Take devices offline until patched: Analyst
A large probing attack against Cisco devices was reported in August, noted Robert Beggs, head of Canadian incident response firm DigitalDefence. At the time, he said, it was suggested that this would be a prelude to widespread exploitation of a vulnerability. “In this case, at least, the Cisco vulnerability was expected,” he said. “The detection of wide-scale probing of devices appears to be a reliable predictor of a following attack.”
Because the vulnerabilities at the root of the attack can both be remotely exploited, affected devices should be taken offline until the patch is applied and verified to be in place, Beggs recommended.
It’s telling “and somewhat startling,” he added, that the CISA directive asks US federal agencies to supply memory files for forensic analysis on a “near immediate” timeline for all public-facing Cisco ASA hardware appliances.