Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

- Hides certain running-config items in memory (disabled by default). When enabled, the rootkit hides specified account names, EEM scripts, and ACLs from the running configuration. Trend investigations observed the following hidden items:
Hidden account names: dg3y8dpk, dg4y8epk, dg5y8fpk, dg6y8gpk, dg7y8hpk
Hidden EEM scripts: CiscoEMX-1 to CiscoEMX-5
Hidden ACLs: EnaQWklg0, EnaQWklg1, EnaQWklg2
- Allows VTY ACL bypass (disabled by default). A VTY is the virtual terminal line on a Cisco device (such as a router or switch) that provides remote access over protocols such as Telnet or SSH. Administrators can apply ACLs to control access to VTY lines, but when this bypass is enabled, any ACL bound to the VTY lines is ignored.
- Toggles or deletes device logs. This function allows an attacker to temporarily disable log history by setting the log size to zero.
- Resets last running-config write timestamp. This is used to hide changes, so it appears the configuration was never modified.
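The capabilities above name specific artifacts (account names, EEM scripts, ACL names, a zero-size log buffer). The following added example, which is not code from the original post or from Trend or Cisco, hunts for those names in captured `show running-config` and `show logging` text. Because the rootkit hides the items from the in-memory running config, the text to scan should come from out-of-band sources such as configuration backups; the exact IOS line formats the regexes assume are this example's assumption, and the sample output is constructed.

```python
import re

# Indicator names are quoted from the blog post. How each would appear in
# IOS "show running-config" output is this example's assumption.
HIDDEN_ACCOUNT_RE = re.compile(r"^username\s+(dg\dy8[a-z]pk)\b", re.M)
HIDDEN_EEM_RE = re.compile(r"^event manager applet\s+(CiscoEMX-[1-5])\b", re.M)
HIDDEN_ACL_RE = re.compile(r"^ip access-list \S+\s+(EnaQWklg[0-2])\b", re.M)
# IOS "show logging" prints the buffer size; zero bytes matches the
# log-disabling capability described above (line format assumed).
LOG_BUFFER_RE = re.compile(r"Log Buffer \((\d+) bytes\)")


def scan_running_config(show_run: str) -> dict:
    """Return the indicator names found in captured running-config text."""
    return {
        "accounts": HIDDEN_ACCOUNT_RE.findall(show_run),
        "eem_scripts": HIDDEN_EEM_RE.findall(show_run),
        "acls": HIDDEN_ACL_RE.findall(show_run),
    }


def log_buffer_disabled(show_logging: str) -> bool:
    """True if the logging buffer size is reported as zero bytes."""
    m = LOG_BUFFER_RE.search(show_logging)
    return m is not None and int(m.group(1)) == 0


def hunt(show_run: str, show_logging: str) -> list:
    """Summarize every finding as a 'kind:name' flag, in config order."""
    found = scan_running_config(show_run)
    flags = [f"{kind}:{name}" for kind, names in found.items() for name in names]
    if log_buffer_disabled(show_logging):
        flags.append("logging:buffer_size_zero")
    return flags


# Constructed sample output (not taken from a real device) for a stand-alone run.
SAMPLE_RUN = """!
username admin privilege 15 secret 9 <redacted>
username dg3y8dpk privilege 15 secret 9 <redacted>
event manager applet CiscoEMX-1
 event none
ip access-list extended EnaQWklg0
 permit ip any any
"""
SAMPLE_LOGGING = "Syslog logging: enabled\nLog Buffer (0 bytes):\n"

if __name__ == "__main__":
    for flag in hunt(SAMPLE_RUN, SAMPLE_LOGGING):
        print(flag)
```

A clean device yields an empty list; any flag is a reason to collect the firmware/ROM/boot evidence the next section describes rather than proof on its own.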
Detection and security recommendations
Currently there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation. If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot regions.
For early detection, Trend recommends using Trend Cloud One™ Network Security, which provides deep inspection of cloud network traffic using virtual patching, intrusion prevention (IPS), and post-compromise detection to prevent malware and zero-day attacks. It offers real-time threat intelligence, custom rule sets, and behavioral analytics, supports hybrid cloud environments, and integrates with other Trend Cloud One services and Trend Vision One™ for extended detection and response (XDR).
Trend Micro™ Deep Discovery™ can also help mitigate risk by detecting the Cisco exploit and UDP controller communication. Deep Discovery uses virtual patching and intelligent threat detection to inspect inbound and outbound network traffic for advanced threats, ransomware, and targeted attacks.
Trend Cloud One Network Security and TippingPoint Threat Protection System
- 46396 – SNMP: Cisco IOS XE Software Authframework OID Get-Request Buffer Overflow Vulnerability
Deep Discovery Rules
- 5497 – UDP_CONTROLLER_REQUEST
- 5488 – SNMP_CISCO_AUTHFRAMEWORK_OID_REQUEST
Trend Vision One™ Endpoint Security Vision One Workbench
- Multiple Suspicious UDP Payload Sent Using Shell and Netcat
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management and security operations, delivering robust layered protection across on-premises, hybrid, and multi-cloud environments.
Trend Vision One™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend™ Research on emerging threats and threat actors.
- Trend Vision One Threat Insights
- Trend Vision One Intelligence Reports (IOC Sweeping)
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
(ruleId: (5497 OR 5488) AND eventId:100119) OR (subRuleId: 46396 AND eventName:INTRUSION_DETECTION) AND LogType: detection
Indicators of Compromise (IoCs)
Indicators of Compromise can be found here.
With contributions from Joey Chen, Cisco TALOS Team