Cisco issued an advisory for a flaw that the company has linked to exploits released by the Shadow Brokers group a month ago. The vulnerability (CVE-2016-6415), which has not yet been patched by the firewall manufacturer, affects Cisco IOS, Cisco IOS XE and Cisco IOS XR Software, and could be exploited by unauthenticated, remote attackers to execute arbitrary code. The vulnerability affects Internet Key Exchange (IKEv1) packet processing.
“Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms,” Cisco stated in the advisory.
Senrio CTO and founder Stephen Ridley told SCMagazine.com that researchers are more able to discover “the hallmark of a specific attack” following the release of code containing exploits affecting Cisco products.
Companies have likely been observing the behavior of their network traffic, he said. He told SCMagazine.com that he suspects new vulnerabilities “could have been discovered” through an examination of network traffic in the wild. The "1-day" tactic used to be primarily an offensive tool, he said, referring to the process of reverse engineering a vulnerability from a manufacturer's patch.
"1-days" are highly valuable, Ridley noted, especially concerning networking equipment and embedded devices due to difficulties applying patches to embedded systems.
Core Security system engineer Bobby Kuzma found the latest discovery extremely worrisome. When it was believed that attacks were relegated to Cisco PIX devices, “that was not good,” he wrote in an email to SCMagazine.com. “There's still (conservatively) about 20,000 of the devices floating around on the public internet, never mind how many still exist inside corporate infrastructure.”
The main risk is that an attacker can gather credentials and move laterally throughout a network to gather more credentials, according to Nehemiah Security vice-president of product management Rob Brownsword. This “reconnaissance” step “precedes a zero-day attack in the kill chain,” he wrote to SCMagazine.com. “Increasingly we are seeing that these zero day attacks are customized to a particular system, or even a particular endpoint.”

Kuzma predicted that patches for many of the devices affected by the flaw are unlikely to be deployed soon. He called the threat “a long-term bonanza” for attackers “wishing to intercept VPN communications for years to come.”