
Cisco Devices Hacked with Modified Backdoor for Stealthy Operations

The recent compromise of Cisco devices through the exploitation of zero-day vulnerabilities in IOS XE software has taken a concerning turn. The threat actors, showing a sophisticated understanding of the landscape, have adapted their tactics to evade conventional detection methods.

NCC Group’s Fox-IT team discovered a significant modification to the backdoor implanted in Cisco devices. The threat actor enhanced the implant to perform an additional header check, rendering it practically invisible unless the correct Authorization HTTP header is set. This evolution in tactics poses a challenge for traditional network security measures.

Exploiting CVE-2023-20198 and CVE-2023-20273: An Infiltration Chain

The attacks leverage CVE-2023-20198 and CVE-2023-20273 in tandem, creating an exploit chain that grants threat actors access to compromised devices. This chain enables the creation of privileged accounts and the deployment of a Lua-based implant on the affected devices. The severity of these vulnerabilities, indicated by their high CVSS scores, underscores the urgency for robust cybersecurity measures.

Cisco’s Response and Ongoing Threat

Cisco has begun releasing security updates to address the vulnerabilities, with further updates planned for release at an undisclosed date. However, the identity of the threat actor remains unknown, complicating efforts to assess the full extent of the compromise. Despite Cisco’s efforts, the number of affected devices, estimated to be in the thousands, remains a cause for concern.

Security researchers, including Mark Ellzey from Censys, note that the infections resemble mass hacks. Although the exact motives are unclear, the recent drop in compromised devices from around 40,000 to a few hundred raised suspicions that something had changed under the hood. Fox-IT’s discovery of modifications in the implant explains the discrepancy, revealing that over 37,000 devices may still be compromised.

Cisco’s Guidance for Detection

In response to the evolving threat, Cisco has acknowledged the behavioral changes and provided guidance for detecting the presence of the implant. By issuing a specific curl command from a workstation, administrators can check for the implant: if the device responds with a hexadecimal string, the implant is present.
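A defender-side check built on that guidance, added here as an example and not part of the original post or of Cisco's advisory: it probes each device twice, once without and once with the Authorization header, so that the modified variant (which only answers when the header is set) is not missed. The request path, the HTTP method (POST) and the expected header value are assumptions marked as placeholders below and must be taken from Cisco's advisory.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional

# PLACEHOLDERS: the post does not give Cisco's exact request path or the header
# value the modified implant expects; fill both in from Cisco's advisory.
IMPLANT_CHECK_PATH = "/PLACEHOLDER-path-from-cisco-advisory"
IMPLANT_AUTH_VALUE = "PLACEHOLDER-authorization-value-from-cisco-advisory"

# The implant answers with a bare hexadecimal string; a normal web UI reply is HTML.
HEX_MARKER = re.compile(r"[0-9a-fA-F]{8,}")

def is_hex_marker(body: str) -> bool:
    """True when the response body is nothing but a hex string."""
    return HEX_MARKER.fullmatch(body.strip()) is not None

def classify(body_without_header: str, body_with_header: str) -> str:
    """Combine both probes: the modified implant only reveals itself with the header."""
    if is_hex_marker(body_without_header):
        return "original-implant"
    if is_hex_marker(body_with_header):
        return "modified-implant"
    return "no-marker"

def probe(device: str, auth_value: Optional[str], timeout: float = 5.0) -> str:
    """Send one check request (POST, as an assumption) and return the body as text."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # device web UIs usually carry self-signed certs
    req = urllib.request.Request(f"https://{device}{IMPLANT_CHECK_PATH}", method="POST")
    if auth_value is not None:
        req.add_header("Authorization", auth_value)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # non-2xx replies still carry a body
        return err.read().decode("utf-8", "replace")

def check_device(device: str) -> str:
    """Probe without and then with the Authorization header and classify the pair."""
    return classify(probe(device, None), probe(device, IMPLANT_AUTH_VALUE))

if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(f"{host}: {check_device(host)}")
```

A device that answers with the hex string only when the header is present is running the modified variant, which is exactly the case a single header-less curl would report as clean.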


