
Exploitation of Cisco Catalyst SD-WAN

Malicious cyber threat actors are actively exploiting Cisco Catalyst SD-WANs globally, primarily targeting systems with internet-exposed management interfaces. Upon compromise, attackers add malicious rogue peers to the network, enabling them to escalate privileges to root and maintain persistent access. A coalition of international cybersecurity agencies has released a joint Hunt Guide, and Cisco has issued software updates to mitigate the threat.

Sens: Immediate | Conf: high | Analyzed: 2026-03-19

Authors: NCSC-UK, ASD's ACSC, Canadian Centre for Cyber Security, NCSC-NZ, CISA, NSA

Source: NCSC

Key Takeaways

  • Threat actors are actively targeting and compromising Cisco Catalyst SD-WANs globally.
  • Attackers add malicious rogue peers to compromised SD-WANs to achieve root access and maintain persistent access.
  • Cisco Catalyst SD-WANs with management interfaces exposed to the internet are at the highest risk of compromise.
  • Cisco has released critical software updates for SD-WAN Manager and SD-WAN Controller.
  • Multiple international cybersecurity agencies have co-authored a Hunt Guide to assist defenders in detection and mitigation.

Affected Systems

  • Cisco Catalyst SD-WAN
  • Cisco Catalyst SD-WAN Manager
  • Cisco Catalyst SD-WAN Controller

Attack Chain

Threat actors target Cisco Catalyst SD-WAN environments, specifically seeking out management interfaces that are improperly exposed to the internet. After gaining initial access, the attackers manipulate the network configuration to add a malicious rogue peer. This rogue peer is then utilized to conduct follow-on actions, allowing the attackers to achieve root access and establish long-term persistence within the SD-WAN infrastructure.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article references a co-sealed Hunt Guide containing TTPs and detection strategies, but does not provide explicit detection rules in the text.

Detection Engineering Assessment

  • EDR Visibility: None — EDR agents are typically not supported or deployable on proprietary network appliances such as Cisco Catalyst SD-WAN controllers and managers.
  • Network Visibility: High — The attack involves adding rogue network peers and accessing management interfaces, which generates observable network traffic and configuration changes.
  • Detection Difficulty: Moderate — Detecting the activity requires active monitoring of SD-WAN configuration changes (specifically peer additions) and auditing of management interface access logs.

Required Log Sources

  • SD-WAN Manager logs
  • Syslog
  • Firewall logs
  • Authentication logs

Hunting Hypotheses

  • Hypothesis: Identify unauthorized or unexpected peer additions within the SD-WAN environment.
    Telemetry: SD-WAN Manager logs, Syslog | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Detect access attempts to SD-WAN management interfaces originating from external or untrusted IP addresses.
    Telemetry: Firewall logs, Network flow logs | ATT&CK Stage: Initial Access | FP Risk: Medium
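As an added illustration of the two hypotheses above (not part of the original report or the co-sealed Hunt Guide), a small Python hunt over constructed syslog-style events from a manager host. The key=value field layout, the approved-peer inventory and the allowed management source range are all assumptions, not Cisco's actual log format or any real environment.

```python
import ipaddress
import re

# Constructed sample events; the field layout is an assumption for illustration,
# not the real Cisco Catalyst SD-WAN Manager log format.
SAMPLE_LOGS = [
    "2026-03-18T09:12:01Z vmanage audit user=netops src=10.10.5.20 action=login result=success",
    "2026-03-18T09:14:33Z vmanage config user=netops action=peer-add peer-id=edge-042 system-ip=10.1.1.42",
    "2026-03-18T22:41:07Z vmanage audit user=admin src=203.0.113.77 action=login result=success",
    "2026-03-18T22:43:55Z vmanage config user=admin action=peer-add peer-id=edge-999 system-ip=10.9.9.9",
]

# Assumed change-controlled peer inventory and permitted management source networks.
APPROVED_PEERS = {"edge-042", "edge-043"}
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

KV = re.compile(r"(\w[\w-]*)=(\S+)")


def parse(line):
    """Split one event into timestamp, host, category and its key=value fields."""
    ts, host, category, rest = line.split(" ", 3)
    fields = dict(KV.findall(rest))
    fields.update(ts=ts, host=host, category=category)
    return fields


def hunt(lines, approved=APPROVED_PEERS, allowed=ALLOWED_MGMT_NETS):
    """Return (timestamp, reason) findings for both hunting hypotheses:
    peer additions outside the approved inventory, and successful management
    logins from a source address outside the allowed ranges."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev.get("action") == "peer-add" and ev.get("peer-id") not in approved:
            findings.append((ev["ts"], f"unapproved peer {ev['peer-id']} added by {ev['user']}"))
        if ev.get("action") == "login" and ev.get("result") == "success":
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in allowed):
                findings.append((ev["ts"], f"management login by {ev['user']} from untrusted {src}"))
    return findings


if __name__ == "__main__":
    for ts, reason in hunt(SAMPLE_LOGS):
        print(ts, reason)
```

In production the approved-peer set would be fed from the change-management record and the allowed networks from the VPN 512 management design, so that any peer or login outside them is a finding rather than noise.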

Control Gaps

  • Management interfaces exposed to the internet
  • Lack of pairwise keying for control and data plane security
  • Use of self-signed certificates for web user interfaces

Key Behavioral Indicators

  • Unexpected rogue peer provisioning
  • Root access privilege escalation events on SD-WAN controllers

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Update Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller to the latest fixed versions.
  • Ensure management interfaces are strictly isolated and never exposed to the internet.
  • Perform threat hunting for evidence of compromise using the provided Hunt Guide.

Infrastructure Hardening

  • Ensure control components are placed behind a firewall.
  • Isolate VPN 512 interfaces.
  • Use IP blocks for manually provisioned edge IPs.
  • Replace the self-signed certificate for the web user interface.
  • Use pairwise keying for control and data plane security.
  • Limit session timeouts to the shortest period possible.
  • Forward all logging to a remote syslog server.

User Protection

  • N/A

Security Awareness

  • Review the Cisco Catalyst SD-WAN Hardening Guide in full to ensure comprehensive network perimeter and control plane security.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1098 - Account Manipulation
  • T1068 - Exploitation for Privilege Escalation