Company Details
cisco-talos-intelligence-group
237
25,159
541514
talosintelligence.com
0
CIS_1877933
In-progress

Cisco Talos Company CyberSecurity Posture
Cisco Talos is one of the largest and most trusted providers of cutting-edge security research globally. We provide the data Cisco Security products and services use to take action. The key differentiator of Talos is our process — seeing what is happening broadly across the threat landscape, acting on that data rapidly and meaningfully, and driving protection. Integral to that process is that Talos has more visibility than any other security vendor in the world and unique capabilities and scale in intelligence. The core mission at Talos is to provide verifiable and customizable defensive technologies and techniques that help customers quickly protect their assets. Our job is protecting your network.
Between 650 and 699

Cisco Talos Global Score (TPRM): XXXX

Description: Threat actors exploited a zero-day remote code execution (RCE) vulnerability (CVE-2025-20352) in older, unpatched Cisco networking devices (9400, 9300, and legacy 3750G series) to deploy a Linux rootkit in a campaign Trend Micro tracks as Operation Zero Disco. The rootkit grants persistent access, allows log manipulation, bypasses authentication (AAA and VTY ACLs), and enables lateral movement across VLANs via ARP spoofing. Attackers also attempted to exploit CVE-2017-3881, a 2017 flaw in Cisco's Cluster Management Protocol. The malware installs fileless hooks into the IOSd process that do not survive a reboot, and there is no reliable detection method: confirming a compromise requires low-level firmware/ROM analysis. Newer switches have partial ASLR protections, but sustained targeting could still compromise them. The attack risks unauthorized network control, data exfiltration, and lateral expansion within corporate or critical infrastructure environments. No public reports confirm data theft, but the rootkit's capabilities enable stealthy, long-term access for future operations. Trend Micro warns that compromised devices may serve as launchpads for broader attacks; no direct financial, reputational, or operational damages (such as outages or data leaks) were documented in the article.
Description: CISA issued Emergency Directive 25-03 ordering US federal agencies to urgently patch two actively exploited zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower firewalls: a remote code execution flaw (CVE-2025-20333) and a missing-authorization flaw (CVE-2025-20362) that attackers chained with it. The activity was linked to the state-sponsored actor behind the 2023–2024 ArcaneDoor campaign. The attacker deployed custom malware that disables logging, blocks forensic analysis, and installs a persistent backdoor by modifying the ROMMON bootloader. Despite repeated warnings, over 32,000 unpatched internet-facing devices remained exposed as of October 2025, risking full system compromise, lateral movement across networks, and data exfiltration. CISA mandated immediate firmware updates or decommissioning of legacy devices and stressed that non-public-facing appliances are also at risk. Successful exploitation could grant attackers unrestricted access to critical infrastructure, enabling espionage, disruption of government services, or further attacks on interconnected systems. CISA separately added three further actively exploited flaws to its KEV catalog, underscoring the escalating threat to federal networks.
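The switch compromise described above entered through SNMP and then bypassed AAA and VTY ACLs, and the page's own recommendations are to restrict SNMP to trusted management networks and to patch the telnet-based Cluster Management Protocol flaw. As an added illustration (editor's example, not code from the page, from Cisco or from Trend Micro), the following Python script audits a Cisco IOS/IOS XE running-config for exactly those exposure classes: SNMPv1/v2c community strings that are reachable from anywhere or grant write access, SNMPv3 groups without privacy or without an ACL, and VTY lines that accept telnet or carry no inbound access-class. The sample configs, ACL number and group names are constructed, and the check list is the editor's choice rather than a Cisco-published hardening baseline.

```python
"""Editor's example: audit a Cisco IOS/IOS XE running-config for SNMP and VTY exposure."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample running-config with deliberate weaknesses (not a real device).
SAMPLE_CONFIG = """\
access-list 10 permit 10.0.100.0 0.0.0.255
snmp-server community public RO
snmp-server community n3tadmin RW
snmp-server community ops-ro RO 10
snmp-server group NETMON v3 auth
snmp-server group NETSEC v3 priv access 10
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
end
"""
# Same device hardened: one SNMPv3 priv group behind ACL 10, SSH-only VTYs behind ACL 10.
HARDENED_CONFIG = """\
access-list 10 permit 10.0.100.0 0.0.0.255
snmp-server group NETSEC v3 priv access 10
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
end
"""
DEFAULT_COMMUNITIES = {"public", "private"}
# snmp-server community <string> [view <v>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: ipv6 \S+)?(?: (\S+))?$", re.I)
# snmp-server group <name> v3 {noauth|auth|priv} [...] [access <acl>]
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(?:.*\baccess (\S+))?", re.I)
VTY_RE = re.compile(r"^line vty \d+(?: \d+)?$")

@dataclass
class Finding:
    severity: str  # "high" or "medium"
    line: str      # config line (or VTY block header) that triggered the finding
    message: str

def _check_community(line, m):
    name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
    out = [Finding("medium", line, "SNMPv1/v2c community travels in cleartext; move to SNMPv3 priv")]
    if name.lower() in DEFAULT_COMMUNITIES:
        out.append(Finding("high", line, f"well-known community name '{name}'"))
    if mode == "RW":
        out.append(Finding("high", line, "read-write community permits config changes over SNMP"))
    if acl is None:
        out.append(Finding("high", line, "community reachable from any source; bind it to an ACL"))
    return out

def _check_group(line, m):
    out = []
    if m.group(2).lower() != "priv":
        out.append(Finding("medium", line, f"SNMPv3 group without privacy ({m.group(2)})"))
    if m.group(3) is None:
        out.append(Finding("medium", line, "SNMPv3 group has no 'access' ACL"))
    return out

def _check_vty(header, body):
    out = []
    transport = [b.split()[2:] for b in body if b.startswith("transport input")]
    if not transport:
        out.append(Finding("medium", header, "no explicit 'transport input'; default may allow telnet"))
    elif any({"telnet", "all"} & set(p) for p in transport):
        out.append(Finding("high", header, "telnet accepted on VTY (cleartext logins; CMP attack surface)"))
    if not any(b.startswith("access-class ") and b.endswith(" in") for b in body):
        out.append(Finding("high", header, "no inbound access-class; VTY reachable from any source"))
    return out

def audit_config(config_text: str) -> list[Finding]:
    """Return all findings for one running-config: SNMP lines first, then VTY blocks."""
    findings: list[Finding] = []
    vty_blocks: list[tuple[str, list[str]]] = []
    current = None  # (header, body) of the 'line vty' block currently being read
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if current is not None and line.startswith(" "):
            current[1].append(line.strip())   # indented line belongs to the open VTY block
            continue
        current = None
        if VTY_RE.match(line):
            current = (line, [])
            vty_blocks.append(current)
        elif m := COMMUNITY_RE.match(line):
            findings.extend(_check_community(line, m))
        elif m := GROUP_RE.match(line):
            findings.extend(_check_group(line, m))
    for header, body in vty_blocks:
        findings.extend(_check_vty(header, body))
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity:>6}] {f.line}: {f.message}")
```

Run against the weak config this reports eleven findings (six high, five medium); the hardened config reports none. Note what an ACL on the community string does not buy you: it narrows who can reach the SNMP service, but a stack overflow in the SNMP subsystem is still reachable from any host the ACL permits, so the ACL limits exposure to the management subnet rather than removing it, and the patch remains the fix.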


No incidents recorded for Cisco Talos in 2025.
Cisco Talos cyber incidents detection timeline including parent company and subsidiaries



This holiday season, as teams run lean and cyber threats rise, being open with what — and how — you share can protect both information and...
Cisco Talos has released its Incident Trends report for the third quarter of 2025, presenting new findings on ransomware activity,...
Public-facing applications have overtaken other entry points as the primary target for cybercriminals, according to Cisco Talos' Q3 2025...
In the ever-evolving landscape of cybersecurity, where threats multiply faster than defenses can adapt, open-source tools like ClamAV have...
Martin muses on how agentic AI is bringing efficiency improvements to the business of cyber crime.
In this week's newsletter, Amy recounts her journey from Halloween festivities to unraveling the story of the 2022 Viasat satellite hack,...
This blog demonstrates a proof of concept using LangChain and OpenAI, integrated with Cisco Umbrella API, to provide AI agents with...
This edition, Hazel explores the origins of Guy Fawkes Day and how heeding an anonymous warning prevented an assassination.
New Cisco Talos data shows that in the second half of 2025, the ransomware group Qilin continued publishing victim information on its leak...

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of Cisco Talos is https://talosintelligence.com/.
According to Rankiteo, Cisco Talos’s AI-generated cybersecurity score is 693, reflecting their Weak security posture.
According to Rankiteo, Cisco Talos currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, Cisco Talos is not certified under SOC 2 Type 1.
According to Rankiteo, Cisco Talos does not hold a SOC 2 Type 2 certification.
According to Rankiteo, Cisco Talos is not listed as GDPR compliant.
According to Rankiteo, Cisco Talos does not currently maintain PCI DSS compliance.
According to Rankiteo, Cisco Talos is not compliant with HIPAA regulations.
According to Rankiteo, Cisco Talos is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Cisco Talos operates primarily in the Computer and Network Security industry.
Cisco Talos employs approximately 237 people worldwide.
Cisco Talos presently has no subsidiaries across any sectors.
Cisco Talos’s official LinkedIn profile has approximately 25,159 followers.
Cisco Talos is classified under the NAICS code 541514, which corresponds to Others.
No, Cisco Talos does not have a profile on Crunchbase.
Yes, Cisco Talos maintains an official LinkedIn profile, used for branding and talent engagement, at https://www.linkedin.com/company/cisco-talos-intelligence-group.
As of November 29, 2025, Rankiteo reports that Cisco Talos has experienced 4 cybersecurity incidents.
Cisco Talos has an estimated 2,799 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Breach and Cyber Attack.
Detection and Response: For the Operation Zero Disco switch compromises, third-party assistance came from Trend Micro (investigation and analysis); containment guidance was a low-level firmware and ROM-region investigation for suspected compromises; remediation consisted of patching CVE-2025-20352 and CVE-2017-3881 and replacing or reimaging compromised devices (due to fileless persistence); communication ran through the Cisco PSIRT bulletin (updated October 6) and the Trend Micro research report; and enhanced monitoring for SNMP and UDP traffic anomalies was recommended. For the Cisco ASA/Firepower exploitation, third-party assistance came from the Shadowserver Foundation (threat detection) and Cisco (patch guidance); containment measures were firmware updates to patched versions, decommissioning of legacy/unsupported devices, and network segmentation (implied); remediation consisted of mandatory patching by December 3, 2025, replacement of unsupported hardware, and CISA follow-ups with non-compliant agencies; communication ran through CISA Emergency Directive 25-03 (2025-09-25), public advisories, and stakeholder notifications.
Title: APT41 Compromise of Taiwanese Government-Affiliated Research Institute
Description: APT41, a China-linked cyber threat group, compromised a Taiwanese government-affiliated research institute employing sophisticated tools like ShadowPad and Cobalt Strike. The attack involved exploiting vulnerabilities in Microsoft Office to initiate payload delivery, followed by document exfiltration, persistent access through web shells, and sophisticated evasion techniques. The institute suffered a breach of security systems resulting in the leakage of sensitive documents, possibly impacting governmental operations and data security. This incident has emphasized the need for robust cybersecurity measures within institutions that are integral to national infrastructure.
Type: Cyber Espionage
Attack Vector: Vulnerabilities in Microsoft Office; web shells
Vulnerability Exploited: Microsoft Office Vulnerabilities
Threat Actor: APT41
Motivation: Cyber Espionage
Title: Kimsuky APT Group Deploys MoonPeak RAT
Description: Cisco Talos researchers identified a new threat by a North Korea-linked APT group known as Kimsuky, which deployed a remote access trojan called MoonPeak. Although the specific targets have not been publicly disclosed, the RAT, evolved from XenoRAT, suggests a highly sophisticated espionage campaign. This could potentially lead to significant data breaches, intellectual property theft, and security compromise. The involvement of a nation-state actor and the continuous development of MoonPeak imply the possibility of critical impacts on infrastructure and geopolitical stability.
Type: Espionage Campaign
Attack Vector: Remote Access Trojan (RAT)
Threat Actor: Kimsuky
Motivation: Espionage
Title: Active Exploitation of Cisco ASA and Firepower Firewall Vulnerabilities (CVE-2025-20333, CVE-2025-20362)
Description: CISA has ordered US federal agencies to address two actively exploited zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362) in Cisco Adaptive Security Appliance (ASA) and Firepower firewalls. The vulnerabilities, a remote code execution flaw (CVE-2025-20333) and a missing-authorization flaw (CVE-2025-20362) that attackers chained with it, are linked to a state-sponsored threat actor responsible for the 2023–2024 ArcaneDoor campaign. Despite patches, ~32,000 unpatched internet-facing appliances remain vulnerable. CISA mandates firmware updates for all devices (including non-public-facing) and decommissioning of legacy/unsupported systems. Additional vulnerabilities (CVE-2025-12480, CVE-2025-62215, CVE-2025-9242) were also added to CISA's KEV catalog with a December 3, 2025, remediation deadline.
Date Detected: 2025-01-01
Date Publicly Disclosed: 2025-09-25
Type: Vulnerability Exploitation
Attack Vector: Remote code execution (RCE); authorization bypass; custom malware (backdoor persistence); ROMMON modification
Vulnerability Exploited: CVE-2025-20333 (Cisco ASA/Firepower, RCE); CVE-2025-20362 (Cisco ASA/Firepower, missing authorization)
Threat Actor: State-sponsored actor (linked to 2023–2024 ArcaneDoor campaign)
Motivation: Espionage; persistence; data exfiltration
Common Attack Types: The most common type of attack recorded is vulnerability exploitation.
Identification of Attack Vectors: The attack vectors identified in the recorded incidents are Microsoft Office vulnerabilities (APT41); the SNMP service (CVE-2025-20352) and the Cluster Management Protocol (CVE-2017-3881) (Operation Zero Disco); and unpatched Cisco ASA/Firepower appliances, internet-facing and internal, exposed to the zero-day vulnerabilities CVE-2025-20333 and CVE-2025-20362.

Data Compromised: Sensitive documents
Systems Affected: Security Systems
Operational Impact: Possible impact on governmental operations and data security

Data Compromised: Data breaches, Intellectual property theft

Systems Affected: ~32,000 unpatched internet-facing Cisco ASA/Firepower appliances (down from ~48,000)
Operational Impact: Potential disruption of federal agency networks; risk of persistent backdoor access
Brand Reputation Impact: Potential reputational damage to US federal agencies; erosion of public trust in cybersecurity posture
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are sensitive documents and intellectual property.

Entity Name: Taiwanese Government-Affiliated Research Institute
Entity Type: Government
Industry: Research
Location: Taiwan

Entity Name: Federal Civilian Executive Branch (FCEB) Agencies
Entity Type: Government
Industry: Public Sector
Location: United States

Entity Name: Organizations using Cisco ASA/Firepower appliances
Entity Type: Government, Private Sector
Location: Global (predominantly US)

Incident Response Plan Activated: True
Third Party Assistance: Shadowserver Foundation (Threat Detection), Cisco (Patch Guidance).
Containment Measures: Firmware updates to patched versions; decommissioning of legacy/unsupported devices; network segmentation (implied)
Remediation Measures: Mandatory patching by December 3, 2025; replacement of unsupported hardware; CISA follow-ups with non-compliant agencies
Communication Strategy: CISA Emergency Directive 25-03 (2025-09-25); public advisories; stakeholder notifications
Network Segmentation: True
Third-Party Assistance: The company involves third-party assistance in incident response through Trend Micro (investigation and analysis), the Shadowserver Foundation (threat detection), and Cisco (patch guidance).

Type of Data Compromised: Sensitive Documents
Sensitivity of Data: High
Data Exfiltration: Yes

Type of Data Compromised: Intellectual property

Data Exfiltration: Potential (via custom backdoor)
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: patching CVE-2025-20352 and CVE-2017-3881, replacing or reimaging compromised devices (due to fileless persistence), mandatory patching by December 3, 2025, replacement of unsupported hardware, and CISA follow-ups with non-compliant agencies.
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through low-level firmware and ROM-region investigation for suspected compromises, firmware updates to patched versions, decommissioning of legacy/unsupported devices, and network segmentation (implied).

Regulations Violated: CISA Emergency Directive 25-03 (non-compliance); FISMA (potential)
Regulatory Notifications: CISA KEV catalog updates; mandatory reporting for FCEB agencies

Lessons Learned: Need for robust cybersecurity measures within institutions that are integral to national infrastructure

Lessons Learned: Incomplete patching (e.g., updating to still-vulnerable versions) undermines mitigation efforts., Legacy/unsupported devices pose significant risks and must be decommissioned., State-sponsored actors leverage zero-days for long-term persistence (e.g., ROMMON backdoors)., Public-facing appliances are not the only attack surface; internal devices must also be patched.

Recommendations: Verify firmware versions against CISA's mitigation guidance to ensure fully patched status; prioritize replacement of end-of-life Cisco ASA/Firepower devices; implement network segmentation to limit lateral movement; enhance logging and monitoring for signs of ROMMON tampering or custom malware; conduct regular audits of internet-facing assets for unpatched vulnerabilities.
Key Lessons Learned: The key lessons learned from past incidents are: the need for robust cybersecurity measures within institutions that are integral to national infrastructure (APT41 case); legacy Cisco devices without ASLR remain highly vulnerable to RCE exploits even after patches are available, fileless rootkit hooks leave no reliable detection method and complicate forensic investigation, SNMP- and UDP-based attacks can bypass traditional security controls (e.g., firewalls, ACLs), and the lack of EDR/XDR solutions on networking devices creates blind spots for defenders (Operation Zero Disco); incomplete patching (e.g., updating to still-vulnerable versions) undermines mitigation efforts, legacy/unsupported devices pose significant risks and must be decommissioned, state-sponsored actors leverage zero-days for long-term persistence (e.g., ROMMON backdoors), and public-facing appliances are not the only attack surface, so internal devices must also be patched (ASA/Firepower case).
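The lesson about incomplete patching (updating to a version that is newer but still vulnerable) is easy to get wrong with Cisco ASA builds, because fixes ship per release train: a device on 9.18(4)50 is "newer" than 9.16(4)85 yet can still be below its own train's fixed build. The following added example (editor's code, not from CISA, Cisco or Talos) compares each appliance's reported version against the first fixed release of its own train rather than against a single number. The FIRST_FIXED table holds hypothetical placeholder values and must be replaced with the releases named in the Cisco advisory and CISA's mitigation guidance; the fleet snapshot of 'show version' lines is constructed.

```python
"""Editor's example: per-train check of Cisco ASA software versions against first fixed releases."""
import re

# Hypothetical placeholder table: release train (major, minor) -> first fixed build.
# Replace with the releases named in the Cisco advisory / CISA mitigation guidance.
FIRST_FIXED = {
    (9, 16): (9, 16, 4, 85),
    (9, 18): (9, 18, 4, 67),
    (9, 20): (9, 20, 4, 10),
}

# Accepts the 'show version' form 9.16(4)67 and the advisory form 9.16.4.67.
VERSION_RE = re.compile(r"(\d+)\.(\d+)[.(](\d+)[.)](\d+)")


def parse_version(text: str) -> tuple[int, int, int, int]:
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    major, minor, maint, interim = (int(g) for g in m.groups())
    return (major, minor, maint, interim)


def assess(version: str, table=FIRST_FIXED) -> str:
    """'patched', 'vulnerable', or 'unknown-train' (train not in table: EoL or unlisted)."""
    v = parse_version(version)
    fixed = table.get(v[:2])
    if fixed is None:
        return "unknown-train"
    # Compare only inside the train: 9.18(4)50 sorts above 9.16(4)85 but is still
    # below the 9.18 train's fix, which is exactly the incomplete-patching trap.
    return "patched" if v >= fixed else "vulnerable"


def extract_version(show_version_output: str) -> str:
    m = re.search(r"Software Version (\S+)", show_version_output)
    if not m:
        raise ValueError("no 'Software Version' line in output")
    return m.group(1)


def assess_fleet(fleet: dict[str, str], table=FIRST_FIXED) -> dict[str, str]:
    return {host: assess(extract_version(out), table) for host, out in fleet.items()}


# Constructed 'show version' first lines for four hypothetical appliances.
FLEET = {
    "asa-edge-01": "Cisco Adaptive Security Appliance Software Version 9.16(4)67",
    "asa-edge-02": "Cisco Adaptive Security Appliance Software Version 9.18(4)50",
    "asa-dc-01": "Cisco Adaptive Security Appliance Software Version 9.20(4)12",
    "asa-lab-01": "Cisco Adaptive Security Appliance Software Version 9.12(4)70",
}

if __name__ == "__main__":
    for host, status in assess_fleet(FLEET).items():
        print(f"{host}: {status}")
```

With the placeholder table, asa-edge-01 and asa-edge-02 come back vulnerable, asa-dc-01 patched, and asa-lab-01 unknown-train, which is the right answer for a train that no longer receives fixes: treat it as a replacement candidate, not as clean. A version check only confirms patch state; a device whose ROMMON was modified before the upgrade stays backdoored, which is why the page recommends hunting for ROMMON tampering separately.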

Source: Cyber Incident Description

Source: CISA Emergency Directive 25-03
URL: https://www.cisa.gov/news-events/directives/emergency-directive-25-03
Date Accessed: 2025-09-25

Source: Cisco Security Advisory (CVE-2025-20333, CVE-2025-20362)
Date Accessed: 2025-09-25

Source: Shadowserver Foundation Report (Unpatched Appliances)
URL: https://www.shadowserver.org/news/ongoing-cisco-asa-firepower-exploitation/
Date Accessed: 2025-10-01

Source: ArcaneDoor Campaign Analysis (2023–2024)
URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-100a
Date Accessed: 2024-04-15
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the following sources.
Source: Cyber Incident Description
Source: Cisco PSIRT Advisory for CVE-2025-20352; URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-snmp-rce-20352; Date Accessed: 2024-10-06
Source: Trend Micro Research: 'Operation Zero Disco'; URL: https://www.trendmicro.com/en_us/research/24/j/operation-zero-disco-exploiting-cisco-zero-day.html; Date Accessed: 2024-10-06
Source: Indicators of Compromise (IoCs) for Operation Zero Disco; URL: https://www.trendmicro.com/en_us/what-is/indicators-of-compromise-ioc.html; Date Accessed: 2024-10-06
Source: CISA Emergency Directive 25-03; URL: https://www.cisa.gov/news-events/directives/emergency-directive-25-03; Date Accessed: 2025-09-25
Source: Cisco Security Advisory (CVE-2025-20333, CVE-2025-20362); URL: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-firepower-rce-privesc-XXXXX; Date Accessed: 2025-09-25
Source: Shadowserver Foundation Report (Unpatched Appliances); URL: https://www.shadowserver.org/news/ongoing-cisco-asa-firepower-exploitation/; Date Accessed: 2025-10-01
Source: ArcaneDoor Campaign Analysis (2023–2024); URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-100a; Date Accessed: 2024-04-15

Investigation Status: Ongoing (CISA tracking active exploitation; remediation deadline: 2025-12-03)
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through the Cisco PSIRT bulletin (updated October 6), the Trend Micro research report, CISA Emergency Directive 25-03 (2025-09-25), public advisories, and stakeholder notifications.

Stakeholder Advisories: CISA directives, Cisco customer notifications, federal agency internal briefings.
Customer Advisories: Cisco PSIRT advisories; public warnings via the CISA KEV catalog
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: the Cisco PSIRT bulletin, the Trend Micro technical report, Cisco's recommendation to patch and monitor for suspicious UDP/SNMP activity, CISA directives, Cisco customer notifications, federal agency internal briefings, Cisco PSIRT advisories, and public warnings via the CISA KEV catalog.

Entry Point: Microsoft Office Vulnerabilities
Backdoors Established: Web Shells
High Value Targets: Sensitive Documents
Data Sold on Dark Web: Not reported in the cited sources

Entry Point: Unpatched Cisco ASA/Firepower appliances (internet-facing and internal); zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362)
Backdoors Established: Custom ROMMON backdoor; logging disablement; crash dump prevention
High Value Targets: US federal agency networks; sensitive government data
Data Sold on Dark Web: Not reported in the cited sources

Root Causes: Exploiting vulnerabilities in Microsoft Office

Root Causes: Failure to apply comprehensive patches (e.g., updating to intermediate vulnerable versions); persistence of legacy/unsupported devices in critical networks; insufficient validation of patch effectiveness; a state-sponsored actor's use of zero-days with custom malware for stealth
Corrective Actions: Mandatory firmware validation against CISA's approved versions; accelerated decommissioning of end-of-life hardware; enhanced supply chain risk management for network devices; expanded threat hunting for ROMMON-based persistence mechanisms
Post-Incident Analysis Process: The company's post-incident analysis relied on Trend Micro (investigation and analysis), with enhanced monitoring recommended for SNMP and UDP traffic anomalies, in the Operation Zero Disco case, and on the Shadowserver Foundation (threat detection) and Cisco (patch guidance) in the ASA/Firepower case.
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: accelerate patch deployment for Cisco IOS/IOS XE devices; implement network segmentation to limit blast radius; develop custom detection rules for UDP/SNMP-based rootkit C2 traffic; replace end-of-life devices (e.g., 3750G series) lacking modern protections like ASLR; mandatory firmware validation against CISA's approved versions; accelerated decommissioning of end-of-life hardware; enhanced supply chain risk management for network devices; expanded threat hunting for ROMMON-based persistence mechanisms.
Last Attacking Group: The attacking groups in the recorded incidents were APT41, Kimsuky, and a state-sponsored actor linked to the 2023–2024 ArcaneDoor campaign.
Most Recent Incident Detected: The most recent incident detected was on 2025-01-01.
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-09-25.
Most Significant Data Compromised: The most significant data compromised in an incident were sensitive documents and intellectual property.
Most Significant System Affected: The most significant systems affected in an incident were security systems (APT41 case) and Cisco 9400, 9300, and legacy 3750G series switches (Operation Zero Disco).
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident came from Trend Micro (investigation and analysis), the Shadowserver Foundation (threat detection), and Cisco (patch guidance).
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were a low-level firmware and ROM-region investigation recommended for suspected compromises, firmware updates to patched versions, decommissioning of legacy/unsupported devices, and network segmentation (implied).
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were intellectual property and sensitive documents.
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Public-facing appliances are not the only attack surface; internal devices must also be patched.
Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: implement network segmentation (including VLAN boundaries) to limit lateral movement; deploy EDR/XDR solutions capable of monitoring networking devices for anomalous behavior; immediately patch CVE-2025-20352 and CVE-2017-3881 on all Cisco IOS/IOS XE devices; conduct regular audits of internet-facing assets for unpatched vulnerabilities; enhance logging and monitoring for signs of ROMMON tampering or custom malware; conduct low-level firmware/ROM investigations if compromise is suspected (no reliable detection tools exist); disable SNMP, or restrict it to trusted management networks, if it is not critically needed; replace or reimage devices confirmed to be compromised, since persistence is fileless; monitor SNMP and UDP traffic for signs of exploitation (e.g., unexpected port listening, log tampering); verify firmware versions against CISA's mitigation guidance to ensure fully patched status; and prioritize replacement of end-of-life Cisco ASA/Firepower devices.
Most Recent Source: The most recent source of information about an incident are Trend Micro Research: 'Operation Zero Disco', Cyber Incident Description, Shadowserver Foundation Report (Unpatched Appliances), Cisco PSIRT Advisory for CVE-2025-20352, Indicators of Compromise (IoCs) for Operation Zero Disco, CISA Emergency Directive 25-03, Cisco Security Advisory (CVE-2025-20333, CVE-2025-20362) and ArcaneDoor Campaign Analysis (2023–2024).
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-snmp-rce-20352, https://www.trendmicro.com/en_us/research/24/j/operation-zero-disco-exploiting-cisco-zero-day.html, https://www.trendmicro.com/en_us/what-is/indicators-of-compromise-ioc.html, https://www.cisa.gov/news-events/directives/emergency-directive-25-03, https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-firepower-rce-privesc-XXXXX, https://www.shadowserver.org/news/ongoing-cisco-asa-firepower-exploitation/, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-100a .
Current Status of Most Recent Investigation: The current status of the most recent investigation is ongoing (no reliable detection method; manual firmware analysis required).
Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were the Cisco PSIRT bulletin, the Trend Micro technical report, CISA directives, Cisco customer notifications, and federal agency internal briefings.
Most Recent Customer Advisory: The most recent customer advisories issued were Cisco's recommendation to patch and monitor for suspicious UDP/SNMP activity, Cisco PSIRT advisories, and public warnings via the CISA KEV catalog.
Most Recent Entry Point: The most recent entry point recorded was Microsoft Office vulnerabilities.
Most Significant Root Cause: The most significant root causes identified in post-incident analysis were exploitation of vulnerabilities in Microsoft Office (APT41); unpatched vulnerabilities (CVE-2025-20352, CVE-2017-3881) in legacy Cisco devices, lack of EDR/XDR coverage for networking hardware, insufficient monitoring of SNMP and UDP traffic for anomalies, and fileless malware evading traditional detection mechanisms (Operation Zero Disco); and failure to apply comprehensive patches (e.g., updating to intermediate vulnerable versions), persistence of legacy/unsupported devices in critical networks, insufficient validation of patch effectiveness, and a state-sponsored actor's use of zero-days with custom malware for stealth (ASA/Firepower).
Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were accelerating patch deployment for Cisco IOS/IOS XE devices, implementing network segmentation to limit blast radius, developing custom detection rules for UDP/SNMP-based rootkit C2 traffic, and replacing end-of-life devices (e.g., 3750G series) lacking modern protections like ASLR (Operation Zero Disco); and mandatory firmware validation against CISA's approved versions, accelerated decommissioning of end-of-life hardware, enhanced supply chain risk management for network devices, and expanded threat hunting for ROMMON-based persistence mechanisms (ASA/Firepower).
