[TheRecord] Cisco: Security devices are vulnerable to SNIcat data exfiltration technique

Networking equipment vendor Cisco said today that some of its security products fail to detect and stop traffic to malicious servers that abuse a technique called SNIcat to covertly steal data from inside corporate networks.

Affected devices include Cisco firewalls running FTD (Firepower Threat Defense) software, devices running the WSA (Web Security Appliance) modules, and all ISA3000 (Industrial Security Appliance) firewalls.

What is SNIcat?

First disclosed in August 2020, SNIcat is a data exfiltration technique discovered by Norwegian security firm mnemonic.

In particular, mnemonic researchers discovered that many popular network security devices only checked user traffic against their block-lists after the user’s device had negotiated a TLS handshake.

Starting from this premise, the mnemonic team developed a simple proof-of-concept Python script that takes sensitive information from a compromised computer and hides it inside the TLS Client Hello packet, which is sent at the very beginning of a TLS handshake, before the user’s connection is checked for suspicious traffic.

Image: mnemonic
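To make the detection side concrete, here is an added example in Python (not code from mnemonic, Cisco or The Record): it parses the server_name (SNI) extension out of a raw TLS ClientHello record and flags names whose leftmost label looks like encoded data rather than a hostname. The ClientHello builder, the threshold values and the domain names are constructed for this example.

```python
import math
import struct
from collections import Counter

def build_client_hello(sni: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying one SNI."""
    name = sni.encode()
    # extension type 0 (server_name), ext len, list len, name type 0, name len
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + b"\x00" * 32          # version, client random (zeroed)
            + b"\x00"                           # session id length 0
            + b"\x00\x02\xc0\x2f"               # one cipher suite
            + b"\x01\x00"                       # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                             # not a handshake / ClientHello
    pos = 9 + 2 + 32                            # skip version and random
    pos += 1 + record[pos]                      # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                      # compression methods
    if pos + 2 > len(record):
        return None                             # no extensions present
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(record)):
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0 and ext_len >= 5:      # server_name extension
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def sni_looks_like_exfil(sni: str) -> bool:
    """Heuristics (assumed thresholds): an over-long or high-entropy leftmost
    label, or an unusually deep subdomain chain, suggests encoded data."""
    labels = sni.split(".")
    first = labels[0]
    return (len(first) > 40 or len(labels) > 6
            or (len(first) >= 16 and shannon_entropy(first) > 3.5))
```

In practice the check runs on ClientHello records captured before the handshake completes, which is exactly the point in the flow where the affected devices were not yet inspecting traffic.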

Last year, mnemonic said they had limited resources at their disposal and were only able to test a handful of devices for SNIcat exfiltration; however, they said that more vendors were also likely to be blind to this technique.

Today, Cisco became the fourth major network security vendor—after F5 Networks, Fortinet, and Palo Alto Networks—to formally admit that its devices can be bypassed using the SNIcat technique.

Check Point said its devices were not vulnerable.

Cisco is currently investigating several other device models and is expected to release patches and detection rules. See the company’s official advisory for future updates.

Additional details on the SNIcat technique are also available in the video below, showing the mnemonic team presenting its findings at the Black Hat Europe 2020 security conference.

The post Cisco: Security devices are vulnerable to SNIcat data exfiltration technique appeared first on The Record by Recorded Future.

