Mobile World Congress 2025 in Barcelona delivered on every promise: a groundbreaking event with 109,000 participants from 205 nations, featuring more than 2,900 exhibitors, sponsors, and partners displaying an impressive range of state-of-the-art themes, from 5G and IoT to Unified Security for the AI-powered Future.
As usual, Cisco's presence highlighted a set of advancements: we showed our newest secure connectivity solutions, exhibited next-generation wireless innovations, and issued several high-profile media releases showcasing our dedication to shaping the future of digital communications.
The complete One Cisco strategy was on display, consolidating networking, security, observability, and Splunk solutions to provide unmatched results. This comprehensive approach demonstrates how our clients can realize AI-enabled data centers, workplace future-proofing, and digital resilience.
Cisco at MWC 2025: An Innovation Powerhouse
In true Cisco style, our booth was more than just a spot on the show floor; it was a focal point for innovation and collaboration. Standout demos included:

Learning From Past Experiences
Building on our experience from Black Hat, the NFL Super Bowl, RSA Conference and others, the team brought the same enthusiasm and technical diligence to MWC 2025. Our SNOC team applied the operational excellence honed at those events, combining cutting-edge security tools with live network monitoring to ensure smooth event operations.
The Splunk Cloud served as the data platform, incorporating Apps for data ingestion:
With these integrations, our SOC team could build a CISO-level SNOC dashboard showing vital telemetry from all network and security sources.

We also displayed dashboards at the SOC Manager level for XDR Incidents, Firewall Events, and DNS Security.

We also connected the integrations to Cisco XDR, for dashboard viewing and incident investigation.

We set up XDR automation workflows to escalate threat detections in Splunk to XDR incidents, along with the XDR integration back to Splunk.

The incidents enabled the SNOC team to prioritize investigations.

Furthermore, at this year's Mobile World Congress in Barcelona, Cisco's ThousandEyes dashboard played a significant role in ensuring robust network assurance. Attendees benefited from real-time monitoring and insights into network performance, ensuring a seamless journey from start to end. By monitoring key components such as the event homepage and login processes, ThousandEyes ensured that participants had swift, uninterrupted access to essential resources. This granular visibility and control helped sustain the integrity and dependability of the network throughout the event.

Day 1: A Scale Test
The primary goal of Day 1 was managing extensive network activity seamlessly. Going from only a few employee devices to thousands connecting simultaneously, our firewall and network monitoring systems operated impeccably, handling a significant traffic volume while maintaining precise visibility. The robust performance of our Cisco security solutions confirmed that, whether in a controlled lab setup or a bustling conference, network resilience remains non-negotiable.

Day 2: Encounter with a Russian Threat Attempt at Event Sabotage
Just when you thought the only surprises at MWC 2025 would come from the usual sources, a twist arrived. Russia…
Amid the groundbreaking technology and impromptu demonstrations, our firewall logs took an unexpected turn. On the second day, our monitoring flagged an unusual event: a privilege escalation incident originating from a Russian source.


Our technical wizard, Jorge Quintero, promptly identified this as a potential high-risk incident, a scenario where an endpoint could be compromised. The logs showed a pattern consistent with C2 communications, leading to a swift investigation and immediate mitigation steps. In classic SNOC fashion, we made sure that any unwelcome intruder was swiftly dealt with before causing chaos. (It appears that even at MWC, cyber foes can't resist a good party!)

What particularly stood out in this IDS event was a carefully crafted plaintext script operating over port 80 using Internet Explorer (yes, still in use).

The triggered Snort signature also revealed two primary tactics being used:
- Initial Access
- Execution

Decoding the payload with public generative AI tools revealed consistent patterns of malicious behavior, including attempts to identify anti-malware tools (possibly to remove them and maintain control) and potentially to escalate privileges further.

Ultimately, our suspicions were confirmed (if any doubt remained) by insights from Talos and AlienVault threat intelligence. This IP address (belonging to the Russian Federation) had previously been flagged for malicious operations.

Day 3: Cryptomining — The Tale of the Good and the Evil
The third day brought an intriguing subject to our attention — cryptomining. From its modest origins to the current multi-billion-dollar industry, the evolution of crypto has expanded beyond just digital currency to innovative applications in the fintech sector, including NFTs and more.
Nevertheless, we have also seen this technology exploited by malicious actors, who target endpoints to hijack their computing resources for cryptomining.


Using public generative AI tools to interpret the plaintext, we recognized mining software (XMRig) establishing RPC connections to the Monero cryptocurrency network. It is worth noting that, while suspicious, this could still be a legitimate instance of an endpoint engaging in mining operations.

However, the malicious nature of this activity was once again corroborated by intelligence from Talos and AlienVault. The public IP address in use had previously been listed for malicious cryptomining activity.
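The two-step triage described above (recognize the miner in plaintext, then decide with threat intelligence) can be sketched as follows. This is an added example, not code from the SNOC or from Cisco: it assumes the Stratum-style JSON-RPC `login` message that XMRig sends when the pool connection is not wrapped in TLS, and the flows, addresses and reputation set are constructed for illustration.

```python
import json

# Constructed sample flows: plaintext TCP payloads as a passive IDS might log them.
# Addresses are from the RFC 5737 documentation ranges; the wallet is a placeholder.
LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":'
         b'"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.0.0","algo":["rx/0"]}}\n')
SAMPLE_FLOWS = [
    {"dst_ip": "203.0.113.10", "payload": LOGIN},
    {"dst_ip": "198.51.100.7", "payload": LOGIN},
    {"dst_ip": "198.51.100.20",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]

# Hypothetical reputation set standing in for a threat-intelligence lookup.
KNOWN_BAD_MINING_IPS = {"203.0.113.10"}


def parse_stratum_login(payload: bytes):
    """Return the params of a JSON-RPC 'login' message found in the payload, else None."""
    for line in payload.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:  # covers malformed JSON and undecodable bytes
            continue
        if (isinstance(msg, dict) and msg.get("method") == "login"
                and isinstance(msg.get("params"), dict)):
            return msg["params"]
    return None


def classify(flow: dict) -> str:
    """Combine payload evidence with destination reputation into a triage verdict."""
    params = parse_stratum_login(flow["payload"])
    if params is None:
        return "benign"
    if flow["dst_ip"] in KNOWN_BAD_MINING_IPS:
        return "malicious-mining"   # miner traffic to a destination already listed
    return "mining-unverified"      # may be a legitimate miner; needs analyst review


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        params = parse_stratum_login(flow["payload"]) or {}
        print(flow["dst_ip"], classify(flow), params.get("agent", "-"))
```

The middle verdict matters: the payload alone only proves that mining software is running, which is why the reputation lookup is a separate step.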

Day 4 Update and Recap!
Day 4 saw a decrease in activity, resulting in a threat-neutral day and allowing for comprehensive analysis and aggregation of the complete dataset from the event. Here are a couple of essential findings from the firewall analysis:
1. EVE (Encrypted Visibility Engine): Leading the way in encrypted traffic inspection.
Cisco's Encrypted Visibility Engine (EVE) has shown how much recent advancements matter. Monitoring at Fira was done entirely with IDS (Intrusion Detection System) in passive inspection mode. Even without decryption capabilities, we were able to detect risks within encrypted traffic and identify the sources generating those traffic streams.

2. Analytics driven by events, empowered by Splunk
The collaboration between Cisco and Splunk is a natural fit. Combining Cisco's broad security expertise and portfolio with Splunk's top-notch observability and adaptability allowed us to build powerful, actionable dashboards that the SNOC team could consume easily.
Below is the consolidated data for the whole event, covering connection activity, file events, and intrusion incidents, along with a categorized list of events identified throughout the conference.

This included DNS security blocks, which protected MWC attendees at Fira from harmful websites. Over 14,400 applications were observed on the MWC network.

Future Outlook
The unexpected event on Day 2 further highlighted a crucial lesson: in today’s extensively connected world, innovation should always be met with stringent security measures. As we review the achievements of MWC 2025, we are already devising improvements to our threat identification and incident response capabilities, drawing from our experiences at MWC, Black Hat, and NFL.
Cisco’s SNOC Team remains devoted to keeping a step ahead, converting challenges into opportunities for innovation and protection. Be it managing numerous connections or intercepting illicit C2 signals, we are equipped to ensure that the digital future remains as secure as it is brilliant.
While technology took the spotlight, the true heroes at the Security Booth were the committed individuals who brought these demonstrations and operations to life. A sincere thank you to: Alberto Torralba, Filipe Lopes, Jorge Quintero, Jervis Hui, Nirav Shah, John Cardani-Trollinger, and Emile Antone. Their expertise and dedication ensured that every demo ran flawlessly, capturing the attention of all visitors. Special thanks to Ivan Padilla Ojeda, our liaison with the network team, who helped interconnect all aspects within the SNOC.
Also, appreciation to those who assisted in preparing for the SNOC: Ivan Berlinson, Ryan Maclennan, Aditya Sankar, Seyed Khadem, Tony Iacobelli, Dallas Williams, Nicholas Carrieri, and Jessica Oppenheimer.
Concluding Remarks
The Mobile World Congress 2025 not only showcased the upcoming technological advancements but also exemplified how integrated, resilient security measures can protect even the most vibrant, high-pressure environments. The contrasting insights from Day 1 and Day 2 emphasize the importance of staying proactive, continually adapting, and consistently enhancing our defense strategies.

Thank you for accompanying us on this journey through MWC 2025, and keep an eye out for additional insights and behind-the-scenes anecdotes from MWC 2025. After all, in the tech realm, each day at the office is nothing short of extraordinary!
