Tried Exploitation of Registration Server



Working the Black Hat Security and Network Operations Center (NOC) presents a unique set of challenges and expectations. Unlike a typical corporate environment, where any hacking activity is immediately deemed malicious, the Black Hat conference is a nexus for cybersecurity research, training, and ethical hacking. Consequently, we expect, and even anticipate, a large volume of activity that in other contexts would be considered highly suspicious or outright hostile. This includes various forms of scanning, exploitation attempts, and other adversarial simulations, often conducted as part of official trainings or independent research.

Adding to this complexity is the Bring Your Own Device (BYOD) nature of the conference network. Attendees connect a wide variety of personal devices, which makes traditional endpoint telemetry (such as EDR solutions) a significant challenge for comprehensive monitoring. As such, our primary focus was on robust network-based telemetry for detection and threat hunting.

The Cisco XDR analytics incident provided the initial alert and connection flows, giving us immediate visibility into this attempted intrusion from an external malicious source against our conference registration server, and mapping it to MITRE ATT&CK.

The XDR incident indicated an access attempt against the registration server matching the intrusion signature "SAP NetWeaver Visual Composer metauploader access attempt". The activity was mapped to the MITRE ATT&CK tactic TA0001: Initial Access and the techniques T1189: Drive-by Compromise and T1190: Exploit Public-Facing Application.

Cyber Threat Intelligence

Looking deeper into the alert from Cisco Firepower Management Center (FMC) in XDR, we can see that the attempted intrusion was an access event over port 443. The alert is classified as high priority. The external source IP was categorized with a malicious disposition by Cisco XDR Global Threat Intelligence and as suspicious by Cisco Talos.

We used Cisco FMC to dive deeper into the associated alert and the packet information from the traffic.

Fig. 1: Cisco FMC intrusion alert and traffic analysis

The following details were particularly notable:

  • The intrusion alert was classified as high priority and categorized as Attempted Administrator Privilege Gain.
  • The traffic was TCP and HTTPS to port 443.
  • The request was a GET request to the URI path /developmentserver/metauploader.
  • The user agent contains zgrab/0.x.

Researching this user agent, ZGrab, showed that it is used for scanning and penetration testing. ZGrab is part of the broader ZMap suite of tools. This provided further validation that this was a malicious intrusion attempt against our registration server.

We did further research into the alert from FMC and found that it correlated with the vulnerability CVE-2025-31324.

This vulnerability is known to be exploited in the wild, as confirmed by CISA, and is classified as Critical with a CVSS score of 9.8 by the National Vulnerability Database (NVD). It is also notable that the vulnerability was published very recently, on April 4th, 2025.

Successful exploitation of the vulnerability allows an unauthenticated agent to upload arbitrary malicious code to the target system.

As a final step we reached out to the Black Hat engineering team to ask whether the registration server was vulnerable to CVE-2025-31324.

Specifically, we asked:

  1. Does the registration server use SAP NetWeaver?
  2. Does the following resource path exist on the endpoint?

Fig. 2: Attempted exploitation

We confirmed that neither of these criteria was met, and hence the Black Hat registration server was not vulnerable to CVE-2025-31324.
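As an added example (not code from the Cisco post), here is the triage a NOC analyst could run over the registration server's own web access logs to flag the two indicators listed above (the URI path from the alert and the zgrab user agent) and to decide whether the two questions put to the engineering team still need answering. The log format, hosts and sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the alert described in the write-up; the log
# format (Apache "combined") and the hosts below are constructed.
SUSPECT_PATH = "/developmentserver/metauploader"
SCANNER_UA = re.compile(r"\bzgrab/", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one probe for the suspect path (answered 404), one
# ordinary visitor, and one more request from the same scanner.
SAMPLE_LOG = """\
198.51.100.23 - - [02/Aug/2025:10:14:03 +0000] "GET /developmentserver/metauploader HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [02/Aug/2025:10:14:05 +0000] "GET /register HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [02/Aug/2025:10:14:09 +0000] "GET /robots.txt HTTP/1.1" 200 88 "-" "Mozilla/5.0 zgrab/0.x"
"""

@dataclass(frozen=True)
class Finding:
    src: str
    method: str
    path: str
    status: int
    reasons: tuple

def triage_line(line):
    """Return a Finding when a log line matches either indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m["target"].split("?", 1)[0]            # drop any query string
    reasons = []
    if path.rstrip("/").lower() == SUSPECT_PATH:
        reasons.append("cve-2025-31324-path")      # T1190 indicator from the alert
    if SCANNER_UA.search(m["ua"]):
        reasons.append("zgrab-user-agent")         # mass-scanner tooling
    if not reasons:
        return None
    return Finding(m["src"], m["method"], path, int(m["status"]), tuple(reasons))

def triage(log_text):
    return [f for f in map(triage_line, log_text.splitlines()) if f]

def needs_asset_check(findings):
    """True when the suspect path was requested and the server did not answer
    404, i.e. the path may exist and the SAP NetWeaver question must go to
    the application owners; a 404 alone means the resource is absent."""
    return any("cve-2025-31324-path" in f.reasons and f.status != 404
               for f in findings)
```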

The investigation for this Cisco XDR incident was closed, as the registration server was not found to be vulnerable to the attempted exploitation. Since the registration website is a critical, public-facing asset, we expect to see scanning activity and malicious access attempts against it. We remained vigilant for the remainder of the conference.

  1. Rapid, Multi-Tool Investigation Enhances Response
    Using Cisco XDR and Cisco FMC enabled swift detection, detailed analysis, and actionable insights, ensuring a well-coordinated and effective response to suspicious activity.
  2. Asset Awareness and Stakeholder Engagement Are Critical
    Understanding your environment and confirming technical details with engineering teams prevents false alarms and unnecessary remediation. Engaging stakeholders early ensures accurate risk assessment and efficient resolution.
  3. Continuous Vigilance for Critical Public Assets
    Even after ruling out immediate threats or vulnerabilities, ongoing monitoring and investigation are essential to safeguard public-facing, high-value systems against persistent scanning and exploitation attempts.

Black Hat is the cybersecurity industry's most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, the Middle East and Africa, and Asia. For more information, please visit the Black Hat website.


We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
