Background: The Unique Landscape of the Black Hat NOC
Working the Black Hat Security and Network Operations Center (NOC) presents a unique set of challenges and expectations. Unlike a typical corporate environment, where any hacking activity is immediately deemed malicious, the Black Hat conference is a nexus for cybersecurity research, training, and ethical hacking. Consequently, we expect, and even anticipate, a significant amount of activity that in other contexts would be considered highly suspicious or outright hostile. This includes various forms of scanning, exploitation attempts, and other adversarial simulations, often carried out as part of official trainings or independent research.
Adding to this complexity is the Bring Your Own Device (BYOD) nature of the conference network. Attendees connect a wide array of personal devices, which makes traditional endpoint telemetry (such as EDR solutions) a significant challenge for comprehensive monitoring. As such, our primary focus was on robust network-based telemetry for detection and threat hunting.
Investigation Workflow: A Multi-Tool Approach to Rapid Response
Phase 1: Attack Triage With Cisco XDR
The Cisco XDR analytics incident provided the initial alert and connection flows, giving us immediate visibility into this attempted intrusion activity from an external malicious source against our conference registration server and mapping it to MITRE ATT&CK.
The XDR incident indicated an access attempt on the registration server corresponding to an intrusion signature for “SAP NetWeaver Visual Composer metauploader access attempt”. The activity was mapped to MITRE ATT&CK tactic TA0001: Initial Access and techniques T1189: Drive-by Compromise and T1190: Exploit Public-Facing Application.
Cyber Threat Intelligence
Looking deeper into the alert from Cisco Firepower Management Center (FMC) within XDR, we can see that the attempted intrusion was an access event over port 443. The alert is classified as high priority. The external source IP was labeled with a malicious disposition by Cisco XDR Global Threat Intelligence and as suspicious by Cisco Talos.
Phase 2: Traffic and Alert Analysis With Cisco Firepower Management Console (FMC)
We used Cisco FMC to dive deeper into the associated alert and the packet information captured from the traffic.


The following details were particularly notable:
- The intrusion alert was labeled as high priority and categorized as Attempted Administrator Privilege Gain.
- The traffic was TCP and HTTPS to port 443.
- The request type was a GET request to the URI path /developmentserver/metauploader
- The user agent includes zgrab/0.x
Researching this user agent, ZGrab, showed that it is used for scanning and penetration testing. ZGrab is part of the broader ZMap suite of tools. This provided further validation that this was a malicious intrusion attempt against our registration server.
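As an added example (not code from the Cisco or Black Hat NOC tooling), the triage criteria from the FMC alert above can be turned into a small log hunt: it parses web-server access log lines and flags requests that hit the metauploader path or carry the ZGrab user agent, noting whether the hit was a probe (GET) or an upload attempt (POST). The log lines, IP addresses, and the `parse_line`, `classify` and `hunt` function names are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample access log lines (combined log format); not real NOC data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2025:08:15:02 +0800] "GET /developmentserver/metauploader HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.9 - - [10/Apr/2025:08:15:10 +0800] "GET /register HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [10/Apr/2025:08:16:44 +0800] "POST /developmentserver/metauploader HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the incident: the Visual Composer metauploader path and the ZGrab scanner UA.
METAUPLOADER_PATH = "/developmentserver/metauploader"
SCANNER_UA_MARKERS = ("zgrab",)

@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    reasons: tuple

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons a request matches the CVE-2025-31324 probing pattern, or () if benign."""
    reasons = []
    if entry["path"].split("?", 1)[0].lower() == METAUPLOADER_PATH:
        reasons.append("metauploader path (CVE-2025-31324 target)")
        if entry["method"].upper() == "POST":
            reasons.append("upload attempt (POST), not just a probe")
    if any(marker in entry["ua"].lower() for marker in SCANNER_UA_MARKERS):
        reasons.append("scanner user agent")
    return tuple(reasons)

def hunt(log_text):
    """Return one Finding per suspicious line; a 403/404 on the path is consistent with the asset
    not running NetWeaver, but the hit still warrants confirming that with the asset owner."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append(Finding(entry["ip"], entry["ts"], entry["method"],
                                    entry["path"], int(entry["status"]), reasons))
    return findings
```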
Phase 3: Vulnerability Analysis
We did further research into the alert from FMC and found that it correlated with the vulnerability CVE-2025-31324.
This vulnerability is known to be exploited in the wild, as confirmed by CISA, and is classified as Critical with a CVSS score of 9.8 by the National Vulnerability Database (NVD). It is also notable that the vulnerability was published very recently, on April 4th, 2025.
Successful exploitation of the vulnerability allows an unauthenticated agent to upload arbitrary malicious code to the target system.
Phase 4: Risk Assessment and Mitigation
As a final step we reached out to the Black Hat engineering team to ask whether the registration server was vulnerable to CVE-2025-31324.
Specifically, we asked:
- Does the registration server use SAP NetWeaver?
- Does the following resource path exist on the endpoint?


We confirmed that neither of these criteria was met, and hence the Black Hat registration server was not vulnerable to CVE-2025-31324.
Resolution
The investigation for this Cisco XDR incident was closed, as the registration server was not found to be vulnerable to the attempted exploitation. Since the registration site is a critical asset and is public facing, we expect to see scanning activity and malicious access attempts against it. We remained vigilant for the remainder of the conference.
Key Takeaways
- Rapid, Multi-Tool Investigation Enhances Response
Using Cisco XDR and Cisco FMC enabled swift detection, detailed analysis, and actionable insights, ensuring a well-coordinated and effective response to suspicious activity.
- Asset Awareness and Stakeholder Engagement Are Critical
Understanding your environment and confirming technical details with engineering teams prevents false alarms and unnecessary remediation. Engaging stakeholders early ensures accurate risk assessment and efficient resolution.
- Continuous Vigilance for Critical Public Assets
Even after ruling out immediate threats or vulnerabilities, ongoing monitoring and investigation are essential to safeguard public-facing, high-value systems against persistent scanning and exploitation attempts.
About Black Hat
Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, the Middle East and Africa, and Asia. For more information, please visit the Black Hat website.