{"id":10527,"date":"2025-10-16T13:27:09","date_gmt":"2025-10-16T06:27:09","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10527"},"modified":"2026-02-05T13:27:16","modified_gmt":"2026-02-05T06:27:16","slug":"operation-zero-disco-tu-lo-hong-snmp-den-rootkit-an-minh-tren-thiet-bi-cisco","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/10\/16\/operation-zero-disco-tu-lo-hong-snmp-den-rootkit-an-minh-tren-thiet-bi-cisco\/","title":{"rendered":"Operation Zero Disco: T\u1eeb l\u1ed7 h\u1ed5ng SNMP \u0111\u1ebfn rootkit \u1ea9n m\u00ecnh tr\u00ean thi\u1ebft b\u1ecb Cisco"},"content":{"rendered":"

C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u c\u1ee7a Trend Micro v\u1eeba ph\u00e1t hi\u1ec7n m\u1ed9t chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng tinh vi mang t\u00ean Operation Zero Disco, l\u1ee3i d\u1ee5ng l\u1ed7 h\u1ed5ng nghi\u00eam tr\u1ecdng trong c\u01a1 ch\u1ebf Simple Network Management Protocol (SNMP) c\u1ee7a Cisco \u0111\u1ec3 chi\u1ebfm quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n thi\u1ebft b\u1ecb m\u1ea1ng v\u00e0 c\u00e0i \u0111\u1eb7t rootkit tr\u00ean n\u1ec1n t\u1ea3ng Linux. Chi\u1ebfn d\u1ecbch n\u00e0y ch\u1ee7 y\u1ebfu nh\u1eafm v\u00e0o c\u00e1c d\u00f2ng switch \u0111\u1eddi c\u0169, n\u01a1i k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 thi\u1ebft l\u1eadp c\u1eeda h\u1eadu v\u0129nh vi\u1ec5n v\u00e0 \u1ea9n m\u00ecnh s\u00e2u trong h\u1ea1 t\u1ea7ng m\u1ea1ng doanh nghi\u1ec7p.<\/b><\/p>\n

\n
\"Operation<\/div>\n<\/div>\n

C\u1ed1t l\u00f5i c\u1ee7a chi\u1ebfn d\u1ecbch n\u1eb1m \u1edf l\u1ed7 h\u1ed5ng CVE-2025-20352, \u1ea3nh h\u01b0\u1edfng \u0111\u1ebfn c\u1ea3 phi\u00ean b\u1ea3n 32-bit v\u00e0 64-bit c\u1ee7a ph\u1ea7n m\u1ec1m \u0111i\u1ec1u khi\u1ec3n Cisco. L\u1ed7 h\u1ed5ng cho ph\u00e9p th\u1ef1c thi m\u00e3 t\u1eeb xa (RCE) tr\u00ean thi\u1ebft b\u1ecb b\u1ecb \u1ea3nh h\u01b0\u1edfng, t\u1ea1o ra m\u1ed9t \u0111i\u1ec3m x\u00e2m nh\u1eadp m\u1ea1nh m\u1ebd cho c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng n\u1ed9i b\u1ed9. M\u1ee9c \u0111\u1ed9 nguy hi\u1ec3m t\u0103ng l\u00ean khi nhi\u1ec1u h\u1ec7 th\u1ed1ng v\u1eabn duy tr\u00ec c\u1ea5u h\u00ecnh SNMP m\u1eb7c \u0111\u1ecbnh v\u1edbi chu\u1ed7i c\u1ed9ng \u0111\u1ed3ng \u201cpublic\u201d, khi\u1ebfn vi\u1ec7c khai th\u00e1c tr\u1edf n\u00ean d\u1ec5 d\u00e0ng h\u01a1n bao gi\u1edd h\u1ebft.<\/p>\n

Theo d\u1eef li\u1ec7u t\u1eeb Trend Micro, c\u00e1c thi\u1ebft b\u1ecb Cisco d\u00f2ng 9400, 9300 v\u00e0 \u0111\u1eb7c bi\u1ec7t l\u00e0 3750G ch\u1ecbu \u1ea3nh h\u01b0\u1edfng n\u1eb7ng n\u1ec1 nh\u1ea5t. D\u00f2ng 3750G \u0111\u00e3 c\u0169 v\u00e0 kh\u00f4ng c\u00f2n \u0111\u01b0\u1ee3c h\u1ed7 tr\u1ee3, \u0111\u1ed3ng th\u1eddi thi\u1ebfu c\u00e1c c\u01a1 ch\u1ebf b\u1ea3o v\u1ec7 hi\u1ec7n \u0111\u1ea1i nh\u01b0 Address Space Layout Randomization (ASLR), khi\u1ebfn thi\u1ebft b\u1ecb d\u1ec5 tr\u1edf th\u00e0nh m\u1ee5c ti\u00eau t\u1ea5n c\u00f4ng. Ngay c\u1ea3 v\u1edbi nh\u1eefng m\u1eabu m\u1edbi c\u00f3 trang b\u1ecb ASLR, k\u1ebb t\u1ea5n c\u00f4ng v\u1eabn c\u00f3 th\u1ec3 khai th\u00e1c th\u00e0nh c\u00f4ng n\u1ebfu ki\u00ean tr\u00ec th\u1ef1c hi\u1ec7n l\u1eb7p \u0111i l\u1eb7p l\u1ea1i.<\/p>\n

Sau khi khai th\u00e1c th\u00e0nh c\u00f4ng, k\u1ebb t\u1ea5n c\u00f4ng tri\u1ec3n khai m\u1ed9t rootkit \u0111a t\u1ea7ng v\u1edbi kh\u1ea3 n\u0103ng duy tr\u00ec quy\u1ec1n ki\u1ec3m so\u00e1t l\u00e2u d\u00e0i. M\u1ed9t trong nh\u1eefng d\u1ea5u \u1ea5n th\u00fa v\u1ecb l\u00e0 vi\u1ec7c rootkit t\u1ea1o ra m\u1ed9t \u201cm\u1eadt kh\u1ea9u ph\u1ed5 qu\u00e1t\u201d ch\u1ee9a t\u1eeb \u201cdisco\u201d \u2013 \u0111\u01b0\u1ee3c cho l\u00e0 c\u00e1ch ch\u01a1i ch\u1eef c\u1ee7a \u201cCisco\u201d. M\u1eadt kh\u1ea9u n\u00e0y ho\u1ea1t \u0111\u1ed9ng tr\u00ean h\u1ea7u h\u1ebft c\u00e1c ph\u01b0\u01a1ng th\u1ee9c x\u00e1c th\u1ef1c nh\u01b0 AAA, \u0111\u0103ng nh\u1eadp c\u1ee5c b\u1ed9 hay enable mode, nh\u1edd v\u00e0o vi\u1ec7c hook tr\u1ef1c ti\u1ebfp v\u00e0o c\u00e1c h\u00e0m x\u00e1c th\u1ef1c trong b\u1ed9 nh\u1edb ti\u1ebfn tr\u00ecnh IOSd. M\u1eb7c d\u00f9 thay \u0111\u1ed5i n\u00e0y s\u1ebd bi\u1ebfn m\u1ea5t sau khi kh\u1edfi \u0111\u1ed9ng l\u1ea1i, nh\u01b0ng c\u00e1c th\u00e0nh ph\u1ea7n fileless v\u1eabn c\u00f3 th\u1ec3 duy tr\u00ec ho\u1ea1t \u0111\u1ed9ng b\u1eb1ng c\u00e1ch t\u00e1i ch\u00e8n m\u00e3 v\u00e0o b\u1ed9 nh\u1edb. \u0110\u1ed3ng th\u1eddi, c\u00e1c hook n\u00e0y c\u00f2n v\u00f4 hi\u1ec7u h\u00f3a h\u1ec7 th\u1ed1ng ghi log, che gi\u1ea5u m\u1ecdi thao t\u00e1c \u0111\u1ed9c h\u1ea1i kh\u1ecfi nh\u1eadt k\u00fd thi\u1ebft b\u1ecb.<\/p>\n

\n
\"1760600335947.png\"<\/div>\n

S\u1ef1 thay \u0111\u1ed5i trong b\u1ed9 nh\u1edb IOSd cho m\u1eadt kh\u1ea9u chung s\u1ebd bi\u1ebfn m\u1ea5t sau khi kh\u1edfi \u0111\u1ed9ng l\u1ea1i.
\n<\/i>\u200b<\/div>\n

Rootkit \u0111i k\u00e8m m\u1ed9t th\u00e0nh ph\u1ea7n \u0111i\u1ec1u khi\u1ec3n qua giao th\u1ee9c UDP, c\u00f3 th\u1ec3 ho\u1ea1t \u0111\u1ed9ng tr\u00ean b\u1ea5t k\u1ef3 c\u1ed5ng n\u00e0o m\u00e0 kh\u00f4ng c\u1ea7n m\u1edf port c\u00f4ng khai. Th\u00f4ng qua \u0111\u00f3, k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 b\u1eadt\/t\u1eaft l\u1ecbch s\u1eed log, x\u00f3a to\u00e0n b\u1ed9 b\u1ea3n ghi, b\u1ecf qua c\u01a1 ch\u1ebf AAA v\u00e0 danh s\u00e1ch ki\u1ec3m so\u00e1t truy c\u1eadp VTY, th\u1eadm ch\u00ed che gi\u1ea5u c\u00e1c ph\u1ea7n c\u1ee7a c\u1ea5u h\u00ecnh \u0111ang ch\u1ea1y. B\u1eb1ng c\u00e1ch gi\u1ea3 m\u1ea1o \u0111\u1ecba ch\u1ec9 IP c\u1ee7a c\u00e1c m\u00e1y tr\u1ea1m qu\u1ea3n tr\u1ecb, ch\u00fang c\u00f3 th\u1ec3 v\u01b0\u1ee3t qua t\u01b0\u1eddng l\u1eeda n\u1ed9i b\u1ed9, \u0111\u1ed3ng th\u1eddi \u0111\u1eb7t l\u1ea1i d\u1ea5u th\u1eddi gian c\u1ee7a c\u00e1c thay \u0111\u1ed5i c\u1ea5u h\u00ecnh \u0111\u1ec3 khi\u1ebfn ch\u00fang tr\u00f4ng nh\u01b0 ch\u01b0a t\u1eebng x\u1ea3y ra.<\/p>\n

\n
\"1760600759515.png\"<\/div>\n

K\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 truy c\u1eadp v\u00e0o c\u00e1c v\u00f9ng \u0111\u01b0\u1ee3c b\u1ea3o v\u1ec7 kh\u00e1c b\u1eb1ng c\u00e1ch m\u1ea1o danh \u0111\u1ecba ch\u1ec9 IP c\u1ee7a tr\u1ea1m trung chuy\u1ec3n \u0111\u1ec3 v\u01b0\u1ee3t qua t\u01b0\u1eddng l\u1eeda n\u1ed9i b\u1ed9<\/i>.
\n\u200b<\/div>\n

Kh\u00f4ng d\u1eebng l\u1ea1i \u1edf vi\u1ec7c chi\u1ebfm quy\u1ec1n, chi\u1ebfn d\u1ecbch c\u00f2n cho th\u1ea5y tr\u00ecnh \u0111\u1ed9 x\u00e2m nh\u1eadp s\u00e2u v\u00e0o h\u1ea1 t\u1ea7ng m\u1ea1ng tr\u1ecdng y\u1ebfu. Khi \u0111\u00e3 ki\u1ec3m so\u00e1t c\u00e1c switch trung t\u00e2m, k\u1ebb t\u1ea5n c\u00f4ng th\u00eam c\u00e1c quy t\u1eafc \u0111\u1ecbnh tuy\u1ebfn \u0111\u1ec3 n\u1ed1i c\u00e1c VLAN b\u1ecb ph\u00e2n t\u00e1ch, qua \u0111\u00f3 m\u1edf \u0111\u01b0\u1eddng di chuy\u1ec3n ngang trong h\u1ec7 th\u1ed1ng. Ch\u00fang c\u00e0i \u0111\u1eb7t c\u00e1c c\u00f4ng c\u1ee5 ARP spoofing ch\u1ea1y trong m\u00f4i tr\u01b0\u1eddng guest shell c\u1ee7a Cisco nh\u1eb1m chuy\u1ec3n h\u01b0\u1edbng l\u01b0u l\u01b0\u1ee3ng, t\u1ea1o xung \u0111\u1ed9t IP ho\u1eb7c \u0111\u00e1nh s\u1eadp thi\u1ebft b\u1ecb h\u1ee3p ph\u00e1p \u0111\u1ec3 chi\u1ebfm v\u1ecb tr\u00ed m\u1ea1ng. Trong qu\u00e1 tr\u00ecnh \u0111i\u1ec1u tra, Trend Micro c\u00f2n ph\u00e1t hi\u1ec7n c\u00e1c t\u00e0i kho\u1ea3n \u1ea9n c\u00f3 t\u00ean d\u1ea1ng \u201cdg3y8dpk\u201d \u0111\u1ebfn \u201cdg7y8hpk\u201d, c\u00f9ng c\u00e1c script EEM gi\u1ea3 m\u1ea1o nh\u01b0 \u201cCiscoEMX-1\u201d \u0111\u1ebfn \u201cCiscoEMX-5\u201d v\u00e0 ACL b\u1ecb che gi\u1ea5u d\u01b0\u1edbi t\u00ean \u201cEnaQWklg0\u201d \u0111\u1ebfn \u201cEnaQWklg2\u201d.<\/p>\n

\n
\"1760600846914.png\"<\/div>\n

S\u01a1 \u0111\u1ed3 m\u1ea1ng m\u00f4 ph\u1ecfng trong \u0111\u00f3 m\u1ed7i v\u00f9ng \u0111\u01b0\u1ee3c ph\u00e2n t\u00e1ch b\u1eb1ng m\u1ed9t b\u1ed9 chuy\u1ec3n m\u1ea1ch l\u00f5i v\u00e0 m\u1ed9t VLAN kh\u00e1c nhau
\n<\/i>\u200b<\/div>\n

\u0110\u00e1ng ch\u00fa \u00fd, chi\u1ebfn d\u1ecbch n\u00e0y c\u00f2n th\u1eed nghi\u1ec7m t\u1eadn d\u1ee5ng l\u1ea1i l\u1ed7 h\u1ed5ng Telnet CVE-2017-3881, m\u1ed9t l\u1ed7i t\u1eebng g\u00e2y RCE nghi\u00eam tr\u1ecdng nh\u01b0ng \u0111\u00e3 \u0111\u01b0\u1ee3c s\u1eeda \u0111\u1ed5i \u0111\u1ec3 m\u1edf r\u1ed9ng kh\u1ea3 n\u0103ng \u0111\u1ecdc v\u00e0 ghi b\u1ed9 nh\u1edb t\u00f9y \u00fd. M\u1ee5c ti\u00eau d\u01b0\u1eddng nh\u01b0 nh\u1eb1m t\u1ea1o ra c\u00e1c c\u00f4ng c\u1ee5 t\u1ea5n c\u00f4ng k\u1ebft h\u1ee3p, t\u0103ng kh\u1ea3 n\u0103ng leo thang v\u00e0 chi\u1ebfm quy\u1ec1n ho\u00e0n to\u00e0n tr\u00ean h\u1ea1 t\u1ea7ng Cisco. D\u00f9 ch\u01b0a r\u00f5 m\u1ee9c \u0111\u1ed9 ho\u1ea1t \u0111\u1ed9ng \u0111\u1ea7y \u0111\u1ee7 c\u1ee7a phi\u00ean b\u1ea3n s\u1eeda \u0111\u1ed5i n\u00e0y, s\u1ef1 k\u1ebft h\u1ee3p gi\u1eefa nhi\u1ec1u l\u1ed7 h\u1ed5ng v\u00e0 k\u1ef9 thu\u1eadt \u1ea9n m\u00ecnh \u0111\u00e3 bi\u1ebfn Operation Zero Disco tr\u1edf th\u00e0nh m\u1ed9t chi\u1ebfn d\u1ecbch c\u1ef1c k\u1ef3 nguy hi\u1ec3m.<\/p>\n

\n
\"1760600930282.png\"<\/div>\n

Trong m\u00f4 ph\u1ecfng, k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 v\u01b0\u1ee3t qua t\u01b0\u1eddng l\u1eeda b\u00ean ngo\u00e0i b\u1eb1ng m\u1eadt kh\u1ea9u \u0111\u00e3 l\u1ea5y \u0111\u01b0\u1ee3c \u0111\u1ec3 truy c\u1eadp v\u00e0o c\u00e1c thi\u1ebft b\u1ecb kh\u00e1c nhau tr\u00ean m\u1ea1ng.<\/i>
\n\u200b<\/div>\n

V\u1ec1 ph\u00eda ph\u00f2ng th\u1ee7, Trend Micro \u0111\u00e3 ph\u00e1t h\u00e0nh c\u00e1c quy t\u1eafc ph\u00e1t hi\u1ec7n chuy\u00ean d\u1ee5ng: rule 46396 \u0111\u1ec3 ph\u00e1t hi\u1ec7n h\u00e0nh vi khai th\u00e1c SNMP v\u00e0 rules 5497, 5488 \u0111\u1ec3 nh\u1eadn di\u1ec7n l\u01b0u l\u01b0\u1ee3ng UDP \u0111i\u1ec1u khi\u1ec3n c\u1ee7a rootkit. Tuy nhi\u00ean, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u c\u1ea3nh b\u00e1o hi\u1ec7n ch\u01b0a c\u00f3 c\u00f4ng c\u1ee5 t\u1ef1 \u0111\u1ed9ng n\u00e0o c\u00f3 th\u1ec3 x\u00e1c \u0111\u1ecbnh ch\u1eafc ch\u1eafn thi\u1ebft b\u1ecb Cisco \u0111\u00e3 b\u1ecb x\u00e2m nh\u1eadp hay ch\u01b0a. Khi nghi ng\u1edd, vi\u1ec7c \u0111i\u1ec1u tra th\u1ee7 c\u00f4ng k\u1ebft h\u1ee3p v\u1edbi Cisco Technical Assistance Center l\u00e0 c\u1ea7n thi\u1ebft \u0111\u1ec3 ki\u1ec3m tra v\u00f9ng nh\u1edb, \u0111\u1ed1i chi\u1ebfu c\u1ea5u h\u00ecnh v\u00e0 ph\u00e2n t\u00edch s\u00e2u c\u00e1c ch\u1ec9 s\u1ed1 x\u00e2m nh\u1eadp.<\/p>\n

Chi\u1ebfn d\u1ecbch Operation Zero Disco l\u00e0 l\u1eddi nh\u1eafc m\u1ea1nh m\u1ebd r\u1eb1ng vi\u1ec7c duy tr\u00ec thi\u1ebft b\u1ecb m\u1ea1ng c\u0169 ho\u1eb7c c\u1ea5u h\u00ecnh m\u1eb7c \u0111\u1ecbnh ch\u00ednh l\u00e0 r\u1ee7i ro b\u1ea3o m\u1eadt ti\u1ec1m \u1ea9n. C\u00e1c t\u1ed5 ch\u1ee9c c\u1ea7n n\u00e2ng c\u1ea5p l\u00ean SNMPv3, thay \u0111\u1ed5i chu\u1ed7i c\u1ed9ng \u0111\u1ed3ng m\u1eb7c \u0111\u1ecbnh v\u00e0 t\u0103ng c\u01b0\u1eddng gi\u00e1m s\u00e1t l\u01b0u l\u01b0\u1ee3ng \u0111\u1ec3 ph\u00e1t hi\u1ec7n d\u1ea5u hi\u1ec7u \u0111i\u1ec1u khi\u1ec3n b\u1ea5t th\u01b0\u1eddng. Vi\u1ec7c ki\u1ec3m tra \u0111\u1ecbnh k\u1ef3 c\u1ea5u h\u00ecnh, ph\u00e1t hi\u1ec7n script ho\u1eb7c t\u00e0i kho\u1ea3n l\u1ea1 c\u0169ng l\u00e0 b\u01b0\u1edbc quan tr\u1ecdng \u0111\u1ec3 ng\u0103n rootkit \u00e2m th\u1ea7m b\u00e1m tr\u1ee5 trong h\u1ec7 th\u1ed1ng.<\/p>\n

T\u1ed5ng h\u1ee3p<\/i><\/b>\u200b<\/div>\n
Theo: https:\/\/whitehat.vn\/threads\/operation-zero-disco-tu-lo-hong-snmp-den-rootkit-an-minh-tren-thiet-bi-cisco.18841\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"

C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u c\u1ee7a Trend Micro v\u1eeba ph\u00e1t hi\u1ec7n m\u1ed9t chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng tinh vi mang t\u00ean Operation Zero Disco, l\u1ee3i d\u1ee5ng l\u1ed7 h\u1ed5ng nghi\u00eam tr\u1ecdng trong c\u01a1 ch\u1ebf Simple Network Management Protocol (SNMP) c\u1ee7a Cisco \u0111\u1ec3 chi\u1ebfm quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n thi\u1ebft b\u1ecb m\u1ea1ng v\u00e0 c\u00e0i \u0111\u1eb7t rootkit tr\u00ean n\u1ec1n t\u1ea3ng Linux. Chi\u1ebfn […]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10527","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10527"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10527\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}