From 60,000 to 1,200: Researchers Warn Attackers May Have Disguised Infections
Cisco released patches for two actively exploited zero-day vulnerabilities in the IOS XE operating system underlying the packet-pushing giant’s ubiquitous networking devices. Security researchers are warning that the number of hosts apparently hacked using the vulnerabilities has suddenly plunged from 36,541 to about 1,200.
While the cause of the decline isn’t clear, one concern is that attackers might have hidden their tracks, retaining access to devices they already infected with a malicious web shell that provides persistent, remote access (see: Attackers Exploiting Cisco Zero-Day With Malicious Backdoor).
Researchers tracking the count of infected hosts by using an indicator of compromise detailed by the Cisco Talos threat intelligence group said attackers appeared to intensify their efforts Tuesday. That’s when they saw a sharp rise in the proportion of the approximately 80,000 internet-connected devices running vulnerable versions of Cisco IOS XE that displayed signs of being infected with the backdoor.
On Wednesday, cybersecurity firm Censys reported seeing a rise in infections from 34,140 to 41,983 hosts, declining to 36,541 infected hosts on Thursday. It ascribed the decline to administrators deactivating their devices’ HTTP interface – a mitigation recommended by Cisco that makes the device no longer remotely accessible – or else taking the devices offline or altering their configuration in some other way. Censys said many of the infected systems it found traced to “telecommunications companies offering internet services to both households and businesses,” based especially in the U.S. and the Philippines.
On Saturday, the number of hosts displaying signs of being infected with the malicious web shell suddenly dropped to 1,200, even though the number of internet-connected devices running IOS XE has remained steady in recent days at about 60,000, reported researchers at cybersecurity firm Onyphe.
The cause of the decline isn’t clear. The Onyphe researchers said their hypothesis is that the approximately 36,500 compromised hosts remain compromised but attackers have masked the indicators of compromise. Attackers may also have progressed to “another exploitation stage,” they said. This could involve them moving laterally through victims’ networks and dropping further malware to enable persistent, remote access.
Other security researchers also see this as a likely scenario. “Let’s be honest: if you shell 20,000-40,000 devices, why would your kill chain stop at that device?” said the security researcher known as Daniel C.
Cisco IOS XE Flaws
Cisco issued its first alert about these attacks on Oct. 16, warning that attackers had been exploiting a zero-day vulnerability in its Cisco IOS XE Software Web Management User Interface, designated CVE-2023-20198. The software is used to run numerous Cisco products, including routers, switches, wireless controllers, access points and more.
On Friday, Cisco said that it had identified a second vulnerability being exploited by the attackers, designated CVE-2023-20273.
On Sunday, Cisco released version 17.9.4a of Cisco IOS XE for its routing/SD-WAN and IoT products, which patches the vulnerabilities. The company said it plans to release that version of its software on Monday for its switching, wireless and SP access and pre-aggregation router products.
For older but still supported versions of Cisco IOS XE, the technology giant said it is still developing patched versions. Cisco has not yet said when it plans to release those updates, which will be Cisco IOS XE versions 17.6.6a, 17.3.8a, plus 16.12.10a – only used in some switching products.
Cisco said attackers have been placing a malware implant onto devices by exploiting these two IOS XE Software Web UI Feature vulnerabilities:
- CVE-2023-20198: The U.S. National Vulnerability Database reports that the privilege escalation vulnerability, which has a CVSS score of 10.0, “allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” which is the highest level of privilege in IOS XE software. “The attacker can then use that account to gain control of the affected system” and log in as a user with normal access, it said.
- CVE-2023-20273: For this next part of the attack, Cisco said, “The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system.” Cisco said this vulnerability has a CVSS score of 7.2.
Cisco Talos recommends all customers using vulnerable products review their system logs for signs of compromise, which can include any unknown user names, including cisco_tac_admin and cisco_support, as well as unknown filenames.
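As an added example (not code from Cisco Talos or the article), the check below audits a Cisco IOS XE running-config excerpt for two of the indicators discussed above: local accounts that are not on an allowlist, with the cisco_tac_admin and cisco_support names called out separately, and whether the web UI (`ip http server` / `ip http secure-server`) is still enabled, which is the exposure Cisco's mitigation removes. The config excerpt, hostname, account names other than the two from the advisory, and the KNOWN_ACCOUNTS allowlist are constructed for illustration.

```python
"""Audit an IOS XE running-config excerpt for unexpected local accounts and an
enabled web UI. Added example; the sample config below is constructed."""
import re

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholderhash
username cisco_tac_admin privilege 15 secret 9 $9$placeholderhash
username svc_tmp privilege 15 secret 9 $9$placeholderhash
username backup privilege 1 secret 9 $9$placeholderhash
ip http server
no ip http secure-server
"""

# Accounts the operations team actually created (assumed allowlist).
KNOWN_ACCOUNTS = {"netops", "backup"}
# Account names Cisco Talos lists as signs of compromise.
IMPLANT_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}
# Lines that enable the web UI; Cisco's mitigation is to negate them.
WEB_UI_LINES = ("ip http server", "ip http secure-server")

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def audit_config(config, known_accounts=KNOWN_ACCOUNTS):
    """Return the indicators found in one running-config excerpt."""
    report = {"implant_accounts": [], "unknown_accounts": [], "web_ui_enabled": []}
    for raw in config.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            name, priv = m.group(1), int(m.group(2) or 1)  # IOS default privilege is 1
            if name in IMPLANT_ACCOUNTS:
                report["implant_accounts"].append(name)
            elif name not in known_accounts:
                report["unknown_accounts"].append((name, priv))
        elif line in WEB_UI_LINES:  # a "no ip http ..." line does not match
            report["web_ui_enabled"].append(line)
    return report


def remediation_commands(report):
    """Config lines that disable whichever web UI listeners are still on."""
    return ["no " + line for line in report["web_ui_enabled"]]


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    print(result)
    print(remediation_commands(result))
```

Any hit in `implant_accounts` or `unknown_accounts` on a device that exposed its web UI warrants treating the device as compromised rather than just deleting the account, since the article notes attackers also cleared logs and removed users to hide their activity.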
Attackers appear to have been trying to cover their tracks since unleashing their mass exploitation campaign. In attacks investigated by Cisco Talos, responders found that after attackers had exploited the flaws to gain access to a device running Cisco IOS XE, “we observed the threat actor gathering information about the device and conducting preliminary reconnaissance,” it said. “We also observed the attacker clearing logs and removing users, likely to hide evidence of their activity.”
Cisco Talos reported that the same group of attackers appeared to begin testing the vulnerabilities on Sept. 18 and to have unleashed their attack at scale around Oct. 12, infecting devices with their custom-built backdoor implant, written in the Lua programming language.