Summary of Bulletin:
- On April 24, 2024, Cisco Talos and several government security agencies published details on a sophisticated threat campaign focused on espionage and gaining unauthorized access to sensitive information from targeted government entities and organizations in critical infrastructure.
- While the initial access vector has not yet been identified in this campaign, Cisco is continuing to investigate the possibility of an unauthenticated Remote Code Execution (RCE) vulnerability.
- The campaign documented by Cisco involved the deployment of several malware implants to conduct malicious activities, including configuration modification, network traffic capture, and lateral movement.
- According to Cisco, the threat actor abused the following two vulnerabilities, both in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, to establish persistence on targeted devices:
- CVE-2024-20353: Denial-of-Service (DoS) - Allows an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition.
- CVE-2024-20359: Persistent Local Code Execution - Allows an authenticated, local attacker with administrator-level privileges to execute arbitrary code with root-level privileges on the device.