Podcast Summary – Talkin’ About [Infosec] News, Powered by Black Hills Information Security
Episode: 2 Million Cisco Devices Targeted by Exploited 0-Day
Date: October 2, 2025
Episode Overview
This episode dives into the latest Emergency Directive from CISA targeting a massive Cisco zero-day, key trends in network device exploitation, insider threats, the (futility of) phishing awareness, some AI security hilarity, and hands-on incident detection training. True to form, the Black Hills crew blend technical insight with their signature irreverent humor.
Key Discussion Points & Insights
1. CISA Emergency Directive: Cisco 0-Day Madness & End-of-Life Devices
- [03:06–17:58]
- A new zero-day (RCE + authentication bypass) in Cisco’s web interface spawns an emergency CISA directive. Most affected devices are at or just reaching end of life.
- Sophisticated malware (dubbed “Line Dancer”) is targeting these devices, with likely nation-state actors implicated.
- This follows a growing pattern: attackers shift from endpoints (now well-defended) to poorly monitored networking equipment.
- The vulnerability is exacerbated by a vast population of end-of-life Cisco products (hundreds of thousands exposed per Shodan), many owned by people unaware or unable to patch.
Notable Quotes:
"The future is here. It's just not evenly distributed. You have a lot of organizations implementing amazing security posture ... and a good percentage running stuff that's horribly out of date."
— Josh Sokol, [05:29]
"Why pwn an endpoint when you can pwn the network that all the endpoints are flowing through?"
— Dale Peterson, [07:06]
- Attackers are using these devices both for espionage/data gathering and as stealthy launchpads for further attacks.
- The panel notes that many organizations:
- Don’t even know what network devices they have or who owns them (“it’s leased from the ISP!”)
- Leave management interfaces or VPNs exposed to the internet
- Rarely monitor logs/audit trails on these systems
On the Scope:
"Out of the 2.69 million [Cisco] that are out there, there are 36,000... with port 443 open and there are 37,318 that have port 80 open. For some reason there’s a whole bunch of port 8888, 8443, 4444..."
— Josh Sokol, [16:52]
- The crew strongly advises retiring EOL devices and patching the rest, while acknowledging that many orgs will do neither.
2. Why Network Devices are the New Target
- [06:30–10:13]
- EDR & endpoint security products have gotten so effective that attackers instead hit routers, firewalls, and other boxes running outdated firmware and no advanced defense mechanisms.
- Real-world examples: multiple recent advanced backdoors for network gear, “BrickStorm” malware (Google Mandiant).
- Substantial obstacles to fix:
- Shared responsibility issues ("Not our router, it's our ISP’s!")
- Decommissioning complexity—don’t know where the last device is or if it's connected at all.
3. The Perils of Bad Network Design & Training
- [12:45–15:18]
- Many vulnerabilities reside in management planes that “should never” be exposed, yet “people are just throwing stuff out there.”
- Free training and operational shortcuts perpetuate mistakes—junior admins follow YouTube videos recommending exposing management interfaces to the internet.
- Operational needs override good architecture—"I need access now, just plug it in!"
- It’s common to have mysterious “out-of-band” access hidden in plant floors that security teams didn’t know existed.
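The exposure described in sections 1 and 3 (Shodan finding Cisco web management on 80/443/8443/8888 from the internet, management planes reachable from production networks) is a configuration problem before it is a vulnerability problem. The fragment below is an added example, not configuration from the episode: it shows a weak IOS/IOS XE HTTP-server setup beside a hardened one that limits web and SSH management to a management subnet. The ACL number, subnet and the idea of a dedicated management network are assumptions; Cisco ASA uses different syntax (`http` and `ssh` statements tied to an interface name), so this does not apply verbatim to the ASAs the panel mentions. Restricting reachability limits who can hit a bug in the web interface; it does not replace patching or retiring an end-of-life box.

```text
! Weak: HTTP and HTTPS management answer on every interface, including the
! one facing the internet. This is what the port counts quoted above find.
ip http server
ip http secure-server

! Hardened: plaintext HTTP off, HTTPS and SSH reachable only from the
! management subnet (10.10.0.0/24 is an assumed example), denied hits logged.
no ip http server
ip http secure-server
access-list 10 remark management hosts only
access-list 10 permit 10.10.0.0 0.0.0.255
access-list 10 deny any log
ip http access-class 10
!
line vty 0 4
 access-class 10 in
 transport input ssh

! If nothing needs the web UI at all, turn it off entirely and use SSH only.
no ip http secure-server
```

Verify with `show ip http server status` that the plain server is disabled and the access class is applied, then confirm from a host outside the management subnet that nothing answers on 80, 443 or the odd high ports from the Shodan counts. If the web UI is being used only because someone followed a tutorial, the last two lines are the right answer.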
4. General State-of-Security Riffing: Complacency, Patch Apathy, and Vendor Strategy
- [09:45–18:26]
- Even in high-value targets, basic hygiene (patching, inventory, network segmentation) is ignored because "it just works."
- Organization size and inertia are huge obstacles.
- “Zero trust” and minimal-exposure architectures are better, but take rare discipline to implement.
5. Brief: Neon App Debacle – Monetizing Privacy & Predictable Breaches
- [19:28–23:24]
- “Neon,” a viral app, pays users to record their phone calls and sells the audio data; its own user data was exposed almost immediately after launch.
- Panel jokes about who would opt into such obvious privacy violation: “Impulsive coupon clippers,” “people who just need someone to yell at.”
- John Strand guesses the breach technicals without even checking: “hard coded S3 keys ... same key for every user ... we’ve seen it all before.”
Quote:
“My favorite thing about this article is that now we have the answer to what our privacy is worth. $30 a day.”
— Greg, [19:28]
- Larger point: The app store ecosystem is structurally incapable of weeding out privacy-for-cash schemes like this one.
6. AI Darwin Awards – Making Fun of Bad AI Decisions
- [24:17–28:03]
- Panel highlights the “AI Darwin Awards” (satirizing user fails involving AI—e.g., lawyers submitting fake ChatGPT citations).
- Discussion: AI accelerates tasks but also amplifies stupidity.
Quote:
“There's this human capability amplifier effect ... but the human stupidity amplification ... that can occur as well.”
— Joff Thyer, [28:03]
- Panel argues that laughing at dumb AI use cases is important, because it helps improve society's resilience and even the tech itself.
7. Image Authenticity (C2PA) and Broken Supply Chain
- [29:29–34:14]
- Nikon’s implementation of C2PA certificates (supposed to prove photo authenticity/source) was broken—signing keys leaked in firmware.
- There are limits to what “authentic” metadata can actually claim; chain-of-custody for digital images remains imperfect.
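Why an extracted signing key collapses the whole scheme: a C2PA claim is a signed manifest that binds the image hash to assertions about its origin, so whoever holds the signing key can produce a manifest a verifier accepts. The Python below is an added example, not Nikon's or the C2PA project's code. It substitutes an HMAC for the certificate-based COSE signature so it runs on the standard library alone; the key id, the secret and the image bytes are constructed. It walks the cases that matter: an unsigned edit fails, the same edit re-signed with the extracted key verifies, and only revoking the key stops that, at the cost of also failing every genuine image the key ever signed.

```python
import hashlib
import hmac
import json

# Hypothetical camera signing credential. In real C2PA this is the private
# key behind the device's X.509 certificate; a key pulled out of firmware is
# exactly this value in an attacker's hands. Both values are constructed.
CAMERA_KEY_ID = "camera-model-signing-key-1"
CAMERA_SECRET = b"should-have-stayed-in-the-secure-element"


def _canonical(manifest):
    # Deterministic serialization so signer and verifier hash the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(image, assertions, key_id, secret):
    """Build a claim: a manifest binding the image hash to origin assertions,
    plus a signature over the manifest (HMAC here, COSE in real C2PA)."""
    manifest = {
        "key_id": key_id,
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "assertions": assertions,
    }
    signature = hmac.new(secret, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature}


def verify(image, claim, trusted_keys, revoked=frozenset()):
    """Return 'ok' or the first reason the claim is rejected."""
    manifest = claim["manifest"]
    key_id = manifest["key_id"]
    if key_id not in trusted_keys:
        return "untrusted key"
    if key_id in revoked:
        return "revoked key"
    expected = hmac.new(trusted_keys[key_id], _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim["signature"]):
        return "bad signature"
    if hashlib.sha256(image).hexdigest() != manifest["image_sha256"]:
        return "image does not match manifest"
    return "ok"


TRUSTED = {CAMERA_KEY_ID: CAMERA_SECRET}
ORIGINAL = b"constructed bytes standing in for the real photo"
EDITED = b"constructed bytes standing in for a doctored photo"


def run_cases():
    """Honest capture, unsigned edit, edit re-signed with the extracted key,
    and both claims again after the key is revoked."""
    genuine = sign_manifest(ORIGINAL, {"captured_by": "camera"}, CAMERA_KEY_ID, CAMERA_SECRET)
    leaked_secret = CAMERA_SECRET  # what the attacker recovered from firmware
    forged = sign_manifest(EDITED, {"captured_by": "camera"}, CAMERA_KEY_ID, leaked_secret)
    return {
        "genuine": verify(ORIGINAL, genuine, TRUSTED),
        "edited_not_resigned": verify(EDITED, genuine, TRUSTED),
        "edited_resigned_with_leaked_key": verify(EDITED, forged, TRUSTED),
        "forged_after_revocation": verify(EDITED, forged, TRUSTED, revoked={CAMERA_KEY_ID}),
        "genuine_after_revocation": verify(ORIGINAL, genuine, TRUSTED, revoked={CAMERA_KEY_ID}),
    }


if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case}: {result}")
```

The last case is the practical cost the panel's "limits" point implies: a verifier can only keep trusting images signed before the compromise if the signature carries a trusted timestamp it can compare against the revocation date. Without that, revocation is all-or-nothing for everything that key signed.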
8. Insider Threats: Ransomware Gangs Turn to Bribery
- [34:10–37:59]
- Ransomware groups have begun directly offering employees 15% of the ransom payout for internal access.
- Discussion covers both the practicality and the rising risk (ransom amounts in the millions, huge orgs with massive attack surfaces).
- Strong convergence with assumed compromise: design security as if one employee might betray you.
Quote:
"We can get anyone to click a link, you know?"
— Josh Sokol, [43:07]
9. Phishing Training Doesn’t Stop Phishing
- [38:29–45:11]
- New research (and years of experience) suggest user awareness training and phishing tests have real limits—click rates go down but never reach zero.
- Focus should shift from click metrics to detection: how well can the organization detect and contain the post-click attack?
- Largest orgs are at greatest risk because of size and complexity.
Quote:
“Click rate is nothing. Click rate is the barest thin end of the wedge when it comes to how good your security posture is.”
— John Strand, [45:11]
- Broader point: Instead of blaming users, move toward robust network/log monitoring, attack surface management, and an assumed-compromise posture.
10. CTF Walkthrough: Detecting Lateral Movement via Event Logs
- [46:36–55:57]
- John Strand walks through a mini-lab for hands-on detection:
- Password spraying leads to hundreds of login failures in event logs.
- Repeated remote registry service activations indicate enumeration activity.
- The path from an ordinary employee account to admin rights is singled out as something detection has to cover.
- The value (or lack thereof) in different logs (Sysmon, Windows event) is discussed.
Quote:
“Learning what the tools look like in your environment allows you to capture the appropriate logs to detect these things.”
— John Strand, [53:34]
- Winners of the webcast CTF are announced; listeners are encouraged to participate and join the Discord for more labs.
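The two signals from the walkthrough, as an added example rather than the lab's own code. Constructed Windows event records (not real logs) stand in for Security 4625 failed logons and System 7036 service-state changes, and two functions implement the detections the panel points at: a password spray, which is one source failing against many distinct accounts in a short window (a user mistyping one password three times does not trip it), and Remote Registry entering the running state again and again, which on current Windows is trigger-started by incoming remote requests and stops when idle, so a run of starts means something keeps querying it. Field names and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real logs). The fields mirror what a SIEM
# extracts from Security 4625 (TargetUserName, IpAddress, SubStatus) and
# System 7036 (service name and the state it entered).
EVENTS = [
    # One source, six different accounts, one failure each: a spray.
    {"time": _ts("2025-10-02T09:00:01"), "id": 4625, "user": "alice", "ip": "10.0.0.50", "sub_status": "0xC000006A"},
    {"time": _ts("2025-10-02T09:00:02"), "id": 4625, "user": "bob", "ip": "10.0.0.50", "sub_status": "0xC000006A"},
    {"time": _ts("2025-10-02T09:00:03"), "id": 4625, "user": "carol", "ip": "10.0.0.50", "sub_status": "0xC000006A"},
    {"time": _ts("2025-10-02T09:00:04"), "id": 4625, "user": "dave", "ip": "10.0.0.50", "sub_status": "0xC000006A"},
    {"time": _ts("2025-10-02T09:00:05"), "id": 4625, "user": "erin", "ip": "10.0.0.50", "sub_status": "0xC000006A"},
    {"time": _ts("2025-10-02T09:00:06"), "id": 4625, "user": "frank", "ip": "10.0.0.50", "sub_status": "0xC000006A"},
    # One user mistyping a password three times: same account, not a spray.
    {"time": _ts("2025-10-02T09:10:00"), "id": 4625, "user": "grace", "ip": "10.0.0.77", "sub_status": "0xC000006A"},
    {"time": _ts("2025-10-02T09:10:05"), "id": 4625, "user": "grace", "ip": "10.0.0.77", "sub_status": "0xC000006A"},
    {"time": _ts("2025-10-02T09:10:09"), "id": 4625, "user": "grace", "ip": "10.0.0.77", "sub_status": "0xC000006A"},
    # Remote Registry bouncing between running and stopped as something
    # queries it remotely, plus an unrelated service start for noise.
    {"time": _ts("2025-10-02T09:20:00"), "id": 7036, "service": "Remote Registry", "state": "running"},
    {"time": _ts("2025-10-02T09:20:40"), "id": 7036, "service": "Remote Registry", "state": "stopped"},
    {"time": _ts("2025-10-02T09:21:10"), "id": 7036, "service": "Remote Registry", "state": "running"},
    {"time": _ts("2025-10-02T09:21:50"), "id": 7036, "service": "Remote Registry", "state": "stopped"},
    {"time": _ts("2025-10-02T09:22:30"), "id": 7036, "service": "Remote Registry", "state": "running"},
    {"time": _ts("2025-10-02T09:23:00"), "id": 7036, "service": "Windows Update", "state": "running"},
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted accounts} for every source whose failed
    logons touch at least min_accounts distinct accounts inside `window`.
    Counting distinct accounts rather than raw failures is what separates a
    spray from one person locking themselves out."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            accounts = {e["user"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits


def detect_remote_registry_enum(events, window=timedelta(minutes=10), min_starts=3):
    """Return a summary dict if Remote Registry entered the running state at
    least min_starts times inside `window`, else None."""
    starts = sorted(
        e["time"] for e in events
        if e["id"] == 7036 and e["service"] == "Remote Registry" and e["state"] == "running"
    )
    for i, t0 in enumerate(starts):
        run = [t for t in starts[i:] if t - t0 <= window]
        if len(run) >= min_starts:
            return {"starts": len(run), "first": run[0], "last": run[-1]}
    return None


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(EVENTS).items():
        print(f"password spray from {ip}: {len(accounts)} accounts ({', '.join(accounts)})")
    hit = detect_remote_registry_enum(EVENTS)
    if hit:
        print(f"Remote Registry started {hit['starts']}x between {hit['first']} and {hit['last']}")
```

Neither signal comes from Sysmon: 4625 lives in the Security log and only appears if logon-failure auditing is on, and 7036 is a Service Control Manager event in the System log. Knowing which log carries which signal is the "learn what the tools look like in your environment" point from the quote.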
11. SIM Swapping/Spam Infrastructure Bust
- [55:57–59:23]
- Panel discusses law enforcement photos of SIM card racks described as a major cell carrier “takedown.”
- Skepticism about it being nation-state; looks more like commoditized spam gear for SMS fraud.
- Admiration for whoever did the cable management.
Quote:
"That air conditioner ... did something bad in a previous life. Now it’s in hell."
— Josh Sokol, [58:59]
12. Show Closing, Community Notes
- [59:42–61:11]
- Reminders about upcoming live episodes and events.
- Classic BHIS comedic banter—bananas, radiation, chickens, and advice to say hi at conferences.
Notable Quotes & Memorable Moments
- On targeting old network gear:
"Ditch your ASAs, people ... If you have to go centralized VPN, maybe just get one that isn’t end of life."
— John Strand [17:34]
- On operational reality:
"A lot of these vulnerabilities are in the control plane ... you should never expose to production. So people are just not architecting things correctly, they're just throwing stuff out there."
— Joff Thyer [12:45]
- On new threat realities:
"They’re not subscribing to CISO Alerts. They don’t listen to this podcast. They just keep doing their business."
— Josh Sokol [10:42]
- On the Neon privacy-for-cash app:
"Who is opting into this? The people making phone calls don’t even know what AI is ..."
— John Strand [19:48]
- On the utility of security training metrics:
"As long as the number’s above zero percent you still got phished and it doesn’t really matter."
— John Strand [38:30]
Timestamps for Important Segments
- Cisco CISA Directive and Zero-Day Discussion: [03:06–17:58]
- Network Device Attack Trends: [06:30–10:13]
- Operational Gaps and Network Management Realities: [12:45–15:18]
- Neon App Privacy Breach and Satire: [19:28–23:24]
- AI Darwin Awards & Security Angle: [24:17–28:03]
- Image Authenticity and C2PA Certificates: [29:29–34:14]
- Insider Threats & Ransomware Bribery: [34:10–37:59]
- User Awareness (Phishing) Training Critique: [38:29–45:11]
- Hands-On Detection, CTF Walkthrough: [46:36–55:57]
- SIM Swapping Hardware Takedown: [55:57–59:23]
- Closing Announcements & Banter: [59:42–61:11]
Conclusion
This episode is a treasure trove of practical infosec lessons, war stories, technical walkthroughs, and gallows humor about the “state of the state.” The team cuts through hype and offers real-world advice, especially around network security, the limits of user education, detection-first thinking, and resilience planning for assumed compromise. If you want security insights that mix technical depth, honesty, and hilarity, BHIS continues to deliver.
![2 Million Cisco Devices Targeted by Exploited 0-Day – 2025-09-29 - Talkin' Bout [Infosec] News cover](https://assets.blubrry.com/coverart/orig/577207-646458.jpg)