[TheRecord] Cisco: Security devices are vulnerable to SNIcat data exfiltration technique

Networking equipment vendor Cisco said today that some of its security products fail to detect and stop traffic to malicious servers that abuse a technique called SNIcat to covertly steal data from inside corporate networks.

Affected devices include Cisco firewalls running FTD (Firepower Threat Defense) software, devices running the WSA (Web Security Appliance) modules, and all ISA3000 (Industrial Security Appliance) firewalls.

What is SNIcat?

First disclosed in August 2020, SNIcat is a data exfiltration technique discovered by Norwegian security firm mnemonic.

In particular, mnemonic researchers discovered that many popular network security devices were checking user traffic against their block-lists after the user’s device negotiated a TLS handshake.

Starting from this premise, the mnemonic team developed a simple proof-of-concept Python script that would take sensitive information from a compromised computer and hide it inside the TLS Client Hello packet, which is exchanged at the beginning of a TLS handshake, and before the user’s connection was checked for possible suspicious traffic.
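The defender-side counterpart to the technique described above, as an added example that is not from the article or from mnemonic's proof-of-concept: extract the SNI host name from a TLS ClientHello at the very start of the handshake (the point the inspected devices skipped) and flag values that look like encoded payload chunks rather than host names. `build_client_hello` only constructs a sample ClientHello as test input, and the label-length and entropy thresholds are assumed starting points, not tuned values.

```python
import math
import struct
from collections import Counter

def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS record holding a ClientHello, or None."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # skip client_version and random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher_suites
    p += 1 + record[p]                               # compression_methods
    if p + 2 > len(record):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, p)
        p += 4
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack_from("!H", record, p + 3)[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None

def entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def classify_sni(sni: str, max_label=40, max_entropy=4.0) -> dict:
    """Flag SNI values whose longest label is shaped like an encoded data chunk (assumed thresholds)."""
    longest = max(sni.split("."), key=len)
    reasons = []
    if len(longest) > max_label:
        reasons.append("label length %d > %d" % (len(longest), max_label))
    if entropy(longest) > max_entropy:
        reasons.append("label entropy %.2f > %.1f" % (entropy(longest), max_entropy))
    return {"sni": sni, "suspicious": bool(reasons), "reasons": reasons}

def build_client_hello(sni: str) -> bytes:
    """Constructed test fixture: a minimal TLS 1.2 ClientHello carrying the given SNI."""
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for host in ("update.example.com", "abcdefghijklmnopqrstuvwxyz234567" * 2 + ".example.com"):
        print(classify_sni(extract_sni(build_client_hello(host))))
```

Run against captured ClientHello records (one record per connection), the same check becomes a detection rule that fires before any block-list lookup that waits for the handshake to finish.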

Image: mnemonic

Last year, mnemonic said they had limited resources at their disposal and were only able to test a handful of devices for SNIcat exfiltration; however, they said that more vendors were also likely to be blind to this technique.

Today, Cisco became the fourth major network security vendor—after F5 Networks, Fortinet, and Palo Alto Networks—to formally admit that its devices can be bypassed using the SNIcat technique.

Check Point said its devices were not vulnerable.

Cisco is currently investigating several other device models and is expected to release patches and detection rules. See the company’s official advisory for future updates.

Additional details on the SNIcat technique are also available in the video below, showing the mnemonic team presenting its findings at the Black Hat Europe 2020 security conference.

The post Cisco: Security devices are vulnerable to SNIcat data exfiltration technique appeared first on The Record by Recorded Future.
