Zero Disco: Hackers Slip Rootkits into Cisco Devices via SNMP Flaw
Cybercriminals exploit a fresh Cisco vulnerability, planting stealthy Linux rootkits on aging network hardware in a campaign dubbed 'Zero Disco.'
Fast Facts
- Attackers exploited CVE-2025-20352, a critical Cisco SNMP vulnerability, to install Linux rootkits on older networking devices.
- The campaign, named 'Operation Zero Disco,' targets Cisco 9400, 9300, and legacy 3750G series switches lacking modern protections.
- Rootkits set a universal password with "disco" in it, hijack device memory, and evade detection by disabling logging and masking changes.
- Trend Micro researchers uncovered the attacks and warn that even newer devices, while more resistant, are not immune with repeated attempts.
- No reliable tool currently exists to detect these compromises; deep firmware analysis is required if an attack is suspected.
A New Groove in Network Intrusion
Imagine a night club’s back entrance left slightly ajar - inviting, if you know where to look. In the world of network security, hackers have found just such an entrance in Cisco’s widely used switches, exploiting a vulnerability before it was even patched. The result: a covert campaign, dubbed 'Zero Disco,' where attackers dance their way into the heart of corporate networks, undetected and uninvited.
The Anatomy of Zero Disco
At the center of this operation is CVE-2025-20352, a flaw in Cisco’s Simple Network Management Protocol (SNMP) subsystem. In plain terms, SNMP is like the remote control for network devices, letting administrators monitor and tweak settings. But in this case, hackers found a way to send a specially crafted message - like a secret knock - to gain control, install rootkits, and set up shop inside the device’s memory.
What’s chilling is the stealth. The attackers’ rootkit - a kind of digital parasite - lets them bypass normal security checks, set a universal password containing the word "disco" (a sly nod to Cisco), and erase their tracks by disabling logs and hiding configuration changes. The malware even modifies timestamps, making it seem as if nothing ever happened. Once inside, hackers have persistent, remote access, able to move laterally across networks and manipulate traffic at will.
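The behaviours described above (SNMP access from unexpected hosts, logging switched off, timestamps altered) are things a central log collector can still see even when the switch itself is lying. The following is an added, defender-side example, not code from the article or from Trend Micro: it runs a few heuristic checks over constructed syslog-style lines. The line format, message wording, management allow-list and thresholds are all assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines: "<collector_time> <device_ip> <device_time> <message>".
# Message wording is simplified and assumed, not real Cisco syslog syntax.
SAMPLE_LOGS = """\
2025-10-14T10:00:01Z 10.0.5.12 2025-10-14T10:00:01Z SNMP request from 10.0.9.5
2025-10-14T10:00:05Z 10.0.5.12 2025-10-14T10:00:05Z SNMP request from 203.0.113.7
2025-10-14T10:00:06Z 10.0.5.12 2025-10-14T10:00:06Z SNMP request from 203.0.113.7
2025-10-14T10:00:09Z 10.0.5.12 2025-10-14T09:41:30Z CONFIG_CHANGE by admin from 203.0.113.7
2025-10-14T10:00:11Z 10.0.5.12 2025-10-14T09:41:32Z LOGGING_STOPPED host 10.0.9.2
2025-10-14T10:30:00Z 10.0.5.13 2025-10-14T10:30:00Z SNMP request from 10.0.9.5
"""
MGMT_ALLOWLIST = {"10.0.9.5"}      # assumed: the only hosts that should poll SNMP
CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance between device and collector clocks
SILENCE = timedelta(minutes=15)     # assumed: a healthy switch logs at least this often

LINE = re.compile(r"(\S+) (\S+) (\S+) (.*)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_indicators(raw, now):
    """Return (device, reason) tuples for the rootkit behaviours the article describes."""
    findings, last_seen = [], {}
    for line in raw.splitlines():
        coll, dev, devt, msg = LINE.match(line).groups()
        coll_t, dev_t = parse_ts(coll), parse_ts(devt)
        last_seen[dev] = coll_t
        # 1. SNMP traffic from a host that is not a known management station
        m = re.search(r"SNMP request from (\S+)", msg)
        if m and m.group(1) not in MGMT_ALLOWLIST:
            findings.append((dev, f"SNMP from unapproved source {m.group(1)}"))
        # 2. Device-reported time disagrees with the collector's receive time (timestamp tampering)
        if abs(coll_t - dev_t) > CLOCK_SKEW:
            findings.append((dev, f"device clock {dev_t} disagrees with collector {coll_t}"))
        # 3. The device announced that it stopped forwarding logs
        if "LOGGING_STOPPED" in msg:
            findings.append((dev, "device stopped sending logs to collector"))
    # 4. A device that has gone quiet may have had logging disabled silently
    for dev, seen in last_seen.items():
        if now - seen > SILENCE:
            findings.append((dev, f"no log lines since {seen} (possible logging disabled)"))
    return findings

def demo_findings():
    return find_indicators(SAMPLE_LOGS, parse_ts("2025-10-14T10:45:00Z"))

if __name__ == "__main__":
    for device, reason in demo_findings():
        print(device, "-", reason)
```

Silence and clock-skew checks only work if the collector keeps its own receive timestamps, since the device's own clock is exactly what the rootkit is described as manipulating.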
Old Devices, New Risks
The primary victims are older Cisco switch models - 9400, 9300, and the now-vintage 3750G - many still humming quietly in corporate server rooms. These devices often lack modern endpoint detection and response (EDR) tools, making them easy prey. Even attempts by Cisco to patch the flaw came after attackers had already found and exploited it - a classic zero-day scenario.
Trend Micro’s investigation also revealed that attackers tried to revive an old Telnet vulnerability (CVE-2017-3881), further expanding their toolkit for memory manipulation. The attackers used spoofed IP addresses and fake Mac email accounts to cloak their origins, making attribution difficult. While newer switches use protections like Address Space Layout Randomization (ASLR) to scramble memory locations and thwart exploits, persistent attackers can still break through with enough tries.
Echoes of Past Intrusions
This isn’t Cisco’s first dance with rootkits or SNMP flaws. In 2017, attackers leveraged the infamous Vault 7 leaks to install persistent malware on similar devices. The Zero Disco campaign echoes these earlier attacks but raises the stakes with more sophisticated evasion and broader reach. The incident underscores a persistent truth: aging infrastructure, left unmonitored, becomes the soft underbelly of digital security.
Conclusion: Unmasking the Silent Intruders
Operation Zero Disco is a warning to organizations clinging to legacy hardware without modern defenses. The attackers’ ability to slip in, hide, and persist highlights the urgent need for regular updates, vigilant monitoring, and a willingness to retire outdated gear. In the shadowy corners of the network, the music is still playing - and the intruders know all the steps.
WIKICROOK
- Rootkit: A rootkit is stealthy malware that hides itself on a device, allowing attackers to secretly control the system and evade detection.
- SNMP (Simple Network Management Protocol): SNMP is a standard protocol that lets administrators monitor and manage network devices like routers and switches for efficient network operation.
- Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous in attackers' hands.
- ASLR (Address Space Layout Randomization): ASLR is a security technique that randomizes memory locations of programs, making it more difficult for attackers to exploit software vulnerabilities.
- Endpoint Detection and Response (EDR): EDR refers to security tools that monitor computers for suspicious activity, though they may miss browser-based attacks that leave no files behind.