Count of Hacked Cisco IOS XE Devices Unexpectedly Plummets
From 36,541 to 1,200: Researchers Warn Attackers Have Disguised Infections

Cisco has released patches for two actively exploited zero-day vulnerabilities in the IOS XE operating system underlying the packet-pushing giant's ubiquitous networking devices. Security researchers are warning that the number of hosts apparently hacked using the vulnerabilities has suddenly plunged from 36,541 to about 1,200.
While the cause of the decline wasn't initially clear, security experts now report that attackers appear to have updated their IOS XE malware to block casual scanning attempts. Attackers' malicious web shell provides them with persistent, remote access to infected devices (see: Attackers Exploiting Cisco Zero-Day With Malicious Backdoor).
Researchers tracking the count of infected hosts by using an indicator of compromise detailed by the Cisco Talos threat intelligence group said attackers appeared to intensify their efforts Tuesday. That's when the researchers saw a sharp rise in the proportion of the approximately 80,000 internet-connected, vulnerable devices running Cisco IOS XE that displayed signs of being infected with the backdoor.
On Wednesday, cybersecurity firm Censys reported seeing a rise in infections from 34,140 to 41,983 hosts, declining to 36,541 infected hosts on Thursday. It ascribed the decline to administrators deactivating their devices' HTTP interface - a mitigation recommended by Cisco that makes the device no longer remotely accessible - or else taking the devices offline or altering their configuration in some other way. Censys said many of the infected systems it found traced to "telecommunications companies offering internet services to both households and businesses," based especially in the U.S. and the Philippines.
On Saturday, the number of hosts displaying signs of being infected with the malicious web shell suddenly dropped to 1,200, even while the number of internet-connected devices running IOS XE has remained steady in recent days at about 60,000, reported researchers at cybersecurity firm Onyphe.
The cause of the decline wasn't initially clear. The Onyphe researchers said their hypothesis is that the approximately 36,500 compromised hosts remain compromised but attackers have masked the indicators of compromise. Attackers may also have progressed to "another exploitation stage," they said. This could involve them moving laterally through victims' networks and dropping further malware to enable persistent, remote access.
Other security researchers also saw this as a likely scenario. "Let's be honest: if you shell 20,000-40,000 devices, why would your kill chain stop at that device?" said the security researcher known as Daniel C.
Later on Monday, cybersecurity firm Fox-IT, which is part of NCC Group, reported finding the exact cause of the decline. Over the weekend, it said, attackers updated their implant so that it checks for an HTTP Authorization header value with the correct username and password before responding to any scanning attempts.
"Using a different fingerprinting method, Fox-IT identifies 37,890 Cisco devices that remain compromised," it reported via LinkedIn. "We strongly advise everyone that has (had) a Cisco IOS XE WebUI exposed to the internet to perform a forensic triage," and has published steps for doing so to GitHub.
"This explains the much discussed plummet of identified compromised systems in recent days," said vulnerability intelligence firm VulnCheck via X, formerly known as Twitter. In other words, the count of compromised systems has not gone down, but rather slightly increased.
Cisco Talos confirmed attackers' change in tactics. "The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems," it said. "This header check is primarily used to thwart compromise identification using a previous version of the curl command provided by Talos." The researchers said they have now updated their curl command "to help enable identification of implant variants employing the HTTP header checks."
Cisco IOS XE Flaws
Cisco issued its first alert about these attacks on Oct. 16, warning that attackers had been exploiting a zero-day vulnerability in its Cisco IOS XE Software Web Management User Interface, designated CVE-2023-20198. The software is used to run numerous Cisco products, including routers, switches, wireless controllers, access points and more.
On Friday, Cisco said that it had identified a second vulnerability being exploited by the attackers, designated CVE-2023-20273.
On Sunday, Cisco released version 17.9.4a of Cisco IOS XE for its routing/SD-WAN and IoT products, which patches the vulnerabilities. The company said it plans to release that version of its software on Monday for its switching, wireless and SP access and pre-aggregation router products.
For older but still supported versions of Cisco IOS XE, the technology giant said it is still developing patched versions. Cisco has not yet said when it plans to release those updates, which will be Cisco IOS XE versions 17.6.6a, 17.3.8a, plus 16.12.10a - only used in some switching products.
Cisco said attackers have been placing a malware implant onto devices by exploiting these two IOS XE Software Web UI Feature vulnerabilities:
- CVE-2023-20198: The U.S. National Vulnerability Database reports that the privilege escalation vulnerability, which has a CVSS score of 10.0, "allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access," which is the highest level of privilege in IOS XE software. "The attacker can then use that account to gain control of the affected system" and log in as a user with normal access, it said.
- CVE-2023-20273: For this next part of the attack, Cisco said, "The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system." Cisco said this vulnerability has a CVSS score of 7.2.
Cisco Talos recommends all customers using vulnerable products review their system logs for signs of compromise, which can include any unknown user names, including cisco_tac_admin and cisco_support, as well as unknown filenames.
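As an added illustration (not code from the article, Cisco or Talos), the following Python triage helper applies the log-review advice above to a constructed IOS XE syslog excerpt: it flags WebUI logins by the two account names named here, logins by any account not on an administrator-supplied allowlist, and WebUI file-install operations by unknown users or of unknown files. The syslog message layouts used in the patterns are assumptions for this example and should be adjusted to real device logs.

```python
import re

# Account names the article says Talos associates with the campaign.
SUSPECT_USERS = {"cisco_tac_admin", "cisco_support"}

# Two IOS XE syslog messages worth checking during triage: a successful WebUI
# login and a WebUI file-install operation. The field layout assumed here is
# an approximation for this example; adjust the patterns to your own logs.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\]"
)
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\w+) (?P<file>\S+)"
)


def triage(lines, known_users, known_files):
    """Return (reason, value, line) tuples for log lines needing a human look."""
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            user = m.group("user")
            if user in SUSPECT_USERS:
                findings.append(("ioc_user", user, line))
            elif user not in known_users:
                findings.append(("unknown_user", user, line))
            continue
        m = INSTALL_RE.search(line)
        if m:
            user, fname = m.group("user"), m.group("file")
            if user in SUSPECT_USERS or user not in known_users:
                findings.append(("install_by_unknown_user", user, line))
            elif fname not in known_files:
                findings.append(("unknown_file", fname, line))
    return findings


# Constructed sample log excerpt (not real device output) for a quick run.
SAMPLE_LOG = [
    "*Oct 18 10:02:11.120: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5]",
    "*Oct 18 10:05:42.001: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.9]",
    "*Oct 18 10:06:03.318: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD unknown_service.conf",
    "*Oct 18 10:09:27.554: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: backup_svc] [Source: 10.0.0.7]",
]

if __name__ == "__main__":
    for reason, value, line in triage(SAMPLE_LOG, {"netops", "admin"}, set()):
        print(f"{reason:24} {value:20} {line}")
```

Any finding still deserves a full forensic triage of the device rather than being treated as proof of compromise on its own, since legitimate but undocumented accounts will also be flagged.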
Attackers appear to have been trying to cover their tracks since unleashing their mass exploitation campaign. In attacks investigated by Cisco Talos, responders found that after attackers had exploited the flaws to gain access to a device running Cisco IOS XE, "we observed the threat actor gathering information about the device and conducting preliminary reconnaissance," it said. "We also observed the attacker clearing logs and removing users, likely to hide evidence of their activity."
Cisco Talos reported that the same group of attackers appeared to begin testing the vulnerabilities on Sept. 18 and to have unleashed their attack at scale around Oct. 12, infecting devices with their custom-built backdoor implant, written in the Lua programming language.
Oct. 24, 2023 08:21 UTC: This story has been updated to include analysis and additional mitigation advice from Cisco Talos, Fox-IT and VulnCheck.