CISCO Backdoor Malware Overview
This report is about a critical Cisco Security Manager path traversal vulnerability that is being tracked as CVE-2020-27130. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to gain access to sensitive data and download files from the targeted device. Cisco has released software updates that remediate this vulnerability in the affected product versions.
Tactics, Techniques and Procedures
CVE-2020-27130 is a critical Cisco Security Manager path traversal vulnerability that could lead to a remote attacker accessing and manipulating sensitive data. This vulnerability is due to improper validation of directory traversal character sequences in requests sent to devices running the vulnerable software versions. The software weakness involved in CVE-2020-27130 is CWE-35 (Path Traversal). CWE-35 is present when software does not properly neutralize character sequences that resolve to locations outside of the restricted directory. This allows an attacker to traverse the file system to gain access to sensitive data.
An unauthenticated, remote attacker could exploit CVE-2020-27130 by sending a crafted request to a vulnerable device. Successful exploitation could allow the attacker to view sensitive data and download arbitrary files from the targeted host.
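To make the weakness in the two paragraphs above concrete, here is an added example (not code from the Avertium report or from Cisco) showing the CWE-35 failure mode in a file-serving handler: a filter that strips a literal `../` once is bypassed by `....//` and by percent-encoded dots, whereas normalizing the decoded path against the document root and checking the result keeps requests inside it. The same block includes a check a defender can run over web access logs to flag requests that carry traversal sequences. The document root, URL paths and log lines are constructed for illustration and do not describe any Cisco product.

```python
"""
Added example (not from the Avertium report or from Cisco): a weak path
traversal filter beside a hardened one, plus a log check that flags requests
containing traversal sequences. Every path and log line below is constructed.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

DOC_ROOT = "/srv/app/public"  # hypothetical document root of a file-serving handler


def naive_resolve(requested: str) -> str:
    """Weak filter (the CWE-35 pattern): remove the literal '../' once, join.

    '....//' loses one '../' and collapses to '../', and percent-encoded dots
    are never touched, so the resulting path can still leave DOC_ROOT.
    """
    cleaned = requested.replace("../", "")
    return posixpath.normpath(posixpath.join(DOC_ROOT, cleaned))


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened filter: decode twice (catches double encoding), reject NUL and
    backslashes, normalize against DOC_ROOT, then require that the normalized
    result still lies under DOC_ROOT. Returns None when the request escapes.

    On a live system also apply os.path.realpath to the candidate so that a
    symlink inside DOC_ROOT cannot redirect the read outside it.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


# Common Log Format: client, ident, user, [time], "METHOD path proto", status ...
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# '../' or '..\' anywhere in the decoded path; '....//' contains '../' too.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, decoded_path, status) for each request whose decoded
    URL path contains a traversal sequence. A 2xx status on such a request is
    the case that warrants immediate investigation."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        decoded = unquote(unquote(path))
        if TRAVERSAL_RE.search(decoded):
            hits.append((client, decoded, int(status)))
    return hits


# Constructed access-log lines; addresses come from documentation ranges and
# the paths are invented for the example.
ACCESS_LOG = [
    '203.0.113.5 - - [17/Nov/2020:10:01:12 +0000] "GET /static/css/site.css HTTP/1.1" 200 812',
    '198.51.100.9 - - [17/Nov/2020:10:01:15 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1423',
    '198.51.100.9 - - [17/Nov/2020:10:01:20 +0000] "GET /static/....//....//conf/app.properties HTTP/1.1" 404 221',
    '203.0.113.5 - - [17/Nov/2020:10:02:03 +0000] "GET /static/js/%2e%2e%2f%2e%2e%2fsecrets.txt HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for probe in ("../../etc/passwd", "....//etc/passwd", "%252e%252e/etc/passwd"):
        print(f"{probe!r:28} naive -> {naive_resolve(probe)}  safe -> {safe_resolve(probe)}")
    for client, path, status in flag_traversal_requests(ACCESS_LOG):
        print(f"traversal attempt from {client}: {path} (HTTP {status})")
```

The contrast to notice is that `naive_resolve` handles the plain `../../etc/passwd` case and still fails on `....//etc/passwd`, which is exactly the "improper validation of directory traversal character sequences" the advisory describes; checking the normalized result against the root, rather than trying to enumerate bad sequences, is what closes the class. In the log check, decoding before matching is what catches the percent-encoded and double-encoded variants.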
The only products known to be affected by CVE-2020-27130 are Cisco Security Manager versions 4.21 and prior.
When targeting Joomla systems, the malware downloads zip files called joomlahide.zip and joomla.zip from the domain shellx[.]org. One zip file contains a backdoor built for uploading files and the other archive contains the An0n_3xPloiTeR web shell. An0n_3xPloiTeR is designed to deface websites, change the colors of the site, inject code, offer logout and self-removal options, and much more.
Business Unit Impact
- Could lead to unauthorized access, manipulation, and exfiltration of sensitive company data
Recommendations
Companies using one of the affected Cisco Security Manager versions are encouraged to verify that the latest available version is in use and, if it is not, to update to that version to remediate this threat in their environment.
Sources
• NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-27130
• CVE-2020-27130: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27130
• Cisco Security Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR
• CWE-35: https://cwe.mitre.org/data/definitions/35.html
MITRE ATT&CK Techniques:
• Exploitation of Remote Services (T1210): https://attack.mitre.org/techniques/T1210/
• File and Directory Discovery (T1083): https://attack.mitre.org/techniques/T1083/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.