Malicious cyber threat actors are targeting Cisco Catalyst Software Defined Wide Area Networks (SD-WAN) used by organisations globally. These actors are compromising SD-WANs to add a malicious rogue peer and then conduct a range of follow-on actions to achieve root access and maintain persistent access to the SD-WAN.
This cluster of cyber threat activity has targeted organisations using Cisco Catalyst SD-WANs globally. A Hunt Guide has been prepared based on observations from various investigations; it details the tactics, techniques, and procedures (TTPs) leveraged by these malicious actors. The Hunt Guide aims to support network defenders in conducting detection and threat hunting activities, and provides mitigation guidance to reduce the risk from the observed TTPs.
The Hunt Guide is being released by the following authoring and co-sealing agencies:
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (Cyber Centre)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States National Security Agency (NSA)
Cisco has released software updates for Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller.
Organisations employing Cisco Catalyst SD-WAN should follow the priority actions detailed below.
Cisco Catalyst SD-WANs that have management interfaces exposed to the internet are at the greatest risk of compromise. Management interfaces must never be exposed to the internet.
The authoring agencies strongly urge network defenders to follow these priority actions:
- Perform threat hunting for evidence of compromise detailed in the Hunt Guide.
- If you believe you have been compromised, collect artefacts from the device and, if you are in the UK, report it to the NCSC.
- Update to the latest fixed version of Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller, as detailed in their respective advisories.
- Apply the Cisco Catalyst SD-WAN Hardening Guide.
- Perform continuous threat hunting activities.
To reduce the risks to your networks, review the Cisco Catalyst SD-WAN Hardening Guide in full and take appropriate action, including but not limited to the following:
- Network perimeter controls
  - ensure control components are behind a firewall
  - isolate VPN 512 interfaces
  - use IP blocks for manually provisioned edge IPs
- SD-WAN Manager access
  - replace the self-signed certificate for the web user interface
- Control and data plane security
  - use pairwise keying
- Session timeout
  - limit to the shortest period possible
- Logging
  - forward to a remote syslog server
Any mitigation or eviction measures listed within are subject to change as new information becomes available and as ongoing coordinated operations dictate. Network defenders should ensure that any actions taken in response to the Hunt Guide comply with local laws and regulations in the jurisdictions in which they operate.
- Cisco Catalyst SD-WAN hardening guide
- ASD’s ACSC’s Cisco SD-WAN Threat Hunt Guide co-sealed by NSA, CISA, CCCS, NCSC-NZ and NCSC-UK
NCSC resources to help secure systems:
- Follow NCSC guidance including vulnerability management and preventing lateral movement.
- If your organisation is in the UK, you can sign up to the free NCSC Early Warning service to receive notifications of potential cyber threats on your network. If you are already an Early Warning user, please check your MyNCSC portal.
- The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.