1080*80 ad

Cisco ISE Bug Exploited in Attacks

Unpatched Cisco ISE Flaw Actively Exploited by Ransomware Gangs

Cybersecurity teams are on high alert as threat actors, including the notorious Akira ransomware group, are actively exploiting a critical vulnerability in Cisco’s Identity Services Engine (ISE). This flaw, if left unpatched, can provide attackers with complete control over a core component of your network’s security, effectively handing them the keys to the kingdom.

This is not a theoretical threat. Confirmed attacks are underway, making it imperative for organizations using Cisco ISE to take immediate action.

Understanding the Threat: CVE-2022-20867

The vulnerability at the heart of these attacks is tracked as CVE-2022-20867. It is a critical authentication bypass flaw found in the REST API of Cisco ISE. In simple terms, this bug allows an unauthenticated, remote attacker to craft a specific web request that tricks the system into granting them administrator privileges.

The flaw exists in how the system handles password verification, enabling an attacker to bypass security checks and create a new administrator account. Once they have this account, they have complete administrative control over the ISE appliance.

The High Stakes of an ISE Compromise

Cisco ISE is a foundational security product for many enterprises. It functions as a network’s central gatekeeper, enforcing policies to control who and what can access corporate resources. A compromised ISE appliance is a catastrophic security failure.

Attackers who successfully exploit this vulnerability can:

  • Gain Initial Network Access: By controlling the gatekeeper, they can create their own credentials to gain a foothold within your network.
  • Move Laterally: Once inside, they can use their privileged access to disable security policies, map the internal network, and move to other high-value systems.
  • Exfiltrate Sensitive Data: With administrative control, attackers can steal critical corporate information.
  • Deploy Ransomware: The ultimate goal for groups like Akira is to encrypt your entire network and demand a hefty ransom. An ISE compromise provides the perfect launchpad for such a devastating attack.

Security agencies have observed attackers exploiting this vulnerability to steal credentials and then using those credentials to connect to the network via VPN, often without needing to deploy malware initially, making the breach harder to detect.

Are You at Risk? Affected Cisco ISE Versions

This vulnerability affects specific versions of the software. Your systems are at high risk if you are running:

  • Cisco ISE Version 3.1 (and its service packs) without Patch 7, released in November 2022.
  • Cisco ISE Version 3.2 without Patch 3, released in January 2023.

Cisco has made security patches available for months, but any organization that has not yet applied them is a prime target for these ongoing attacks.

Actionable Steps to Protect Your Network

Protecting your organization requires a proactive and urgent response. If you are using Cisco ISE, you must take the following steps immediately.

  1. Apply Patches Now: This is the most critical step. Prioritize the deployment of the necessary security patches to eliminate the vulnerability. Ensure you are running a fully updated and supported version of the software.

  2. Hunt for Signs of Compromise: Since this vulnerability is being actively exploited, you must assume you may have already been targeted. Investigate your Cisco ISE logs for suspicious activity, including the creation of unauthorized administrator accounts or unexpected changes to security policies. Check for any unknown or rogue endpoints registered in the system.

  3. Restrict Access to the Management Interface: As a security best practice, the Cisco ISE management interface should never be exposed to the public internet. Access should be strictly limited to a secure, internal management network. If your interface is currently internet-facing, disable external access immediately.

  4. Monitor VPN and Network Logs: Keep a close eye on VPN logs for unusual login patterns, such as logins from unexpected geographic locations or at odd hours. Correlate these logs with ISE activity to detect potential abuse of stolen or newly created credentials.

This vulnerability serves as a stark reminder that even robust security tools require constant vigilance and maintenance. Failing to patch a known, critical flaw is an open invitation to cybercriminals who are actively searching for easy targets. Secure your network by patching your systems and verifying their integrity today.

Source: https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-cisco-ise-bug-exploited-in-attacks/

900*80 ad

      1080*80 ad