Dive Brief:
- Cisco urged customers to immediately download a security fix addressing one critical and one high-severity vulnerability in Cisco IOS XE software, according to an updated bulletin released on Monday.
- An unidentified threat actor has been exploiting vulnerabilities in the web user interface to infect tens of thousands of devices with a malicious backdoor.
- Cisco Talos researchers issued enhanced detection guidance Monday, after a variant was found that temporarily prevented scanners from detecting malicious implants on thousands of devices.
Dive Insight:
Security researchers across the globe are scrambling to stop the attacks, after more than 40,000 devices worldwide were infected. Cisco IOS XE software is widely used in a variety of devices, including enterprise switches, wireless controllers, aggregation routers and access points.
A critical vulnerability, tracked as CVE-2023-20198, allowed the attacker to gain initial access and create a local username and password using privilege 15 commands. The second vulnerability, CVE-2023-20273, allowed the attacker to escalate privileges and write malicious implants to the file system.
Over the weekend, however, researchers were temporarily unable to detect the presence of the implants, making it appear as if they had disappeared. Researchers at Fox-IT said the attacker had upgraded the implant to check for a specific Authorization HTTP header.
“If this header is not set to a specific value, the implant will not respond with the hexadecimal string like it did before, making it indistinguishable from uncompromised devices,” Joost Gerritsen, a senior consultant at Fox-IT, said via email. “This change rendered the initial scanning method ineffective, leading to a decline in detection of compromised devices.”
The Cisco Talos blog now includes a curl command to confirm the presence of implants on a device.
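The detection change described above can be modelled in a few lines. The script below is an added example, not the curl command from the Cisco Talos blog and not code from Cisco, Talos or Fox-IT. It assumes, as the article states, that the implant replies with a hexadecimal string only when a specific Authorization header value is present; the web UI path (`IMPLANT_PATH`) and the header value (`IMPLANT_AUTH_HEADER_VALUE`) are placeholders, because the article does not give them, and must be taken from the published guidance. The HTTP sender is injectable so the two scanning generations can be compared offline against constructed fake device responses.

```python
"""Added example: a two-generation implant scanner for the Cisco IOS XE web UI
case. Placeholders and fake responses are labelled; nothing here is Talos' code."""
import re
import ssl
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# PLACEHOLDERS: substitute the path and header value from Cisco Talos' guidance.
IMPLANT_PATH = "/webui/PLACEHOLDER_PATH"
IMPLANT_AUTH_HEADER_VALUE = "PLACEHOLDER_AUTH_VALUE"

# The original scanning method keyed on a short, purely hexadecimal response body.
HEX_RESPONSE = re.compile(r"^[0-9a-fA-F]{8,}$")

# A sender takes (device, path, authorization value or None) and returns (status, body).
Sender = Callable[[str, str, Optional[str]], Tuple[int, str]]


def http_sender(device: str, path: str, auth_value: Optional[str]) -> Tuple[int, str]:
    """Real sender: POST to the device web UI over HTTPS. Certificate checks are
    disabled because device web UIs commonly use self-signed certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{device}{path}", data=b"", method="POST")
    if auth_value is not None:
        req.add_header("Authorization", auth_value)
    try:
        with urllib.request.urlopen(req, timeout=5, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace").strip()


def looks_like_implant(body: str) -> bool:
    """True when the body is the bare hexadecimal string the implant returns."""
    return bool(HEX_RESPONSE.match(body.strip()))


def scan_v1(device: str, send: Sender) -> bool:
    """Original method: probe the path with no Authorization header.
    Misses the upgraded implant, which stays silent without the header."""
    _, body = send(device, IMPLANT_PATH, None)
    return looks_like_implant(body)


def scan_v2(device: str, send: Sender) -> bool:
    """Updated method: send the Authorization value the upgraded implant expects."""
    _, body = send(device, IMPLANT_PATH, IMPLANT_AUTH_HEADER_VALUE)
    return looks_like_implant(body)


def fake_device(kind: str) -> Sender:
    """Constructed responses (not real captures) modelling three device states:
    'clean', 'implant_v1' (always answers) and 'implant_v2' (answers only when
    the Authorization header carries the expected value)."""
    not_found = (404, "<html>Not Found</html>")
    hex_reply = (200, "deadbeefcafef00d1234")  # constructed sample value

    def send(device: str, path: str, auth_value: Optional[str]) -> Tuple[int, str]:
        if path != IMPLANT_PATH or kind == "clean":
            return not_found
        if kind == "implant_v1":
            return hex_reply
        if kind == "implant_v2":
            return hex_reply if auth_value == IMPLANT_AUTH_HEADER_VALUE else not_found
        raise ValueError(f"unknown device kind: {kind}")

    return send


if __name__ == "__main__":
    # Offline demonstration of why detections dropped and why the updated check recovers them.
    for kind in ("clean", "implant_v1", "implant_v2"):
        dev = fake_device(kind)
        print(f"{kind:11s} v1={scan_v1('fake', dev)!s:5s} v2={scan_v2('fake', dev)!s}")
```

Running the script prints the comparison table for the three constructed device states: the header-gated implant is invisible to `scan_v1` and visible to `scan_v2`. Against a real device, call `scan_v2(device_ip, http_sender)` after filling in the two placeholders; a `False` from `scan_v1` alone should not be read as a clean result.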
The Cybersecurity and Infrastructure Security Agency added CVE-2023-20273 to its Known Exploited Vulnerabilities catalog on Monday.