that gets to be the main story in the news, not trying to be as secure as possible.

Paul Asadoorian (54:15.736): Right.

Wes Dobry (54:18.381): And we’ve seen that across the board in almost all of these Secure Boot bypass vulnerabilities, where it is a known thing that Microsoft or the UEFI Forum can’t revoke it, because if they do, it would break a lot of devices out there. This is the same exact case.

Paul Asadoorian (54:36.365): Yep. And it’s very similar to Mickey and Jesse’s, our coworkers’, research, One Bootloader to Load Them All, which pointed out flaws in several bootloaders that operate very similarly. The vulnerabilities are very, very similar, including signed shells. And in that research, you know, Mickey and Jesse identify that if there are certain capabilities inside of a UEFI shell, those capabilities can be used to map memory regions or remap memory regions, which can be used to bypass Secure Boot. And so we keep having this problem where we can undermine Secure Boot based on finding software out there that has been signed that contains certain, not even just vulnerabilities, but, very similar to LOL drivers, contains functionality that lets malicious actors bypass security controls.

Wes Dobry (55:34.917): Yeah, I mean, this is the exact same thing that we see with vulnerable drivers in the Windows OS, people using those to run unsigned or dangerous code just by simply loading a device driver that’s already trusted by the Windows subsystem. It’s the same concept, but in this case, it was finally leveraged, or leveraged again, I should say, to establish this bootkit to do nefarious things before the OS even loads.

Paul Asadoorian (56:03.95): Yeah, and this is, you know, attackers just showing that they’re going to start doing more by living outside the operating system. We’ve talked about this for a while, and I think we’re starting to see stronger indicators that this is where attackers are going. I mean, maybe it’s because we’ve hardened Windows so much, although I still see techniques for bypassing Windows EDR and other security controls every single week. I see new techniques all the time. I’d love to have, like, a segment where we talk about some of those. I am not the world’s foremost expert on Windows, but these newer, and oftentimes it’s hard to decipher, is it really a newer technique? Is it a variation? Or is it something that we’ve known about and someone just took the time to write it up better? I’ve seen all three of those cases when I consult with my Windows experts, you know, my friends who are Windows experts, but even given that, I think attackers are likely frustrated and going, I just want to skirt around all of these defenses because it’s getting super annoying. And so we’re just going to get inside of firmware, inside of a network device, inside of a BMC. Then we don’t have all these issues, right? So they’re finding other attack surfaces that don’t have the security controls that Windows has, that Windows systems have.

Wes Dobry (57:36.4): Yeah, I mean, there are two games of whack-a-mole going on. One is, as practitioners, we are trying to make it harder for the attackers. And then one for the attackers going, we’re going to go where it’s easier for us. And you know, you hit the nail on the head there, is that it’s all about applicable controls that organizations can have in place for monitoring, visibility, and security. And we’re at a standpoint now where that landscape is shifting away from credential stuffing and phishing and typical initial vectors of attack to low-hanging fruit, which is vulnerable devices that are already hanging out on the internet. And we’re just going to see this shift around again to whatever is the name of the game tomorrow. But the trouble is, the tools and the technologies leveraged are making it easier and faster for these threat actor organizations to do this. Leveraging AI now is, you know, giving opportunities for them to do something as simple as point to a CVE and point to a compiled set of binaries and say, with this CVE, point to where in here this exploit exists or this vulnerability exists. And it’s even making it even easier to start reverse engineering this stuff.

Paul Asadoorian (58:52.994): It does. So I actually did that. So I took the HybridPetya malware sample and I put it in a directory on my Linux system, right? On a Linux system, right? Because I’m like, this is ransomware. I’m like, but I’m not running Windows. So the ransomware is not going to execute because I don’t have an NTFS file system for it to prey upon. And I’m not running Windows as an operating system, and the bootloader is specific to Windows. So when I take this malware sample, I use the command line Claude Code, which I was kind of shocked by. I was like, hey, like, I put you in a directory with malware that is also ransomware, like, don’t execute anything. I just want to learn about it. And Claude was like, yeah, sure, no problem. And I asked it a series of questions about the malware that built upon each other. Tell me how it works. Tell me how it loads this. Tell me how it loads that. And what are the vulnerabilities? And it answered all of my questions about it. So if I can do that, to your point, Wes, attackers can do that as well and more easily come up to speed on some of these more sophisticated techniques with the aid of some type of AI.

Wes Dobry (01:00:09.678): 100%, and you know, I was just thinking about it. Even if you’re running Linux, I’m pretty certain your EFI partition is still running a version of NTFS on it, so you would actually have a file table. So don’t accidentally run that code, my…

Paul Asadoorian (01:00:20.238): It’s true.

Paul Asadoorian (01:00:24.036): Don’t do that, yeah, don’t do that. Put it in a VM, keep it separate, put it on a different system, right? Be careful when you’re analyzing this malware. Well, sometimes malware gets smart if it’s being analyzed, right? So you have to be careful when doing that, for sure.

Chase Snyder (01:00:42.238): Nothing if not careful on this podcast. Big Claude stans, apparently, too. Also, yeah, so good.

Paul Asadoorian (01:00:44.64): Yes, extremely.

Paul Asadoorian (01:00:49.466): Claude is great. I use Claude for a, just a side note, I use Claude for a Python scripting project that I had worked on kind of on and off, just creating scripts to make it easier for me to basically load SD cards with firmware and files for ESP32 devices. And I finally sat down and I used Claude, and I was like, I gave it all my requirements, right? Prompted it little by little. And the code quality that it was able to produce was astonishing. I looked at it, and then I went through all the code, almost line by line, not quite, but almost line by line. And I was like, this is actually pretty good code quality that’s in there. In fact, sometimes I had to kind of scale it back. Like, don’t get too fancy. Claude has a tendency to, like, make it, like, super, I don’t know. And then, like, I would also prompt it, as a tip: show me your plan for what you’re gonna implement and break it down into phases, like three phases. I want, like, easy, medium, and more, most advanced, and then give me a plan of what you’re gonna do. And then I’m like, all right, just do phase one. Just do the stuff in phase one. Let me go test it. Let me review it. Okay, maybe now go just do this one part of phase two, right? And I think, great success. I mean, the code is, like, now I’ve made some modifications, probably 95% AI generated, and it has been working really well. Also, it’s a very basic task as well. It’s nothing super complicated. It’s like downloading files from the internet, parsing a JSON to download these other files, and cloning some Git repositories with some filtering. It was a pretty basic task, but it saved me a ton of time.

Paul Asadoorian (01:02:42.164): Awesome. Well, thank you, gentlemen, for joining the podcast today. Thank you, everyone, for listening and watching this edition of Below the Surface. We’ll see you next time.