Attackers compromised six Cisco VIRL-PE servers that were affected by critical SaltStack vulnerabilities.
Cisco fell prey to threat actors who compromised six Cisco servers via two recently discovered vulnerabilities in SaltStack Salt.
Cisco disclosed the attack in an advisory describing vulnerabilities affecting Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE). The company said the flaws reside in the open-source Salt management framework, which is deployed within these Cisco network-tooling products.
More about the products
CML or Cisco Modeling Labs Corporate Edition is a product that offers a virtual sandbox environment to design and configure network topologies.
The second product, VIRL-PE or Cisco Virtual Internet Routing Lab Personal Edition, is widely used to design, configure, and operate networks built from versions of Cisco’s operating systems.
Of the two products, it was six VIRL-PE servers that were successfully exploited by the attackers. The affected servers were 1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info and vsm-us-2.virl.info.
Details about the vulnerabilities
When F-Secure announced the two SaltStack vulnerabilities earlier in May 2020, threat actors began exploiting them almost immediately, and Cisco was among the victims.
More about the breach
As noted above, CML and VIRL-PE are the two products affected by the SaltStack vulnerabilities.
The Cisco-maintained salt-master servers used by VIRL were upgraded on May 7, 2020. Cisco also determined that the salt-master servers it operates to service Cisco VIRL-PE releases 1.2 and 1.3 had been compromised.
On the same day, Cisco remediated the affected servers and published software updates addressing these vulnerabilities, so that enterprise administrators running these products on-premises could patch their own installations.
Cisco did not reveal the attackers' ultimate goal; however, the company noted that in earlier attacks exploiting these flaws the intent was to install cryptocurrency miners.