bouncer

Low Level · 238.6K views · 8.8K likes

Analysis Summary

30% Low Influence

“Be aware that the dramatic framing of the hack naturally heightens interest in the sponsor's threat detection tool, but it's openly disclosed and topically relevant.”

Ask yourself: “Did I notice what this video wanted from me, and did I decide freely to say yes?”

Transparency: Transparent
Primary technique

Fear appeal

Presenting a vivid threat and then offering a specific action as the way to avoid it. Always structured as: "Something terrible will happen unless you do X." Most effective when the threat feels personal and the action feels achievable.

Witte's Extended Parallel Process Model (1992)

Human Detected
98%

Signals

The transcript exhibits clear markers of human spontaneity, including self-corrections, informal linguistic fillers, and a personalized teaching persona that deviates from the rigid structure of AI scripts. The technical explanation is delivered with a subjective perspective and natural prosody that synthetic voices currently lack.

Natural Speech Patterns: Use of filler words ('uh', 'right'), self-correction ('The vulnerability in question today is bad gateway. The vulnerability today in question is...'), and colloquialisms ('baby', 'pretty crazy, guys').
Personal Voice and Anecdotes: The narrator includes a personal disclaimer ('I'm not like an IT network admin... if that bothers you, sorry') and uses a distinct, conversational teaching style.
Contextual Metadata: The description contains links to personal projects (Low Level Academy, stacksmash.io) and specific hardware preferences (Q5 keyboard), indicating a consistent human creator identity.

Worth Noting

Positive elements

  • Offers a clear, step-by-step technical explanation of a chained SD-WAN exploit including peering vuln, firmware downgrade, and CLI path traversal, with log indicators for detection.

Be Aware

Cautionary elements

  • The fear appeal around advanced nation-state hacks primes uptake of the sponsor's dark web monitoring tool.

About this analysis

Knowing about these techniques makes them visible, not powerless. The ones that work best on you are the ones that match beliefs you already hold.

This analysis is a tool for your own thinking — what you do with it is up to you.

Analyzed March 29, 2026 at 20:34 UTC · Model x-ai/grok-4.1-fast · Prompt Pack bouncer_influence_analyzer 2026-03-28a · App Version 0.1.0
Transcript

You want to hack one computer, baby? Today we're hacking the whole network. Today we're talking about SD-WAN vulnerabilities in SD-WAN, a firmware downgrade attack that was used to hack a CVE from 2022 and how a threat actor used this to get into every branch of a particular company. It's pretty crazy, guys. The story here is from Cisco Talos and it has to do with UAT-8616. If you don't know what that is, that is also another word for Salt Typhoon, which I think Microsoft also has a separate name for. In either case, it is uh Salt Typhoon, a Chinese threat actor that has been caught using zero-days in the wild to hack into companies all over the world, all over the US, uh particularly water companies, power companies, more of like your OT, operational technology. To start this story, we have to go into kind of what SD-WAN is and what it's for. Now, for a long time, right, there's this problem when it comes to the management of IT networks where if you are a company with various different branches and different locations, you have to connect them all together. Now, for a long time, there were really, really old solutions like just private T1, T0 leased lines. And then eventually we upgraded to MPLS, right? Multiprotocol Label Switching, that allowed branch A and branch B to talk over some kind of private network and it would switch based off what protocol was being talked about. Also, by the way, I'm not like an IT network admin, so I'm going to very highly oversimplify this. If that bothers you, sorry. As a solution to MPLS, which depended on private networks because it was not encrypted by default, we upgraded to this thing called SD-WAN. SD-WAN is software-defined wide area networks and it allows companies to have branch A and branch B talk over any transport protocol and defined based on the protocol how and where it routes to. It's a very kind of flexible way of having branch A and branch B talk. Now the vulnerability in question today is bad gateway.
The vulnerability today in question is uh a vulnerability in the way that an SD-WAN controller peers to other networks. Now what does peering mean? Consider, for example, you are running one of these networks, right, and you have a new branch that wants to come online. Well, that new branch has to authenticate to the larger network that it is allowed to be there, right? How do you do that? You have either some kind of private key, public key, key exchange to sign a packet to say, "Hi, I am part of the company. I signed this with the company's private key." Or maybe you have a symmetric key that both you and the company have pre-shared, and use that to send some kind of symmetric exchange. You can use all of these cryptographic mechanisms to prove that yes, you are a member of the team. But what happens if there is a vulnerability in the way that this peering system works? Now the details of how this is broken are not known publicly. There is no PoC for this yet. But Cisco Talos observed UAT-8616 exploiting a vulnerability in the SD-WAN peering system which allowed them to create effectively a fake branch of a company network and just appear on this map as another node in the system. Now what does that mean? That means that they're able to advertise IP addresses, routes, are able to emit data into the network. They are able to join the management control plane at a lower privilege level. We'll go into why that matters here in a second. And ultimately just join the network. They did this by exploiting the public-facing port on these management systems and taking advantage of a vulnerability in how the peering works. Now, what's interesting here is that they land in the network. They can do things, but they're not necessarily privileged yet. They're not necessarily root. They can interact with the network. They can exploit other vulnerabilities, but they aren't really done yet.
What's really interesting here is they did what is commonly referred to as a firmware downgrade attack, right? So code, as it gets older, in theory gets more secure, right? We find vulnerabilities in software. We use the findings of vulnerabilities to kind of come up with tradecraft to make the software more and more secure. That implies that software from the past has more vulnerabilities. This is true because we have a vulnerability, CVE-2022-20755, which is a vulnerability in the CLI of the Cisco SD-WAN software that is only accessible by an authenticated local user and it allows them to escalate to root. Now remember the threat actor in this case has created a fake branch and they now can touch the management plane of this network with a low user, and so they then exploit this vulnerability after downgrading. This is why people typically complain like, why don't routers let you go to an older version of the firmware? Well, because literally if someone lands on your router and they want to do like escalation stuff, it is typically used for threat actors to downgrade your software to give them access to the old suite of all the old way of the vulnerabilities. And guys, real quick, while we can't stop bugs like this from happening, one thing we can do is stay ahead of cyber actors with today's sponsor, Flare. Flare is a threat exposure management platform that allows you to see if you or your company's data has been compromised by cybercrime. Flare has unmatched visibility into where cyber actors operate because they have access to 22,000 Telegram channels, over 100 million stealer logs, and get this, 25 billion leaked credentials. With their new credentials browser, I can't believe I can do this. I could just search for the domain of an email and see credentials. I have to blur out all of this, but the fact that this exists is crazy.
Well, you're able to see if your company's credentials have been compromised on the dark web and you can see like exactly what password was found. It's absolutely bonkers. And obviously Flare's bread and butter: you put in your identifiers into the Flare system and if they find events on the dark web and these illicit channels, they will send you an email to go remediate that damage. You guys know the drill. The best way to help the channel out, guys, is to go interact with the sponsor. Go give Flare a shot for free at the link below. Flare, thanks for sponsoring the video. Back to the video. So, this takes advantage of what is known as a path traversal. And yes, if you are in the world of VR, you will notice that we are still experiencing path traversals and SQL injections and command injections in the Lord's year 2026. Uh but that is just the nature of the game right now, ladies and gentlemen. That is where we're at. So what is a path traversal? Let me show you. Remind me later. So uh consider, for example, that we have a tool or utility, maybe consider nginx, and all we're doing is taking a user-supplied path and we are serving a file based on that path. Right? Very easy. So, we're going to call, we're going to read the file lol. My computer froze. Okay. Well, that file doesn't exist. And that's fine. I didn't make that file. I'm not going to open that file. I don't care about that file. Now, what if we're not going to sanitize the path of the file that is shown and I'm going to walk back up the directory tree, because, oh, by the way, the root of this file is /var/www/uploads. We're going to walk up the path here and we're going to open /etc/passwd, which is generally considered a sensitive file on a computer. And bada bing, bada boom, there is /etc/passwd. Now, I want to highlight /etc/passwd is not that scary. It just highlights username, user ID, group ID, and then your shell and your root directory.
Uh, but that being said, if you can access this when you shouldn't, probably not a great place to be, right? So, the vulnerability that they then downgraded to and exploited to get to root is a vulnerability in the way that the uh vshell CLI works. So, something something something, when you log into the system you are given a config file and the way the config file is generated is it uses this path here and then it uses your username. Well, what if we made our username dotemp fu external, which they were able to do, and prove they could read arbitrary files off the system, off the vsenter system, that is unauthenticated, or it's authenticated right now but with a low-privilege user. What they were able to do is read the ConfD IPC secret, IPC being inter-process communication, and they could use this to sign IPC requests that then said, "Oh, by the way, can we do this as UID 0, GID 0," which is root, right? So you'll see here, this is a script the finders of this vulnerability wrote up. They said, "Hey, can we run python tempex exploit.py123, right? And we're going to use this to leak out the ConfD uh IPC secret." And then we're going to use that to run vshell as root, right? Very, really crazy stuff. So the summary here, right? SD-WAN vulnerability: authenticate and join as a branch into the data center and then downgrade the vsenters that you're able to now touch to a vulnerable version to then upgrade, or to escalate, your privileges to root. Right? The fact that you can downgrade without being root, I'm not really sure like how that works, but absolutely insane vulnerability. So guys, if you are in the situation where maybe you manage one of these networks, all you have to do, all you got to do is upgrade your firmware. Um, also, if you're looking in your logs, right, you may want to look for uh patterns like this. This is all from Cisco Talos, by the way.
Um, you know, if you see a control connection state where there's a new peer trying to join, and that peer comes from an IP address that's public that you really don't recognize, it's probably no bueno that they are there. Maybe you go and deal with that. Um, and then also if you're looking for like evidence of privilege escalation, you want to look for uh attempts to authenticate with crafted usernames that contain traversal strings, uh because that is how they get into the user ID zero on the system. And then obviously you're checking for all the known compromised stuff like weird known_hosts, you're looking for weird keys, you're looking for weird sshd configs, all that traditional stuff. Now the question I know you are all waiting for me to answer. Would Rust have fixed this? Would R... would Rust have made this a little bit better? No. I don't know. Maybe the problem is no one knows why this vulnerability exists. No one knows the nature of the SD-WAN compromise. So like if it is either a cryptographic misimplementation where they either have a hard-coded private key or like they didn't sign something properly or there's like a hash extension attack, Rust would not have solved that, right? Or there's like a logic error in the state machine for the system. Rust would not have fixed that, right? That is an implementation error. Now, if this is a vulnerability in the way that the parsing and the execution of the peering system goes, then you are able to use memory corruption to potentially trick the state machine into thinking that it's already authenticated. Maybe we have a solution that Rust could solve, right? Maybe Rust could do this. The problem is typically in these larger kind of carrier-grade routers, um, they are written in real-time systems. They don't use kind of like your userland/kernel mode segmentation. They all kind of run at the same level in this very high-speed code. Uh, and so doing real-time Rust is very difficult.
There's actually a um Are We RTOS Yet, I think, is this site, which is literally just a site that shows you all of the real-time solutions for Rust. And there are a few good ones like Embassy is one that I recommend that I've been playing with a little bit in my free time. And then RTIC as well, but obviously this is not a solved problem. So, that being said, guys, if you like this video, if you like it, do me a favor. Hit that sub button and then go check out this other video that I think you will enjoy just as much. Go show Cisco Talos some love and then also check out the sponsor. Help the channel out. We'll see you in the next one. Take care, guys. Play.
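The username-derived config path that the transcript describes, as an added example (not code from the video, Cisco Talos or Cisco): a naive builder open to traversal next to a hardened one, plus the auth-log check for traversal strings in usernames that the transcript recommends looking for. The root path, the log line format and every username and address are constructed for this example.

```python
"""Username-derived config path: traversal weakness, hardened builder, and the
matching auth-log check. Root path, log format and usernames are constructed."""
import os
import re

CONFIG_ROOT = "/opt/demo/users"  # constructed stand-in for the real base path
ALLOWED_USER = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
# Traversal markers as they appear in logged usernames, plain or URL-encoded.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e|%2f|%5c|\x00", re.IGNORECASE)

def naive_config_path(username):
    """Vulnerable pattern: base path + username, no validation. '..' segments
    walk out of CONFIG_ROOT and a leading '/' makes join drop the base."""
    return os.path.normpath(os.path.join(CONFIG_ROOT, username))

def safe_config_path(username):
    """Hardened: allow-list the username, then prove the resolved path is
    still under CONFIG_ROOT before anything touches the filesystem."""
    if not ALLOWED_USER.match(username) or username in (".", ".."):
        raise ValueError("rejected username")
    root = os.path.realpath(CONFIG_ROOT)
    candidate = os.path.realpath(os.path.join(root, username))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes config root")
    return candidate

def rejects(username):
    # True when the hardened builder refuses the username.
    try:
        safe_config_path(username)
    except ValueError:
        return True
    return False

def flag_traversal_logins(lines):
    """Detection: (src_ip, username) for auth events whose username carries
    a traversal string; the log format here is constructed."""
    hits = []
    for line in lines:
        m = re.search(r'auth\s+src=(\S+)\s+user="(.*?)"', line)
        if m and TRAVERSAL.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample log lines, not output of any real device.
SAMPLE_LOG = [
    'auth src=10.8.1.20 user="alice" result=ok',
    'auth src=203.0.113.7 user="../../../etc/shadow" result=fail',
    'auth src=203.0.113.7 user="..%2f..%2fconfd" result=fail',
    'auth src=10.8.1.23 user="bob.smith" result=ok',
]
```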

Video description

Go try Flare for FREE at https://go.lowlevel.tv/flare2026 and see if your company's data is out there.
https://blog.talosintelligence.com/uat-8616-sd-wan/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
🏫 MY COURSES: Sign-up for my FREE 3-Day C Course: https://lowlevel.academy
🧙‍♂️ HACK YOUR CAREER: Wanna learn to hack? Join my new CTF platform: https://stacksmash.io
⌨️ KEYBOARD: Like what you hear? Grab a Q5 at https://go.lowlevel.tv/keyboard
🔥 COME HANG OUT: Check out my other stuff: https://lowlevel.tv

© 2026 GrayBeam Technology · v0.1.0 · ac93850 · 2026-04-03 22:43 UTC