CISO Alert: Network Evasion Tactics, Source Code Theft, and Critical Patches

1. Operation ZeroDisco: The Rootkit Under Your Router

Network devices are under renewed attack, with Trend Micro reporting a new campaign targeting older, vulnerable Cisco devices (including the 9400, 9300, and legacy 3750G series). This operation, dubbed ZeroDisco, exploits a recent Cisco zero-day, CVE-2025-20352 (CVSS 7.7), which is a stack overflow issue in the Simple Network Management Protocol (SNMP) of IOS and IOS XE devices.

Key Threat Vectors for CISOs

• Deep Evasion: Threat actors deploy a rootkit designed to be highly evasive. This rootkit monitors UDP packets sent to any port, even closed ones.
• Persistent Access: The malware modifies the IOSd memory to install a universal password containing the word ‘disco’.
• Operational Concealment: The rootkit hides running-config items in memory, bypasses ACLs applied to VTY virtual interfaces, disables log history, and resets running-config write timestamps to conceal changes.
• Remediation Difficulty: Currently, there is no universal automated tool to reliably detect compromise by Operation ZeroDisco. CISOs who suspect an affected switch should contact Cisco TAC immediately for assistance with a low-level investigation of firmware/ROM/boot regions.

2. Nation-State Actors Target F5 for Source Code Theft

The risk of intellectual property and vulnerability intelligence theft by state-sponsored groups remains paramount. F5 recently disclosed that state-sponsored threat actors maintained persistent access to their systems, specifically those related to the development of the BIG-IP platform.

The Strategic Impact

• Source Code Exfiltration: Attackers successfully stole BIG-IP source code and information regarding undisclosed vulnerabilities.
• Attribution: Although F5 shared few details, the attack profile strongly points to China as the likely threat actor. Chinese cyberspies are known for targeting software companies to analyze source code and discover zero-day vulnerabilities.
• Supply Chain Confidence: F5 reported they found no evidence of modification to their software supply chain, including the source code, or compromise of their NGINX environment. However, the successful theft of proprietary code heightens risk for all dependent customers.

This incident reinforces the need for CISOs to scrutinize vendor security practices and understand that their infrastructure partners are themselves targets of sophisticated espionage.

3. Urgent Patching Mandates: Critical Vulnerabilities (CVSS 10.0 and 9.9)

Two recent high-severity vulnerabilities require immediate attention, demonstrating active exploitation and severe risk potential: