Cisco has issued urgent warnings about a sophisticated hacking operation attributed to groups tied to China, which are leveraging a newly discovered zero-day vulnerability in its email security software. This exploit could give attackers complete control over compromised systems, according to the company's security team.
The campaign was first spotted on December 10, targeting AsyncOS, the operating system powering Cisco's Secure Email Gateway and Secure Email and Web Manager devices—available in both hardware and virtual forms. The vulnerability kicks in when the "Spam Quarantine" feature is active and the devices are exposed to the internet. While this feature isn't turned on by default and doesn't require public access, any internet-facing setups are vulnerable.
Experts like Michael Taggart from UCLA Health Sciences note that these prerequisites narrow the potential attack surface, but it's still a serious risk for exposed systems.
In a related development, researchers at Israeli firm Check Point have highlighted the activities of a threat actor dubbed Velvet Ant. This group has been running a long-term operation against an East Asian organization, using outdated F5 BIG-IP appliances to maintain a foothold in breached networks.
The zero-day in question, CVE-2024-20399, was quietly exploited until it surfaced recently, leading Cisco to push out fixes. It impacts a range of Cisco switches, including the MDS 9000 series and various Nexus models (3000, 5500, 5600, 6000, 7000, and 9000). Cisco has rolled out software updates and urges immediate patching.
For now, though, the only surefire fix for confirmed breaches is a full wipe and rebuild of the affected devices' software—no quick patch exists yet. "Rebuilding the appliances is currently the best way to remove any persistent threats left by the attackers," Cisco advises.
Cisco Talos, the firm's threat intelligence unit, links these hackers to Chinese state-sponsored operations. They've been using the flaw to plant enduring backdoors, with the campaign active since at least late November 2025. (Note: This date might be a reporting error; cross-check with official sources for accuracy.)
If you're running any of these Cisco products, review your configurations, apply updates where possible, and consider isolating internet-facing systems to minimize exposure. For the latest details, head straight to Cisco's security advisories. Stay vigilant—cyber threats like this are evolving fast.
By - Aaradhay Sharma
