Cybersecurity Threat Advisory 0072-20: Cisco Update to Global Intrusion Campaign
Cisco has reported that internal machines were compromised within one of their lab environments as a result of the vulnerability found in SolarWinds Orion. Approximately two dozen computers were compromised internally, all of which have reportedly already been identified and mitigated. Cisco has stated that there is currently no known impact to their services, products, or customer data, and that the incident is being monitored with “highest priority”.
Technical detail and additional information
What is the threat?
Many major organizations are coming forward and releasing statements to customers and users regarding their potential impact from the SolarWinds Orion compromise. The latest organization is Cisco, which has provided a comprehensive update concerning roughly half a dozen of their internal devices that were compromised, along with a list of common questions and answers customers might have. The majority of the press release is dedicated to assuaging customer fears that Cisco devices and services might be compromised because of this; at this time Cisco has stated that “there is no evidence at this time to indicate customer data has been exposed as a result of this incident.” [1]
What is the exposure or risk?
Cisco is a major player in effectively every IT-related market. Between their hardware, software, and services, Cisco has a vast user base that could be affected in the event of an internal compromise of the organization. However, the potential risk to customers as detailed in the Cisco press release appears to be nonexistent at this time. The organization has assured customers that there should be no impact to any products or services, and no compromise of customer data. Additionally, there was no indication that any attack is currently ongoing as a result of the compromised devices, nor have there been any attacks on other organizations because of Cisco’s compromise. Cisco has also elaborated that all currently identified compromised devices have been isolated from the network and are in the process of being remediated, and that all currently known Indicators of Compromise (IOCs) are being blocked.
What are the recommendations?
Although Cisco customers and users are not currently under any threat as a result of this internal compromise, Cisco has also included within their main article a pair of additional releases concerning Cisco Talos and the latest IOCs for Sunburst and other related exploits. Given that there is no reported fallout for users of Cisco products or services, there is no action to be taken by those users at this time.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.