Key Takeaways
- Cisco has disclosed a critical vulnerability, already being exploited, in some of its most widely deployed email security appliances; it allows attackers to take full control of affected devices
- There are no patches available at this time; Cisco's interim guidance is to wipe and rebuild the affected appliances' software while it develops a permanent remediation
- Cisco Talos links the attackers to China and to other known Chinese government hacking groups
- The campaign has been active since at least late November 2022, and Cisco has not said how many customers are affected
- The affected products are the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances (physical and virtual), which are widely used by large organizations
Introduction to the Vulnerability
On Wednesday, Cisco announced that attackers are exploiting a critical vulnerability in some of its most widely deployed products, allowing them to take full control of affected devices. The disclosure is particularly concerning because no patch is available yet. According to Cisco, the campaign was discovered on December 10 and targets Cisco AsyncOS software, specifically the physical and virtual Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The advisory noted that affected devices have the "Spam Quarantine" feature enabled and are reachable from the internet.
Scope of the Vulnerability
The mitigating factor is that the Spam Quarantine feature is not enabled by default and does not need to be exposed to the internet. Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that "the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface for this vulnerability." That may not be enough to ease concerns, however: Kevin Beaumont, a security researcher who tracks hacking campaigns, told TechCrunch that this appears to be a particularly problematic campaign. Many large organizations run the affected products, and with no patch available it is unclear how long the attackers have had backdoors on affected systems.
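Cisco's stated preconditions (Spam Quarantine enabled, appliance reachable from the internet) are what an exposure triage should test across a fleet. The script below is an added example, not Cisco's code or tooling: it reads a constructed ASA-style access list and a constructed appliance inventory, and flags appliances that meet both preconditions. The ACL syntax, the hostnames and addresses, the assumption that the end-user quarantine listens on TCP 82/83, and the RFC 1918 ranges treated as "not the internet" are all assumptions to adjust to your own environment; a finding of "exposed" means the device matches the advisory's description, not that it is confirmed compromised.

```python
"""Exposure triage for the AsyncOS Spam Quarantine preconditions (added example)."""
import ipaddress
import re

# Assumption: the end-user Spam Quarantine web listener uses HTTP 82 / HTTPS 83.
# Replace with the ports actually configured on your appliances.
QUARANTINE_PORTS = {82, 83}

# Assumption: only RFC 1918 space counts as "not the internet". Add your own
# internal or VPN ranges here.
PRIVATE_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed ASA-style ACL lines for illustration; not captured from a real device.
FIREWALL_RULES = """
access-list outside_in extended permit tcp any host 203.0.113.10 eq 25
access-list outside_in extended permit tcp any host 203.0.113.10 eq 83
access-list outside_in extended permit tcp 10.0.0.0 255.0.0.0 host 203.0.113.20 eq 83
access-list outside_in extended permit tcp any host 203.0.113.30 eq 443
""".strip().splitlines()

# Constructed inventory: appliance address and its Spam Quarantine enable state.
APPLIANCES = {
    "esa-1.example": {"ip": "203.0.113.10", "spam_quarantine": True},
    "sma-1.example": {"ip": "203.0.113.20", "spam_quarantine": True},
    "esa-2.example": {"ip": "203.0.113.30", "spam_quarantine": True},
    "esa-3.example": {"ip": "203.0.113.40", "spam_quarantine": False},
}

RULE_RE = re.compile(
    r"permit tcp (?P<src>any|\S+ \S+) host (?P<dst>\S+) eq (?P<port>\d+)"
)


def parse_rules(lines):
    """Yield (source_network, destination_ip, port) for each TCP permit rule."""
    for line in lines:
        m = RULE_RE.search(line)
        if not m:
            continue  # denies, non-TCP rules and comments are ignored
        src = m.group("src")
        if src == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            addr, mask = src.split()  # ASA writes "network netmask"
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        yield net, m.group("dst"), int(m.group("port"))


def is_private_source(net):
    """True when the whole source range sits inside one of PRIVATE_SOURCES."""
    return any(net.subnet_of(p) for p in PRIVATE_SOURCES)


def internet_exposed_ports(ip, rules):
    """Ports on `ip` that at least one non-private source range is permitted to reach."""
    return {port for net, dst, port in rules if dst == ip and not is_private_source(net)}


def assess(appliances, rules):
    """Map each appliance to a triage status.

    "exposed":          Spam Quarantine enabled and its listener internet-reachable
    "enabled-internal": Spam Quarantine enabled but its ports not internet-reachable
    "disabled":         Spam Quarantine off (outside the advisory's stated preconditions)
    """
    status = {}
    for host, info in appliances.items():
        if not info["spam_quarantine"]:
            status[host] = "disabled"
            continue
        open_ports = internet_exposed_ports(info["ip"], rules)
        status[host] = "exposed" if open_ports & QUARANTINE_PORTS else "enabled-internal"
    return status


if __name__ == "__main__":
    parsed = list(parse_rules(FIREWALL_RULES))
    for host, verdict in assess(APPLIANCES, parsed).items():
        print(f"{host:16} {verdict}")
```

On the constructed data only esa-1.example comes back "exposed": sma-1.example allows port 83 only from 10.0.0.0/8, and esa-2.example exposes 443 but not a quarantine port. Treat an "exposed" result as the trigger for the compromise assessment and the wipe-and-rebuild decision described below, not as a substitute for it.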
Response from Cisco
Cisco has not said how many customers are affected. When reached by TechCrunch, Cisco spokesperson Meredith Corley did not answer a series of questions and instead said that the company "is actively investigating the issue and developing a permanent remediation." With no patch available, the guidance Cisco is giving customers for now is essentially to wipe and rebuild the affected appliances' software. This is a significant step: it requires customers to take drastic action to eradicate the threat actors' persistence mechanism from the appliance, rather than simply applying an update.
Hackers Behind the Campaign
Cisco Talos, the company's threat intelligence research team, links the attackers behind the campaign to China and to other known Chinese government hacking groups. The researchers wrote that the attackers are exploiting the vulnerability, which is currently a zero-day, to install persistent backdoors, and that the campaign has been ongoing "since at least late November 2022." That timeline raises concerns about the scope and scale of the campaign and about how long affected organizations may have been compromised before discovery.
Conclusion and Next Steps
The discovery of this critical vulnerability is a serious concern for organizations that rely on these appliances for email security. With no patch available, wiping and rebuilding the affected appliances' software is a significant undertaking. Organizations should immediately determine whether their appliances have Spam Quarantine enabled and are reachable from the internet, and plan remediation accordingly. Cisco's investigation is ongoing, and more information is likely to become available in the coming days and weeks. In the meantime, organizations should remain vigilant and take a proactive approach to securing their systems and data.