
    Date: 10/18/2023

    Cisco IOS XE Zero-Day Vulnerability

    Overview

    Cisco has issued a critical advisory about a zero-day vulnerability, CVE-2023-20198, that is being actively exploited. This vulnerability allows the unauthorized creation of a privileged account on affected devices, granting full control over the compromised system. The flaw resides in the Web User Interface of Cisco IOS XE software, affecting devices with the HTTP or HTTPS Server feature exposed to the Internet or untrusted networks.

    Potential Impact

    The severity of this vulnerability is critical (CVSS 10.0) and allows attackers to create privileged accounts, potentially leading to unauthorized control of the compromised device. Exploitation enables threat actors to execute malicious commands at the system or IOS level. Attackers could use this as an initial vector to launch additional attacks against an internal network. The exploit seems relatively easy to execute.

    Recommended Actions

    It is strongly recommended that Internet access to the Web User interface be removed. Refer to the Cisco security advisory for specific mitigation steps: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z.

    Administrators should also check for indicators of compromise if running a vulnerable device. It is also wise to ensure critical systems are protected and monitored with Endpoint Detection & Response software for visibility into potential post-exploitation activity.
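    As an added illustration of the two recommendations above (this is not code from the original briefing or from Cisco's advisory), the Python audit below reads a captured `show running-config` and flags a web UI that is enabled without an `ip http access-class` restriction. The configuration samples are constructed; the command names are standard IOS XE, and the access-class check is a heuristic because it does not evaluate the ACL's contents.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class WebUiStatus:
    http_enabled: bool
    https_enabled: bool
    access_class: Optional[str]  # ACL named by `ip http access-class`, if any

    @property
    def exposed(self) -> bool:
        # A disabled web UI is the recommended state. An enabled one is
        # tolerated here only if an access-class ACL limits who can reach it
        # (heuristic: the ACL body itself is not evaluated).
        return (self.http_enabled or self.https_enabled) and self.access_class is None


def audit_webui(running_config: str) -> WebUiStatus:
    """Walk a `show running-config` capture and extract the web UI settings."""
    http = https = False
    acl = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http = True
        elif line == "no ip http server":
            http = False
        elif line == "ip http secure-server":
            https = True
        elif line == "no ip http secure-server":
            https = False
        else:
            # Older releases take a numbered ACL; newer ones use `ipv4 <name>`.
            m = re.fullmatch(r"ip http access-class (?:ipv4 )?(\S+)", line)
            if m:
                acl = m.group(1)
    return WebUiStatus(http, https, acl)


# Constructed samples: an edge router with the web UI left on, and the same
# device after the HTTP and HTTPS servers have been disabled.
EXPOSED_CONFIG = "hostname edge-rtr-1\nip http server\nip http secure-server\n"
HARDENED_CONFIG = "hostname edge-rtr-1\nno ip http server\nno ip http secure-server\n"

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        status = audit_webui(cfg)
        print(f"{name}: {status} -> {'EXPOSED' if status.exposed else 'ok'}")
```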


      Ransomware Groups Targeting Unpatched WS_FTP Servers

      Overview

      Internet-exposed WS_FTP servers are being targeted in ransomware attacks due to an unpatched critical-severity vulnerability, CVE-2023-40044. The flaw is a .NET deserialization vulnerability in the Ad Hoc Transfer Module.

      Potential Impact

      The vulnerability allows unauthenticated attackers to execute commands on the underlying OS remotely through the Ad Hoc Transfer Module. Successful exploitation could result in more severe attacks such as encryption of data and potential financial loss.

      Recommended Actions

      It is strongly recommended that administrators upgrade to the latest patched version (8.8.2) of WS_FTP Server to prevent potential exploitation. If patching is not feasible, disabling the Ad Hoc Transfer Module is a possible mitigation. Additionally, it is recommended that regular vulnerability scanning be performed so that critical-severity vulnerabilities can be identified and addressed promptly.

      Sources

      https://www.bleepingcomputer.com/news/security/ransomware-attacks-now-target-unpatched-ws-ftp-servers/

      AvosLocker Ransomware Targeting Critical Infrastructure

      Overview

      The AvosLocker ransomware gang has been identified as targeting critical infrastructure in the U.S. The gang employs ransomware-as-a-service (RaaS) operations, so initial attack vectors may vary. However, GreyCastle Security has observed external vulnerability exploitation and social engineering to be common attack vectors of ransomware groups.

      Potential Impact

      AvosLocker leverages open-source tools and living-off-the-land tactics such as RDP, PowerShell, and Windows batch scripts. Cobalt Strike activity may also be observed for command and control. The threat actor may also leverage tools such as Rclone or FileZilla for data exfiltration.

      Recommended Actions

      The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following to mitigate AvosLocker ransomware:

      • Restrict or secure the use of remote access tools like AnyDesk, Atera, and similar.
      • Restrict the use of RDP internally. Where possible, ensure RDP access to critical systems is only permitted from jump hosts.
      • Restrict the use of PowerShell.

      Ensure Internet-facing systems are regularly scanned for vulnerabilities. Furthermore, ensure any management interfaces are not openly accessible from the Internet.

      Sources

      https://thehackernews.com/2023/10/fbi-cisa-warn-of-rising-avoslocker.html

      https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a

      How can we help?

      If you need assistance with any of the threats identified today or any other cybersecurity concerns, compliance issues or questions, please reach out through the contact button below. We stand ready to assist!
