Cisco Reports Critical Zero-Day Exploit Affecting Thousands of Devices Running IOS XE Software

by time news

Title: Thousands of Cisco Networks Infected by Zero-Day Vulnerability

Subtitle: Critical zero-day vulnerability exploited by unknown threat actor, compromising over 10,000 devices

Date: October 17, 2023

In a concerning development, networking giant Cisco has reported that an undisclosed threat actor is actively exploiting a critical zero-day vulnerability in devices running IOS XE software. Cisco researchers have labeled the infections as a “cluster of activity.”

According to security firm VulnCheck, the cluster has now grown to encompass more than 10,000 switches, routers, and other Cisco devices. All of the compromised devices have been implanted with malware, granting the attacker remote execution capabilities at the deepest levels of the compromised systems.

Jacob Baines, the CTO of VulnCheck, expressed his concern about the situation, stating that “VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.”

VulnCheck estimates that approximately 10,000 implanted systems have been fingerprinted so far, although the number is expected to rise as the scan continues. The security firm has only scanned about half of the devices listed on Shodan/Censys.

Despite the lack of a software patch from Cisco, the company is urging customers to take immediate protective measures. This includes implementing temporary measures to prevent further exploitation of vulnerable devices and conducting comprehensive scans to identify any backdoors.

The zero-day vulnerability, tracked as CVE-2023-20198, carries the maximum severity rating of 10. It resides in the Web User Interface of Cisco IOS XE software, so any switch, router, or wireless LAN controller running IOS XE with the HTTP or HTTPS Server feature enabled and exposed to the Internet is vulnerable. As of Monday, the Shodan search engine estimated that up to 80,000 Internet-connected devices might be affected.

Members of Cisco’s Talos security team have warned that successful exploitation of this vulnerability allows the attacker to gain full control of the compromised device, potentially enabling them to perform unauthorized activities on the network. Cisco has strongly advised affected entities to follow the steps outlined in their PSIRT advisory to mitigate the risk.

The threat actor has been observed exploiting the zero-day vulnerability since at least September 18. After gaining access as an authorized user, the attacker creates a local user account and then deploys the implant. The implant does not survive a reboot, but the local user accounts do, so they remain active afterwards.

The implant, written in the Lua programming language, consists of 29 lines of code that allow arbitrary command execution once an HTTP POST request is made to the compromised device. The Talos team has observed distinct instances of the implant, but some devices share the same hardcoded strings, suggesting those strings serve as a form of authentication for the command execution.

Administrators are strongly urged to search their networks for signs of compromise, including unexplained or newly created users on devices. One way to identify the presence of an implant is to run a specific command against the device.
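As an added illustration of the configuration review the article recommends (not code from Cisco, Talos, or VulnCheck), the script below audits an IOS XE running-config excerpt for the two indicators the article names: whether the HTTP/HTTPS server feature that exposes the Web UI is enabled, and whether any local accounts exist beyond a known-good baseline. The config excerpt, the hostname, the usernames, and the baseline set are all constructed for this example; `ip http server` and `ip http secure-server` are the real IOS XE configuration lines for that feature.

```python
import re

# Constructed sample of an IOS XE running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username tmpadmin privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Known-good local accounts for this device, maintained out of band (assumed baseline).
BASELINE_USERS = {"netadmin"}

# Matches 'username <name> [privilege <n>] ...'; privilege is optional in IOS syntax.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)

def web_ui_exposure(config: str) -> dict:
    """Report whether the HTTP and/or HTTPS server feature is enabled.
    A disabled server shows up as 'no ip http server' / 'no ip http secure-server',
    which does not match the enabled form and so is reported as False."""
    lines = {line.strip() for line in config.splitlines()}
    return {"http": "ip http server" in lines,
            "https": "ip http secure-server" in lines}

def unexpected_users(config: str, baseline: set) -> list:
    """Return (username, privilege) for local accounts not in the baseline.
    IOS defaults the privilege level to 1 when the line omits it."""
    found = []
    for name, priv in USERNAME_RE.findall(config):
        if name not in baseline:
            found.append((name, int(priv) if priv else 1))
    return found

def audit(config: str, baseline: set) -> dict:
    """Combine both checks; review_required flags a device that needs a closer look."""
    exposure = web_ui_exposure(config)
    users = unexpected_users(config, baseline)
    enabled = exposure["http"] or exposure["https"]
    return {"web_ui_enabled": enabled,
            "unexpected_users": users,
            "review_required": enabled or bool(users)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, BASELINE_USERS))
```

Feed it the output of `show running-config` from each device; a hit on either check is a prompt for the fuller implant checks in the vendor advisory, not proof of compromise on its own.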

VulnCheck has released its own scanner to aid in detecting compromised systems.

The severity of this vulnerability and the large number of compromised networks highlight the urgent need for immediate action. Cisco device administrators are advised to assume their devices are compromised if they had the Web UI exposed and to thoroughly review the provided advisories for recommended steps.

October 17, 2023, 2:50 pm Eastern. This article has been updated with new information about how many systems are infected.
