GNU social JP
Conversation

  1. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-Feb-2024 01:57:50 JST

    ⚠️ Patch Cisco AnyConnect/ASA

    I've just been looking at data from @greynoise and other firms.

    There has been a significant uptick in scanning for Cisco AnyConnect VPN devices. 95% of the IPs doing it are tagged as malicious, not researchers or IoT search engines.

    Additionally, there is a ballooning of exploitation attempts, which appear to be attempts to remotely fingerprint version numbers.


    Attachments


    1. https://cyberplace.social/system/media_attachments/files/111/891/245/692/833/126/original/f002874c19d92b66.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-Feb-2024 02:04:02 JST

      Ransomware linked groups appear to have joined the AnyConnect train in anger at the beginning of February.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-Feb-2024 02:04:58 JST

      It builds on this situation with Akira, LockBit have also joined the fun. https://www.kyberturvallisuuskeskus.fi/en/news/finnish-organisations-targeted-akira-ransomware


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/111/891/275/100/494/121/original/5feaee55c5d5c6e2.png
      2. Finnish organisations targeted by Akira ransomware | NCSC-FI (www.kyberturvallisuuskeskus.fi)
        The National Cyber Security Centre Finland received 12 reports of Akira ransomware cases from Finnish organisations in 2023. The incidents were particularly related to weakly secured Cisco VPN implementations or their unpatched vulnerabilities. Recovery is usually hard.
    • Seth Mos (databeestje@noc.social)'s status on Thursday, 08-Feb-2024 03:16:11 JST

      @GossiTheDog @greynoise We see a massive jump in scans on our PA since this weekend. From 200-500 to 5-10k. Mostly Bulgaria

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-Feb-2024 03:20:40 JST

      Here's an example AnyConnect CVE, which started being yeeted this week (saml strings in GET request). 100% tagged as malicious in GreyNoise.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/111/891/575/358/265/627/original/9f77fc2b134e7b6b.png
    • Fafner [_KeyZee_] (f_kz_@infosec.exchange)'s status on Thursday, 08-Feb-2024 05:16:21 JST

      @ludiofines @GossiTheDog Wait to see if your company appears on RansomLook 😝 just kidding, no public checker ftm :(

    • ludiofines (ludiofines@cyberplace.social)'s status on Thursday, 08-Feb-2024 05:17:11 JST

      @F_kZ_ @GossiTheDog i was already thinking about that last week tbh. let's see...

    • brsn (brsn@infosec.exchange)'s status on Thursday, 08-Feb-2024 07:04:16 JST

      @GossiTheDog do you know which CVE this is?

    • SIEM Shady (cdubbs@infosec.exchange)'s status on Thursday, 08-Feb-2024 07:04:16 JST

      @brsn @GossiTheDog Is this in reference to the older CVE-2020-3259?


GNU social JP is a social network, courtesy of the GNU social JP administrator (GNU social JP管理人). It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.