Headline
Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.
In the latest in the saga of compromise involving a max-critical Cisco bug that has been exploited as a zero-day as users waited for patches, several security researchers reported observing a sharp decline in the number of infected Cisco IOS XE systems visible to them over the weekend.
The drop sparked a range of theories as to why, but researchers from Fox-IT on Oct. 23 identified the real reason as having to do with the attacker simply altering the implant, so it is no longer visible via previous fingerprinting methods.
By way of background: The main bug being used in the exploit chain exists in the Web UI of IOS XE (CVE-2023-20198). It ranks 10 out of 10 on the CVSS vulnerability-severity scale, and gives unauthenticated, remote attackers a way to gain initial access to affected devices and create persistent local user accounts on them.
The exploit method also involves a second zero-day (CVE-2023-20273), which Cisco only discovered while investigating the first one, which allows the attacker to elevate privileges to root and write an implant on the file system. Cisco released updated versions of IOS XE addressing the flaws on Oct. 22, days after disclosure, giving cyberattackers ample opportunity to go after legions of unpatched systems.
Sudden Decline in Compromised Systems
And go after them they did. Security researchers using Shodan, Censys, and other tools last week reported observing what appeared to be a single threat actor infecting tens of thousands of affected Cisco IOS XE devices with an implant for arbitrary code execution. The implants are not persistent, meaning they won’t survive a device reboot.
A sudden and dramatic drop over the weekend in the number of compromised systems visible to researchers caused some to speculate if an unknown grey-hat hacker was quietly removing the attacker’s implant from infected systems. Others wondered if the attacker had moved to another exploit phase, or was doing some sort of clean-up operation to conceal the implant. Another theory was that the attacker was using the implant to reboot systems to get rid of the implant.
But it turns out that nearly 38,000 remain compromised via the two recently disclosed zero-day bugs in the operating system, if one knows where to look.
Altered Cisco Implant
“We have observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding,” the Fox-IT researchers said on X, the platform formerly known as Twitter. “This explains the much-discussed plummet of identified compromised systems in recent days.”
By using another fingerprinting method to look for compromised systems, Fox-IT said it identified 37,890 devices with the attackers implant still on them.
“We strongly advise everyone that has (had) a Cisco IOS XE WebUI exposed to the Internet to perform a forensic triage,” the company added, pointing to its advisory on GitHub for identifying compromised systems.
Researchers from VulnCheck who last week reported seeing thousands of infected systems, were among those who found the compromised devices suddenly disappearing from view over the weekend. CTO Jacob Baines, who initially was among those unsure about what might have happened, says Fox-IT’s take on what happened is correct.
“Over the weekend the attackers changed the way the implant is accessed so the old scanning method was no longer usable,” Baines says. “We’ve just recently altered our scanner to use the new method demonstrated by Fox-IT, and we are seeing essentially what we saw last week: thousands of implanted devices.”
Cisco updated its guidance for detecting the implant on October 23. In a statement to Dark Reading, the company said it released the new indicators of compromise after uncovering a variant of the implant that hinders the identification of compromised systems. “We strongly urge customers to implement the guidance and install the security fix outlined in Cisco’s updated security advisory and Talos blog,” the company said.
Puzzling Cyberattacker Motivations
Baines says the attacker’s motivation for altering the implant is puzzling and completely unexpected. “I think normally, when an attacker is caught, they go quiet and revisit the affected systems when the dust has settled.”
In this case, the attacker is attempting to maintain access to implants that dozens of security companies now know exist.
“To me, it seems like a game they can’t win,” Baines says. “It seems this username/password update must be a short-term fix so that they can either hold on to the systems for a few more days — and accomplish whatever goal — or just a stopgap until they can insert a more stealthy implant.”
Related news
Among the top exploited zero-day vulnerabilities were bugs found in systems from Citrix and Cisco.
This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f...
Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices
Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first
A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.
By Deeba Ahmed It is unclear how long Cisco will take to release a patch. This is a post from HackRead.com Read the original post: Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices
Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of be more security resilient.
Categories: Exploits and vulnerabilities Categories: News Tags: Cisco Tags: IOS X Tags: remote management Tags: vulnerability Tags: CVE-2023-20198 Tags: webUI Tags: http server Tags: http secure-server Researchers have found that a recently disclosed vulnerability in Cisco IOS XE has already rendered thousands of compromised devices. (Read more...) The post Cisco IOS XE vulnerability widely exploited in the wild appeared first on Malwarebytes Labs.
Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices with an implant for arbitrary code execution on them. The vendor meanwhile has updated the advisory with more mitigation steps.
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have
By Waqas Another day, another critical vulnerability hits Cisco! This is a post from HackRead.com Read the original post: New Cisco Web UI Vulnerability Exploited by Attackers
No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory Cisco will provide updates on the status of this investigation and when a software patch is available.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.