from the filled-to-the-brim-with-girlish-glee dept.
https://www.bleepingcomputer.com/news/security/hackers-exploit-cisco-snmp-flaw-to-deploy-rootkit-on-switches/
https://archive.ph/crr3o
Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in older, unprotected Cisco networking devices to deploy a Linux rootkit and gain persistent access.
The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges.
According to cybersecurity company Trend Micro, the attacks targeted Cisco 9400, 9300, and legacy 3750G series devices that did not have endpoint detection response solutions.
In the original bulletin for CVE-2025-20352, updated on October 6, Cisco tagged the vulnerability as exploited as a zero day, with the company's Product Security Incident Response Team (PSIRT) saying it was "aware of successful exploitation."
Trend Micro researchers track the attacks under the name 'Operation Zero Disco' because the malware sets a universal access password that contains the word "disco."
The report from Trend Micro notes that the threat actor also attempted to exploit CVE-2017-3881, a seven-year-old vulnerability in the Cluster Management Protocol code in IOS and IOS XE.
The rootkit planted on vulnerable systems features a UDP controller that can listen on any port, toggle or delete logs, bypass AAA and VTY ACLs, enable/disable the universal password, hide running configuration items, and reset the last write timestamp for them.
In a simulated attack, the researchers showed that it is possible to disable logging, impersonate a waystation IP via ARP spoofing, bypass internal firewall rules, and move laterally between VLANs.
Although newer switches are more resistant to these attacks due to Address Space Layout Randomization (ASLR) protection, Trend Micro says that they are not immune and persistent targeting could compromise them.
After deploying the rootkit, the malware "installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot," the researchers say.
The researchers were able to recover both 32-bit and 64-bit variants of the SNMP exploit.Trend Micro notes that there currently exists no tool that can reliably flag a compromised Cisco switch from these attacks. If there is suspicion of a hack, the recommendation is to perform a low-level firmware and ROM region investigation.
A list of the indicators of compromise (IoCs) associated with 'Operation Zero Disco' can be found here.
(Score: 2) by driverless on Thursday October 23, @11:45AM (4 children)
Simple Network Management Protocol? Is that some Cisco alternative name for its actual one, Security Not My Problem?
(Score: 0) by Anonymous Coward on Thursday October 23, @02:10PM (3 children)
https://datatracker.ietf.org/doc/html/rfc1157 [ietf.org]
SNMP is old and not a Cisco invented protocol. (In case you did not know)
(Score: 2) by VLM on Thursday October 23, @03:31PM (1 child)
I was there and I remember in the 90s you were some kind of idiot if you put your SNMP ports open on the internet, probably with default password of password, instead of putting SNMP on a dedicated management VLAN.
I have an Observium and a Zabbix on my management VM, other than managed switches. Their SSH ports are on yet another VLAN for server management. Zabbix does not do SNMP as well as Observium but sometimes its useful to have a "second opinion". Yes I already know "the cool kids said everyone is supposed to replace Observium with LibreNMS" I've already heard it, might even do it next year LOL.
(Score: 2) by driverless on Friday October 24, @06:17AM
I think the schedule you're looking at is ASAP: After September, August Possibly.
(Score: 3, Touché) by driverless on Friday October 24, @06:04AM
Whoosh.