TrendResearch has detected an operation where attackers exploited a Cisco Simple Network Management Protocol (SNMP) vulnerability to install a rootkit on vulnerable network devices.
The SNMP exploit referenced in Cisco’s latest advisory is CVE-2025-20352, which affects both 32-bit and 64-bit switch builds and can result in remote code execution (RCE). The operation targeted victims running older Linux systems that do not have endpoint detection response solutions, where they deployed Linux rootkits to hide activity and evade blue-team investigation and detection. Trend Research investigation also found that attackers used spoofed IPs and Mac email addresses in their attacks.
Read more…
Source: Trend Micro
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- From 12 to 21: How Kaspersky discovered connections between the Twelve and BlackJack groups
September 25, 2024
While analyzing attacks on Russian organizations, Kaspersky team regularly encounters overlapping tactics, techniques, and procedures (TTPs) among different cybercrime groups, and sometimes even shared tools. Kaspersky researchers recently discovered one such overlap: similar tools and tactics between two hacktivist groups – BlackJack and Twelve, which likely belong to a single cluster of activity. In this report, ...
- Ransomware Attackers Target Kansas Water Treatment Facility
September 24, 2024
On Sunday, a cyber attack on a water utility in Arkansas City, Kansas prompted its treatment facility to revert to manual operations. The city manager, Randy Frazer, confirmed that the water supply remains unaffected and safe, with no disruption to service reported. The plant’s manual operation is a precautionary measure to enhance security while the situation ...
- Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
September 23, 2024
Since 2022, Mandiant has tracked and reported on IT workers operating on behalf of the Democratic People’s Republic of Korea (DPRK). These workers pose as non-North Korean nationals to gain employment with organizations across a wide range of industries in order to generate revenue for the North Korean regime, particularly to evade sanctions and fund ...
- 100 million+ US citizens have records leaked by background check service
September 23, 2024
A background check left a huge database unprotected online containing 2.2TB of people’s data, according to research by Cybernews. The database was left passwordless and easily accessible to anyone on the internet by background check firm MC2 Data. MC2 Data gathers publicly available data to provide decision makers with information whether someone can rent a house, ...
- China accuses Taiwan-backed group of cyberattacks
September 23, 2024
The Ministry of State Security said a Taiwan military-backed hacking group has been carrying out cyberattacks against targets in China, urging people to report “anti-propaganda sabotage”. The ministry said since the beginning of this year, Anonymous 64 had sought to upload and broadcast “content that denigrates the mainland’s political system and major policies” on websites, outdoor ...
- How the Necro Trojan infiltrated Google Play, again
September 23, 2024
In late August 2024, Kaspersky researchers attention was drawn to a Spotify mod called Spotify Plus, version 18.9.40.5. At the time of writing this, the mod could be downloaded from spotiplusxyz and several related sites that linked to it. The original website claimed that the mod was certified, safe, and contained numerous additional features not found ...