Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack, Vulnerability, Ransomware, Data Leak and Breach.

Total Financial Loss: The total financial loss from these incidents is estimated to be $13.07 million.

Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with took action to contain and eradicate the bad actors, and remediation measures with patches provided to users, remediation measures with suggested updates to remediate risk, and remediation measures with patching, and containment measures with disable the out-of-band ap image download feature, and remediation measures with software updates and patches, and containment measures with network segmentation, containment measures with multi-factor authentication (mfa), containment measures with disable unnecessary services, containment measures with implement strict firewall rules, containment measures with regular auditing of administrative accounts, and remediation measures with update to the latest firmware versions, and network segmentation with isolate management interfaces from production networks, and enhanced monitoring with monitor for suspicious activities in siem systems, and containment measures with apply patch ciscocm.cscwp27755_d0247-1.cop.sha512, containment measures with upgrade to 15su3 release, and remediation measures with monitor system logs for unauthorized root access, remediation measures with examine /var/log/active/syslog/secure file for indicators of compromise, and enhanced monitoring with monitor system logs for unauthorized root access, and remediation measures with upgrade to ise 3.3 patch 7 or ise 3.4 patch 2, and containment measures with immediate patching, and remediation measures with apply patches and enhanced fixed releases, and communication strategy with public advisory and urgent calls for patching, and containment measures with apply security updates, and remediation measures with update to 3.3 patch 7 and 3.4 patch 2, and and containment measures with disable radius authentication (switch to ldap/saml/local accounts), and remediation measures with apply free software updates provided by cisco, and communication strategy with public advisory via cisco’s august 2025 semiannual security advisory bundled publication, communication strategy with urgent recommendation for immediate patching, and containment measures with urgent patching advisory issued by cisco, and remediation measures with apply software updates to affected fmc versions, remediation measures with review radius authentication configurations, and communication strategy with public security advisory released by cisco, and enhanced monitoring with recommended: monitor for unauthorized access attempts targeting fmc interfaces, and and containment measures with limiting snmp access to trusted users (temporary mitigation), and remediation measures with applying security patches for cve-2025-20352, cve-2025-20240, and cve-2025-20149, and communication strategy with public advisory via cisco psirt, communication strategy with recommendation for immediate patching, and and third party assistance with u.k. national cyber security centre (ncsc), third party assistance with canadian centre for cyber security, and containment measures with cisco patches for cve-2025-20362, cve-2025-20333, cve-2025-20363, containment measures with urgent advisories for updates, containment measures with disabling vpn web services on vulnerable devices, and remediation measures with firmware analysis to detect rayinitiator/line viper, remediation measures with replacement of end-of-support (eos) devices, remediation measures with implementation of secure boot/trust anchor on newer models, and communication strategy with public advisories by ncsc (2025-09-25), communication strategy with cisco security bulletins, communication strategy with canadian centre for cyber security alerts, and enhanced monitoring with recommended for asa/ftd devices, and and third party assistance with five eyes intelligence alliance, third party assistance with cisco internal teams, and containment measures with urgent patching of cisco asa vulnerabilities, containment measures with emergency directives (e.g., u.s. cisa's midnight deadline for federal agencies), and communication strategy with public warnings by cse (canada), cisa (u.s.), ncsc (uk), communication strategy with media statements (e.g., cbc news), communication strategy with collaboration with five eyes alliance, and enhanced monitoring with recommended (implied by urgency of patching and detection evasion concerns), and and third party assistance with cisco cybersecurity experts, and containment measures with cisa directive to identify affected devices, containment measures with data collection and threat assessment using cisa tools, and remediation measures with patching vulnerabilities (cve-2024-20353, cve-2024-20359), remediation measures with addressing cyber vulnerabilities in cisco devices, and communication strategy with public disclosure via bloomberg, communication strategy with cisa advisories, and enhanced monitoring with use of cisa cybersecurity tools for threat assessment, and incident response plan activated with cisco security advisory (2024-09-25), incident response plan activated with cisa emergency directive (24-hour patching mandate), incident response plan activated with ncsc (uk) threat report, and third party assistance with the shadowserver foundation (threat monitoring), third party assistance with greynoise (early warning scans), and containment measures with restrict vpn web interface exposure, containment measures with disconnect end-of-support (eos) asa devices, containment measures with increase logging/monitoring for suspicious vpn logins, and remediation measures with apply cisco patches for cve-2025-20333 and cve-2025-20362, remediation measures with follow cisco hardening guidelines, and communication strategy with cisco security advisories [1, 2], communication strategy with cisa emergency directive, communication strategy with ncsc threat report, and enhanced monitoring with monitor for crafted http requests, enhanced monitoring with track suspicious vpn logins, and third party assistance with fbi investigation, third party assistance with symantec (threat intelligence), third party assistance with kaspersky (decryption tool), and and remediation measures with kaspersky released free decrypter (2022), and and third party assistance with fbi, third party assistance with international law enforcement (italy), and and and containment measures with immediate software upgrade to patched versions (e.g., 2.3.7.10-va), and remediation measures with no workarounds; mandatory patching, and communication strategy with public security advisory, communication strategy with direct customer notifications via tac..

Common Attack Types: The most common types of attacks the company has faced is Vulnerability.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Personal Google Account, Amazon Web Services, Compromised personal Google account, Cisco switches, Smart Install Feature, /aparchive/upload and /ap_spec_rec/upload/, Hardcoded SSH credentials, Crafted API requests, RADIUS authentication interface in FMC, Compromised local Administrator credentials, CVE-2025-20362 and CVE-2025-20333 in Cisco ASA VPN web services, Vulnerabilities in Cisco ASA devices (legacy systems targeted), Cisco ASA/FTD vulnerabilities (CVE-2024-20353, CVE-2024-20359), Exposed VPN Web InterfacesCrafted HTTP Requests Targeting CVE-2025-20333/CVE-2025-20362, Exploited Vulnerabilities (unspecified)Potential Phishing and corporate network breaches (method unspecified).

Average Financial Loss: The average financial loss per incident is $435.57 thousand.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Cisco Products Or Services, Sensitive Customer Data, Sensitive Employee Information, Intellectual Property, Supply Chain Operations, , Non-Sensitive Files, Classified Documents, Technical Schematics, Source Code, , Personal Details, Professional Profile, Educational Background, Cover Letter, Resume Content, , Sensitive Information, Sensitive Data, Personal Information, , Vpn Authentication Data, Cli Command History, Network Packet Captures, Potential Government Data, , Classified Government Documents, Espionage-Related Data, Fraud/Money Laundering Records, Foreign Agent Activities, , Corporate Network Credentials, Stolen Data (Unspecified), Non-Sensitive Files (Cisco Box Folder) and .

Incident Response Plan: The company's incident response plan is described as Cisco Security Advisory (2024-09-25), CISA Emergency Directive (24-hour patching mandate), NCSC (UK) Threat Report, , , .

Third-Party Assistance: The company involves third-party assistance in incident response through U.K. National Cyber Security Centre (NCSC), Canadian Centre for Cyber Security, , Five Eyes Intelligence Alliance, Cisco Internal Teams, , Cisco Cybersecurity Experts, , The Shadowserver Foundation (Threat Monitoring), Greynoise (Early Warning Scans), , FBI Investigation, Symantec (Threat Intelligence), Kaspersky (Decryption Tool), , FBI, international law enforcement (Italy), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patches provided to users, Suggested updates to remediate risk, , Patching, Software updates and patches, Update to the latest firmware versions, , Monitor system logs for unauthorized root access, Examine /var/log/active/syslog/secure file for indicators of compromise, , Upgrade to ISE 3.3 Patch 7 or ISE 3.4 Patch 2, , Apply patches and enhanced fixed releases, Update to 3.3 Patch 7 and 3.4 Patch 2, Apply free software updates provided by Cisco, , Apply software updates to affected FMC versions, Review RADIUS authentication configurations, , Applying security patches for CVE-2025-20352, CVE-2025-20240, and CVE-2025-20149, , Firmware analysis to detect RayInitiator/LINE VIPER, Replacement of end-of-support (EoS) devices, Implementation of Secure Boot/Trust Anchor on newer models, , Patching vulnerabilities (CVE-2024-20353, CVE-2024-20359), Addressing cyber vulnerabilities in Cisco devices, , Apply Cisco Patches for CVE-2025-20333 and CVE-2025-20362, Follow Cisco Hardening Guidelines, , Kaspersky released free decrypter (2022), , No workarounds; mandatory patching, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by took action to contain and eradicate the bad actors, , disable the out-of-band ap image download feature, network segmentation, multi-factor authentication (mfa), disable unnecessary services, implement strict firewall rules, regular auditing of administrative accounts, , apply patch ciscocm.cscwp27755_d0247-1.cop.sha512, upgrade to 15su3 release, , immediate patching, apply security updates, disable radius authentication (switch to ldap/saml/local accounts), , urgent patching advisory issued by cisco, , limiting snmp access to trusted users (temporary mitigation), , cisco patches for cve-2025-20362, cve-2025-20333, cve-2025-20363, urgent advisories for updates, disabling vpn web services on vulnerable devices, , urgent patching of cisco asa vulnerabilities, emergency directives (e.g., u.s. cisa's midnight deadline for federal agencies), , cisa directive to identify affected devices, data collection and threat assessment using cisa tools, , restrict vpn web interface exposure, disconnect end-of-support (eos) asa devices, increase logging/monitoring for suspicious vpn logins, , immediate software upgrade to patched versions (e.g., 2.3.7.10-va) and .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through U.S. Federal Charges (hacking, theft, extortion), Plea Deal (2025-10-29), Extradition from Italy (2023), , arrest (Italy, January 2024), extradition to U.S., guilty plea (October 29, 2024), charges: unlawful transfer of means of identification, trafficking in access information, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, conspiracy to commit money laundering, .

Key Lessons Learned: The key lessons learned from past incidents are The critical importance of maintaining updated systems and monitoring access control within corporate environments to prevent data breaches and maintain operational integrity.Immediate patching and auditing of wireless infrastructure to identify exposed systems.Immediate patching or system updates are the only effective mitigation strategy for critical vulnerabilities.Immediate patching is crucial for mitigating critical vulnerabilitiesProactive internal security testing can uncover critical vulnerabilities before exploitation (discovered by Brandon Sakai of Cisco).,Vulnerabilities in authentication systems (e.g., RADIUS) can have severe impacts if input validation is insufficient.,Lack of workarounds for critical flaws underscores the importance of patch management and alternative mitigation strategies (e.g., disabling vulnerable features).Critical importance of patching network security management systems promptly,Risks associated with improper input validation in authentication protocols,Need for defense-in-depth when using RADIUS for administrative accessEnd-of-support (EoS) devices pose significant risks even if functional,Advanced threat actors leverage multi-stage malware (bootkits + shellcode loaders) to evade detection,Persistence mechanisms (e.g., ROMMON modifications) can survive reboots/upgrades on legacy hardware,VPN web services are a high-value target for APT groups,Secure Boot/Trust Anchor technologies are critical for mitigating firmware-level attacksProactive Patching is Critical for Zero-Day Vulnerabilities,Exposed VPN Interfaces Are High-Risk Targets,Federal Directives Can Accelerate Response in Critical Infrastructure,Threat Intelligence Sharing (e.g., Shadowserver, Greynoise) Provides Early WarningsInitial access brokers play a critical role in ransomware ecosystems, enabling attacks by selling pre-compromised access.,Threat actors often masquerade as other nationalities (e.g., Yanluowang posed as Chinese but was Russian).,Cryptocurrency tracing and digital breadcrumbs (e.g., email, Apple ID) are vital for attribution.,Collaboration between cybersecurity firms (Symantec, Kaspersky) and law enforcement (FBI) can disrupt ransomware operations.,Leaked internal chats can expose operational details and debunk threat actor personas.Proactive internal vulnerability discovery (via TAC) highlights the importance of rigorous code review.,Lack of workarounds underscores the need for timely patch management in critical infrastructure.,Observer-level accounts can serve as attack vectors; least-privilege principles must be enforced.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Configure proper network segmentation, Collaboration with cybersecurity agencies (e.g., CSE, CISA, NCSC) for threat intelligence sharing., Disable unnecessary services, Enhanced monitoring for signs of compromise, especially in legacy systems., Prioritize security updates for VPN and remote access infrastructure., Implement strict firewall rules, Apply the patches as directed in the vendor's bulletin., Users should patch immediately., Organizations should prioritize updating affected systems immediately., Update to the latest firmware versions, Immediate patching of Cisco ASA vulnerabilities as per vendor and cyber agency guidelines., Review and update incident response plans for state-sponsored APTs., Organizations should disable the Out-of-Band AP Image Download feature and apply software updates., Implement multi-factor authentication (MFA), Monitor for suspicious activities in SIEM systems, Regularly audit user accounts with administrative privileges and Verify ISE versions and apply necessary patches.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: BleepingComputer, and Source: Cisco DisclosureDate Accessed: 2025-05-07, and Source: Cisco Security AdvisoryDate Accessed: 2025-07-01, and Source: California Office of the Attorney GeneralDate Accessed: 2016-10-25, and Source: zerodayinitiative.comUrl: https://www.zerodayinitiative.com, and Source: Cisco Security Advisory: CVE-2025-20265Url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-KLJ98X7QDate Accessed: August 2025, and Source: Cisco August 2025 Semiannual Security Advisory Bundled PublicationUrl: https://sec.cloudapps.cisco.com/security/center/publicationListing.xDate Accessed: August 2025, and Source: Cisco Security Advisory, and Source: Cisco PSIRT Advisory, and Source: U.K. National Cyber Security Centre (NCSC)Date Accessed: 2025-09-25, and Source: Cisco Security AdvisoryDate Accessed: 2025-09, and Source: Canadian Centre for Cyber Security AdvisoryDate Accessed: 2025-09, and Source: CBC NewsUrl: https://www.cbc.ca/news/politics/cisco-cyberattack-cse-warning-1.7240000Date Accessed: 2024-06-20, and Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA) Emergency DirectiveUrl: https://www.cisa.gov/news-events/directivesDate Accessed: 2024-06-20, and Source: Canadian Centre for Cyber Security (CSE) AdvisoryUrl: https://cyber.gc.ca/en/guidanceDate Accessed: 2024-06-20, and Source: UK National Cyber Security Centre (NCSC) WarningUrl: https://www.ncsc.gov.uk/newsDate Accessed: 2024-06-20, and Source: Cisco Security Advisory (ArcaneDoor)Url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-arcane-door-2024Date Accessed: 2024-06-20, and Source: BloombergDate Accessed: 2025-09-28, and Source: Wired, and Source: CISA Directive (September 25, 2025)Date Accessed: 2025-09-25, and Source: Cisco Security Advisory (CVE-2025-20333)Url: [1]Date Accessed: 2024-09-25, and Source: Cisco Security Advisory (CVE-2025-20362)Url: [2]Date Accessed: 2024-09-25, and Source: The Shadowserver Foundation - Vulnerable Cisco ASA/FTD Scan ReportDate Accessed: 2024-09-29, and Source: CISA Emergency Directive on Cisco ASA/FTD VulnerabilitiesDate Accessed: 2024-09-25, and Source: UK NCSC Threat Report on Line Viper and RayInitiator MalwareDate Accessed: 2024-09-29, and Source: Greynoise - Early Warning on Cisco ASA ScansDate Accessed: 2024-09-04, and Source: U.S. Department of Justice (Court Documents)Date Accessed: 2025-10-29, and Source: Seamus Hughes (Reporter, Unsealed Documents), and Source: Symantec (Yanluowang Discovery, 2021)Date Accessed: 2021-10, and Source: Kaspersky (Decrypter Release, 2022)Date Accessed: 2022, and Source: FBI Investigation (Cryptocurrency Tracing), and Source: Court Watch (Seamus Hughes), and Source: FBI affidavit (Special Agent Jeffrey Hunter), and Source: Blockchain analysis (ransom payments), and Source: Cisco Security Advisory.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public advisory and urgent calls for patching, Public Advisory Via Cisco’S August 2025 Semiannual Security Advisory Bundled Publication, Urgent Recommendation For Immediate Patching, Public Security Advisory Released By Cisco, Public Advisory Via Cisco Psirt, Recommendation For Immediate Patching, Public Advisories By Ncsc (2025-09-25), Cisco Security Bulletins, Canadian Centre For Cyber Security Alerts, Public Warnings By Cse (Canada), Cisa (U.S.), Ncsc (Uk), Media Statements (E.G., Cbc News), Collaboration With Five Eyes Alliance, Public Disclosure Via Bloomberg, Cisa Advisories, Cisco Security Advisories [1, 2], Cisa Emergency Directive, Ncsc Threat Report, Public Security Advisory and Direct Customer Notifications Via Tac.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Urgent Patching Recommended For All Affected Organizations., Customers Using Cisco Secure Fmc With Radius Enabled Should Apply Updates Or Disable Radius Immediately., , Cisco Customers Using Fmc With Radius Authentication, Public Security Advisory With Patch Instructions, , Cisco Psirt Advisory With Patching Guidance, Urgent Recommendation To Apply Patches Or Mitigate Snmp Access, , Urgent Patching Recommended For All Affected Organizations, Government Agencies Advised To Audit Asa Devices, Cisco Psirt Notifications, Public Security Bulletins, , Urgent Patching Directives For Federal Agencies (U.S.), Public Warnings For Critical Infrastructure Sectors (Canada, Uk, Five Eyes), Cisco Customer Notifications (Via Security Advisory), Guidance For Organizations Using Cisco Asa For Vpns, , Cisa Directives To Federal Agencies, Public Statements By Chris Butera (Cisa), Cisco Customers, Federal Civilian Executive Branch (Fceb) Agencies, Global Organizations Using Cisco Asa/Ftd, Apply Patches Immediately, Monitor For Indicators Of Compromise (Iocs), Review Vpn Access Logs For Unauthorized Activity, , Cisco Psirt Advisory With Fixed Software Details, Urgent Upgrade Notice For Affected Versions and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Monitor for suspicious activities in SIEM systems, Monitor system logs for unauthorized root access, Recommended: Monitor For Unauthorized Access Attempts Targeting Fmc Interfaces, , U.K. National Cyber Security Centre (Ncsc), Canadian Centre For Cyber Security, , Recommended For Asa/Ftd Devices, , Five Eyes Intelligence Alliance, Cisco Internal Teams, , Recommended (implied by urgency of patching and detection evasion concerns), Cisco Cybersecurity Experts, , Use Of Cisa Cybersecurity Tools For Threat Assessment, , The Shadowserver Foundation (Threat Monitoring), Greynoise (Early Warning Scans), , Monitor For Crafted Http Requests, Track Suspicious Vpn Logins, , Fbi Investigation, Symantec (Threat Intelligence), Kaspersky (Decryption Tool), , Fbi, International Law Enforcement (Italy), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Patches And Updates Provided To Users, , Patching, Software updates and disabling vulnerable features, Update To The Latest Firmware Versions, Configure Proper Network Segmentation, Implement Multi-Factor Authentication (Mfa), Disable Unnecessary Services, Implement Strict Firewall Rules, Regularly Audit User Accounts With Administrative Privileges, Monitor For Suspicious Activities In Siem Systems, , Apply Patch Ciscocm.Cscwp27755 D0247-1.Cop.Sha512, Upgrade To 15Su3 Release, , Apply Patches For Cve-2025-20337, , Apply patches and enhanced fixed releases, Update to 3.3 Patch 7 and 3.4 Patch 2, Released Patched Software Versions., Recommended Disabling Radius Authentication As A Temporary Mitigation., , Software Patch To Fix Input Handling, Enhanced Authentication Validation Mechanisms, , Patch Deployment (Cve-2025-20352, Others), Snmp Access Restrictions, , Accelerated Eos Timelines For Vulnerable Devices, Enhanced Firmware Integrity Checks In Asa Software, Improved Detection For Bootkit-Level Persistence, Collaboration With Ncsc/Cccs For Threat Intelligence Sharing, , Mandatory Vulnerability Assessments (Cisa Directive), Patch Management Enforcement, , Mandatory Patching Enforcement (E.G., Cisa Directive), Network Segmentation For Vpn Access Points, Enhanced Threat Detection For Malware (Line Viper, Rayinitiator), Accelerated End-Of-Support (Eos) Device Replacement, , Fbi Disruption Of Yanluowang Operations Via Arrest/Extradition Of Volkov., Kaspersky’S Public Release Of A Free Decrypter (2022)., Heightened Scrutiny Of Russian-Linked Threat Actors Masquerading As Other Nationalities., Emphasis On Tracing Cryptocurrency Transactions For Attribution., , Software Patch (Input Validation Fixes) Released In Versions 2.3.7.10-Va And Later, .

Ransom Payment History: The company has Paid ransoms in the past.

Last Ransom Demanded: The amount of the last ransom demanded was $1.5M+ (confirmed from two victims).

Last Attacking Group: The attacking group in the last incident were an Yanluowang ransomware gang, Unknown, Yanluowang Ransomware Gang, Sudhish Kasaba Ramesh, Yanluowang, Velvet Ant, Salt Typhoon, ArcaneDoorUAT4356Storm-1849Suspected China-linked state-sponsored group, State-sponsored actor (high confidence; linked to ArcaneDoor campaign), ArcaneDoor Hacker GroupRussian Hackers (for federal courts breach), Name: Aleksey Olegovich Volkov (aka 'chubaka.kor')Affiliation: ['Yanluowang Ransomware Gang', 'LockBit Ransomware Gang (alleged communication)']Nationality: RussianRole: Initial Access BrokerAliases: ['chubaka.kor', 'Alekseq Olegovi3 Volkov']Birthdate: 2000-03-20Cryptocurrency Wallets: ['Linked to Russian passport-verified account']Email: [email protected] Id: [email protected], Name: Aleksey Olegovich VolkovAliases: ['chubaka.kor', 'nets', '[email protected]', '[email protected]']Affiliation: ['Yanluowang ransomware group', 'potential link to LockBit ransomware gang']Nationality: RussianStatus: arrested (January 2024), extradited to U.S., pleaded guilty (October 29 and 2024).

Most Recent Incident Detected: The most recent incident detected was on 2018-09-24.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-10-29.

Most Recent Incident Resolved: The most recent incident resolved was on 2025-07-22.

Highest Financial Loss: The highest financial loss from an incident was $2,400,000.

Most Significant Data Compromised: The most significant data compromised in an incident were Cisco products or services, Sensitive customer data, Sensitive employee information, Intellectual property, Supply chain operations, , 3,176 files, 2,875,897,023 bytes in 2111 Directories, , non-sensitive files, classified documents, technical schematics, source code, , name, password, email address, phone number, security question answers, professional profile, educational background, cover letter, resume content, , Sensitive Information, Sensitive Data, names, addresses, emails, phone numbers, other sensitive data, , Potential exfiltration from government agencies, VPN credentials (via AAA bypass), CLI commands (harvested), Packet captures, , Classified documents (espionage, fraud, money laundering, foreign agent activities), and .

Most Significant System Affected: The most significant system affected in an incident were Cisco Small Business RV Series routers and 16,000 WebEx Teams accounts456 virtual machines and and and Splunk EnterpriseSplunk Cloud PlatformSplunk Secure Gateway app and and and Catalyst 9800-CL Wireless Controllers for CloudCatalyst 9800 series controllers and Catalyst 9800-CL Wireless Controllers for CloudCatalyst 9800 Embedded Wireless Controllers for Catalyst 9300/9400/9500 Series SwitchesCatalyst 9800 Series Wireless ControllersEmbedded Wireless Controller on Catalyst APs and Cisco UCS C-SeriesCisco UCS S-Series and Cisco Unified Communications ManagerCisco Unified Communications Manager Session Management Edition and Cisco ISE and ISE-PIC versions 3.4 and 3.3 and and Cisco Professional Careers mobile website and and Cisco Secure Firewall Management Center (FMC) Software (versions 7.0.7, 7.7.0 with RADIUS enabled) and Cisco Secure Firewall Management Center (FMC) Software (versions 7.0.7, 7.7.0) and Cisco devices running vulnerable IOS/IOS XE Software with SNMP enabled and Cisco ASA 5500-X Series (5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X)Devices running Cisco ASA Software 9.12 or 9.14 with VPN web services enabled and Cisco Adaptive Security Appliances (ASA)VPN-enabled systems used by remote workers and Cisco Adaptive Security Appliance (ASA)Firepower Threat Defense (FTD) softwareHundreds of Cisco firewall devicesU.S. federal courts computer systems and and and Cisco Catalyst Center Virtual Appliances on VMware ESXi (versions 2.3.7.3-VA and later, excluding 3.1+).

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was u.k. national cyber security centre (ncsc), canadian centre for cyber security, , five eyes intelligence alliance, cisco internal teams, , cisco cybersecurity experts, , the shadowserver foundation (threat monitoring), greynoise (early warning scans), , fbi investigation, symantec (threat intelligence), kaspersky (decryption tool), , fbi, international law enforcement (italy), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Took action to contain and eradicate the bad actors, Disable the Out-of-Band AP Image Download feature, Network segmentationMulti-factor authentication (MFA)Disable unnecessary servicesImplement strict firewall rulesRegular auditing of administrative accounts, Apply patch ciscocm.CSCwp27755_D0247-1.cop.sha512Upgrade to 15SU3 release, Immediate patching, Apply security updates, Disable RADIUS authentication (switch to LDAP/SAML/local accounts), Urgent patching advisory issued by Cisco, Limiting SNMP access to trusted users (temporary mitigation), Cisco patches for CVE-2025-20362, CVE-2025-20333, CVE-2025-20363Urgent advisories for updatesDisabling VPN web services on vulnerable devices, Urgent Patching of Cisco ASA VulnerabilitiesEmergency Directives (e.g., U.S. CISA's midnight deadline for federal agencies), CISA directive to identify affected devicesData collection and threat assessment using CISA tools, Restrict VPN Web Interface ExposureDisconnect End-of-Support (EoS) ASA DevicesIncrease Logging/Monitoring for Suspicious VPN Logins, Immediate software upgrade to patched versions (e.g. and 2.3.7.10-VA).

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Sensitive Data, cover letter, VPN credentials (via AAA bypass), CLI commands (harvested), professional profile, 2,875,897,023 bytes in 2111 Directories, Sensitive Information, classified documents, addresses, name, security question answers, emails, source code, Supply chain operations, password, other sensitive data, Potential exfiltration from government agencies, Packet captures, non-sensitive files, technical schematics, email address, resume content, Cisco products or services, Sensitive customer data, educational background, Sensitive employee information, Classified documents (espionage, fraud, money laundering, foreign agent activities), phone numbers, 3,176 files, phone number, Intellectual property and names.

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was U.S. Federal Charges (hacking, theft, extortion), Plea Deal (2025-10-29), Extradition from Italy (2023), , arrest (Italy, January 2024), extradition to U.S., guilty plea (October 29, 2024), charges: unlawful transfer of means of identification, trafficking in access information, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, conspiracy to commit money laundering, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Observer-level accounts can serve as attack vectors; least-privilege principles must be enforced.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Monitor for signs of exploitation (e.g., unexpected SNMP traffic, DoS symptoms), Implement strict firewall rules, Monitor dark web forums for initial access brokerage activity targeting your industry., Upgrade affected Cisco Catalyst Center Virtual Appliances to version 2.3.7.10-VA or later immediately., Implement multi-factor authentication (MFA) and least-privilege access to thwart initial access brokers., Organizations should disable the Out-of-Band AP Image Download feature and apply software updates., Upgrade to fixed software releases immediately, Immediately patch affected Cisco Secure FMC Software (versions 7.0.7, 7.7.0) to the latest release., Enable multi-factor authentication for FMC access where possible, Configure proper network segmentation, Prioritize this vulnerability as a 'priority-one' patching scenario due to its critical severity (CVSS 10.0) and potential for unauthenticated remote code execution., Monitor authentication logs for anomalous activity, Apply the patches as directed in the vendor's bulletin., Users should patch immediately., Organizations should prioritize updating affected systems immediately., Implement network segmentation for firewall management interfaces, Enable Secure Boot and Trust Anchor on supported devices, Deploy Enhanced Monitoring for Suspicious HTTP Requests and VPN Logins, Audit user roles to minimize Observer-level access where unnecessary., Conduct forensic analysis of ASA firmware for signs of RayInitiator/LINE VIPER, Review Administrator credential security post-compromise, Disable RADIUS authentication if patching is not immediately feasible, and switch to LDAP, SAML SSO, or local accounts., Verify ISE versions and apply necessary patches, Review and harden RADIUS authentication configurations, Disable VPN web services if not essential, Follow CISA and NCSC Guidelines for Hardening Network Perimeters, Leverage threat intelligence sharing to identify emerging ransomware strains like Yanluowang., Disable unnecessary services, Prioritize security updates for VPN and remote access infrastructure., Immediately Patch CVE-2025-20333 and CVE-2025-20362 on All Cisco ASA/FTD Devices, Conduct Threat Hunting for 'Line Viper' and 'RayInitiator' Malware, Subscribe to vendor security advisories (e.g., Cisco PSIRT) for real-time alerts., Deploy network segmentation to limit lateral movement, Monitor for unusual CLI command activity or syslog suppression, Immediately patch CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, Monitor for unusual authentication attempts or command execution on FMC systems until patches are applied., Immediate patching of Cisco ASA vulnerabilities as per vendor and cyber agency guidelines., Prepare for double-extortion tactics (data encryption + exfiltration) in ransomware response plans., Monitor for suspicious activities in SIEM systems, Ensure devices have enough memory before upgrading, Immediately apply Cisco's patch for affected FMC versions (7.0.7, 7.7.0), Limit SNMP access to trusted users if patching is delayed, Collaboration with cybersecurity agencies (e.g., CSE, CISA, NCSC) for threat intelligence sharing., Enhanced monitoring for signs of compromise, especially in legacy systems., Implement behavioral detection for ICMP/TCP and WebVPN C2 traffic, Disconnect End-of-Support (EoS) Devices from Networks, Regularly audit cryptocurrency transactions for signs of ransomware payments., System administrators should take immediate action to mitigate risks, Update to the latest firmware versions, Review and update incident response plans for state-sponsored APTs., Implement multi-factor authentication (MFA), Test and confirm current configurations for hardware and software components, Restrict Public Exposure of VPN Web Interfaces, Monitor for unusual privilege escalation attempts or unauthorized account creation., Replace end-of-support Cisco ASA 5500-X Series devices, Regularly audit user accounts with administrative privileges and Conduct a review of all authentication mechanisms in enterprise firewall infrastructure to identify similar input validation risks..

Most Recent Source: The most recent source of information about an incident are FBI Investigation (Cryptocurrency Tracing), Canadian Centre for Cyber Security (CSE) Advisory, BleepingComputer, Cisco Security Advisory, Canadian Centre for Cyber Security Advisory, U.S. Department of Justice (Court Documents), UK NCSC Threat Report on Line Viper and RayInitiator Malware, Cisco Security Advisory (CVE-2025-20362), Greynoise - Early Warning on Cisco ASA Scans, Cisco PSIRT Advisory, CISA Emergency Directive on Cisco ASA/FTD Vulnerabilities, UK National Cyber Security Centre (NCSC) Warning, CBC News, Symantec (Yanluowang Discovery, 2021), Cisco Security Advisory: CVE-2025-20265, Cisco Security Advisory (ArcaneDoor), FBI affidavit (Special Agent Jeffrey Hunter), Blockchain analysis (ransom payments), Court Watch (Seamus Hughes), Kaspersky (Decrypter Release, 2022), Bloomberg, Seamus Hughes (Reporter, Unsealed Documents), U.K. National Cyber Security Centre (NCSC), zerodayinitiative.com, Cisco Disclosure, U.S. Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive, The Shadowserver Foundation - Vulnerable Cisco ASA/FTD Scan Report, California Office of the Attorney General, Cisco August 2025 Semiannual Security Advisory Bundled Publication, CISA Directive (September 25, 2025), Cisco Security Advisory (CVE-2025-20333) and Wired.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.zerodayinitiative.com, https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-KLJ98X7Q, https://sec.cloudapps.cisco.com/security/center/publicationListing.x, https://www.cbc.ca/news/politics/cisco-cyberattack-cse-warning-1.7240000, https://www.cisa.gov/news-events/directives, https://cyber.gc.ca/en/guidance, https://www.ncsc.gov.uk/news, https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-arcane-door-2024, [1], [2] .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing monitoring for exploitation attempts.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Urgent patching recommended for all affected organizations., Cisco customers using FMC with RADIUS authentication, Cisco PSIRT advisory with patching guidance, Urgent patching recommended for all affected organizations, Government agencies advised to audit ASA devices, Urgent patching directives for federal agencies (U.S.), Public warnings for critical infrastructure sectors (Canada, UK, Five Eyes), CISA directives to federal agencies, Public statements by Chris Butera (CISA), Cisco Customers, Federal Civilian Executive Branch (FCEB) Agencies, Global Organizations Using Cisco ASA/FTD, Cisco PSIRT advisory with fixed software details, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Customers using Cisco Secure FMC with RADIUS enabled should apply updates or disable RADIUS immediately., Public security advisory with patch instructions, Urgent recommendation to apply patches or mitigate SNMP access, Cisco PSIRT notificationsPublic security bulletins, Cisco customer notifications (via security advisory)Guidance for organizations using Cisco ASA for VPNs, Apply Patches ImmediatelyMonitor for Indicators of Compromise (IoCs)Review VPN Access Logs for Unauthorized Activity and Urgent upgrade notice for affected versions.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Smart Install Feature, Cisco switches, Hardcoded SSH credentials, Personal Google Account, Amazon Web Services, Compromised personal Google account, Crafted API requests and /aparchive/upload and /ap_spec_rec/upload/.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Since 2024 (ArcaneDoor group activity), Late August 2024 (Greynoise Scans), July 2021 – November 2022.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Credential Compromise via Voice Phishing, Erroneous Security Configuration, Zero-day vulnerability CVE-2024-20399, Remote Code Execution (RCE) through malicious file uploadsUnauthorized disclosure of sensitive information through privilege escalation, Unpatched Systems, Hardcoded tokens, Hard-coded JWT present in the Out-of-Band Access Point (AP) Image Download feature, Improper input validationInsufficient access controlsInadequate session validationJWT manipulationSession hijacking, Hardcoded SSH credentials left in the system during development phases, Insufficient user-supplied input validation checks, Insufficient validation of user-supplied input in specific APIs, Unsafe deserialization and command injection in the enableStrongSwanTunnel() method., Insufficient input validation in RADIUS authentication subsystem.Improper handling of user-supplied credentials during authentication., Improper input validation during RADIUS authenticationLack of sufficient privilege separation in authentication flow, Stack-based buffer overflow in SNMP subsystemInsufficient input validation for SNMP packets, Exploitation of unpatched zero-day vulnerabilities in legacy devicesLack of Secure Boot/Trust Anchor on ASA 5500-X SeriesUse of end-of-support hardware in critical infrastructureInsufficient logging/monitoring for advanced evasion techniques, Exploitation of unpatched vulnerabilities in Cisco ASATargeting of legacy systemsState-sponsored actor sophistication, Unpatched zero-day vulnerabilities in Cisco devicesInsufficient monitoring of high-value targets, Delayed Patching of Zero-Day VulnerabilitiesOver-Exposure of VPN Interfaces to the Public InternetLack of Temporary Mitigations (No Workarounds Available)Insufficient Monitoring for Early Indicators of Exploitation, Insufficient network segmentation allowing lateral movement post-initial access.Lack of detection for initial access brokerage activity.Vulnerabilities in Yanluowang’s encryption algorithm (later exploited by Kaspersky for decrypter).Use of cryptocurrency for ransom payments enabling anonymity., initial access brokerage enabling ransomware deploymentcredential theft/exploitationpotential vulnerabilities in corporate networks, Insufficient validation of user-supplied input in HTTP requests.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Patches and updates provided to users, Patching, Software updates and disabling vulnerable features, Update to the latest firmware versionsConfigure proper network segmentationImplement multi-factor authentication (MFA)Disable unnecessary servicesImplement strict firewall rulesRegularly audit user accounts with administrative privilegesMonitor for suspicious activities in SIEM systems, Apply patch ciscocm.CSCwp27755_D0247-1.cop.sha512Upgrade to 15SU3 release, Apply patches for CVE-2025-20337, Apply patches and enhanced fixed releases, Update to 3.3 Patch 7 and 3.4 Patch 2, Released patched software versions.Recommended disabling RADIUS authentication as a temporary mitigation., Software patch to fix input handlingEnhanced authentication validation mechanisms, Patch deployment (CVE-2025-20352, others)SNMP access restrictions, Accelerated EoS timelines for vulnerable devicesEnhanced firmware integrity checks in ASA softwareImproved detection for bootkit-level persistenceCollaboration with NCSC/CCCS for threat intelligence sharing, Mandatory vulnerability assessments (CISA directive)Patch management enforcement, Mandatory Patching Enforcement (e.g., CISA Directive)Network Segmentation for VPN Access PointsEnhanced Threat Detection for Malware (Line Viper, RayInitiator)Accelerated End-of-Support (EoS) Device Replacement, FBI disruption of Yanluowang operations via arrest/extradition of Volkov.Kaspersky’s public release of a free decrypter (2022).Heightened scrutiny of Russian-linked threat actors masquerading as other nationalities.Emphasis on tracing cryptocurrency transactions for attribution., Software patch (input validation fixes) released in versions 2.3.7.10-VA and later.