Cyberattack Campaign Targeted Cisco Products, Impacting Cisco AsyncOS Software; Security Updates Released

Cisco Patched Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways

According to Cisco, a new cyberattack campaign targeted a limited subset of appliances that have certain ports open to the internet and are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

A month earlier, Cisco had warned that a China-linked hacking group was actively exploiting a previously unknown vulnerability in its Secure Email appliances to gain persistent access, forcing affected organizations to consider disruptive rebuilds of critical security infrastructure while patches remained unavailable.

Cisco disclosed that the vulnerability had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686.

Successful exploitation allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. The ongoing investigation has also revealed evidence of a persistence mechanism implanted by the threat actors to maintain a degree of control over compromised appliances.

Cisco has remediated the vulnerability that the threat actors exploited as part of this cyberattack campaign. For more information about the vulnerability, see the Details section of the Cisco advisory.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Cisco strongly recommends that customers follow the guidance provided in the Recommendations section of the Cisco advisory to assess exposure and mitigate risks.

Affected Products

  • Cisco has concluded its current investigation of this attack campaign. Cisco will update its advisory as appropriate if more information becomes available, although that is not currently anticipated.
  • This attack campaign targets Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when all of the following conditions are met:
      ◦ The appliance is running a vulnerable release of Cisco AsyncOS Software.
      ◦ The appliance is configured with the Spam Quarantine feature.
      ◦ The Spam Quarantine feature is exposed to and reachable from the internet.

Vulnerable Products

  • The vulnerability exploited by the threat actors affects Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when the appliance is configured with the Spam Quarantine feature, which is not enabled by default.

The vulnerability is addressed in the releases listed below; these releases also remove the persistence mechanisms that were identified in this attack campaign and installed on compromised appliances:

Cisco Email Security Gateway

  • Cisco AsyncOS Software Release 14.2 and earlier (Fixed in 15.0.5-016)
  • Cisco AsyncOS Software Release 15.0 (Fixed in 15.0.5-016)
  • Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-012)
  • Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-016)

Secure Email and Web Manager

  • Cisco AsyncOS Software Release 15.0 and earlier (Fixed in 15.0.2-007)
  • Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-007)
  • Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-010)

Deployment guides for these products do not require this feature to be directly exposed to the Internet.
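The three exposure conditions and the fixed-release lists above can be turned into a simple inventory check: is the running AsyncOS release below the fix for its train, and are the two Spam Quarantine conditions both true? The following Python is an added example written for this summary, not code from Cisco or from the source report. The release numbers come from the lists above; the product keys `esa`/`sma`, the `assess()` function and its verdict labels, the version-format assumption (dotted numbers with an optional `-NNN` build suffix, as the page writes them) and the inventory rows are all constructed here.

```python
"""Exposure check for the AsyncOS advisory summarised above (constructed example)."""
import re

# Fixed releases as listed on the page. Product keys "esa" (Cisco Secure
# Email Gateway) and "sma" (Cisco Secure Email and Web Manager) are this
# example's own shorthand, not Cisco identifiers.
FIXED_RELEASES = {
    "esa": {"15.0": "15.0.5-016", "15.5": "15.5.4-012", "16.0": "16.0.4-016"},
    "sma": {"15.0": "15.0.2-007", "15.5": "15.5.4-007", "16.0": "16.0.4-010"},
}
# The page lists "14.2 and earlier" (ESA) and "15.0 and earlier" (SMA) as
# fixed in the 15.0 train, so anything below 15.0 maps to that release.
EARLIEST_FIXED_TRAIN = {"esa": "15.0", "sma": "15.0"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text):
    """Turn '15.0.5-016' or '14.2' into a comparable (major, minor, patch, build) tuple.

    Assumption: AsyncOS versions are dotted numbers with an optional '-NNN'
    build suffix, which is how the page writes them; missing parts count as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def fixed_release_for(product, running):
    """Return the fixed release that applies to `running`, or None when the
    running train is newer than anything the page lists."""
    trains = FIXED_RELEASES[product]
    pv = parse_version(running)
    train = f"{pv[0]}.{pv[1]}"
    if train in trains:
        return trains[train]
    if pv < parse_version(EARLIEST_FIXED_TRAIN[product]):
        return trains[EARLIEST_FIXED_TRAIN[product]]
    return None


def assess(product, running, spam_quarantine_enabled, quarantine_internet_reachable):
    """Combine release status with the two campaign preconditions from the page.

    Returns a dict with:
      vulnerable_release - running release is below the fix for its train
      campaign_exposed   - all three advisory conditions are met
      upgrade_to         - fixed release to move to (None when not needed or unknown)
      verdict            - FIXED / EXPOSED / VULNERABLE_NOT_EXPOSED / UNLISTED
    """
    target = fixed_release_for(product, running)
    if target is None:
        return {"vulnerable_release": None, "campaign_exposed": None,
                "upgrade_to": None, "verdict": "UNLISTED"}
    vulnerable = parse_version(running) < parse_version(target)
    exposed = vulnerable and spam_quarantine_enabled and quarantine_internet_reachable
    if not vulnerable:
        verdict = "FIXED"
    elif exposed:
        # Upgrade and, because the page reports an implanted persistence
        # mechanism, treat the appliance as possibly compromised, not merely unpatched.
        verdict = "EXPOSED"
    else:
        # The page states there are no workarounds, so the upgrade is still required.
        verdict = "VULNERABLE_NOT_EXPOSED"
    return {"vulnerable_release": vulnerable, "campaign_exposed": exposed,
            "upgrade_to": target if vulnerable else None, "verdict": verdict}


if __name__ == "__main__":
    # Constructed inventory rows: (product, running release, SQ enabled, SQ internet-reachable)
    inventory = [
        ("esa", "14.2.0-620", True, True),
        ("esa", "15.0.5-016", True, True),
        ("sma", "16.0.3-100", False, True),
        ("esa", "17.0.0-001", True, True),
    ]
    for row in inventory:
        print(row, "->", assess(*row))
```

The `UNLISTED` verdict is deliberate: a train the page does not mention is reported as unknown rather than assumed safe, so it gets checked against the current Cisco advisory instead of being silently skipped.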

Sources: Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager
