This "Breaking News" edition of the Storm Watch podcast begins with the introduction of
themselves and their guest, Mark from Censys. They discuss the recent surge in activity around a new Cisco IOS vulnerability and the subsequent system implants, noting that approximately 41,983 hosts had this implant installed, an increase of about 5,000 to 6,000 from the previous day. The unique nature of this implant is discussed, highlighting that it does not persist through reboots or maintenance, but attackers can establish a more permanent threshold or entry point post-implant pre-reboot.
They also discuss the development of a scan profile for this vulnerability, facilitated by information provided by Talos in their blog post. Distribution of the affected hosts is examined, noting they are spread across many different autonomous system organizations, likely small businesses or residential users who received their devices from their Internet Service Providers (ISPs). They also note many entities scanning for this vulnerability, some unknown, indicating opportunistic behavior.
The podcast concludes with a discussion on the severity of this vulnerability, providing top-tier, or "God mode," access to networks, and encourages listeners to stay informed and safe, expressing hope to not report another breaking news issue before their next scheduled episode. Be sure to check out the GreyNoise blog for more details and updates on this active vulnerability.
