New Insights into Cisco Device Breaches: Evolving Threats
A backdoor has been found in Cisco devices, implanted by exploiting two critical zero-day vulnerabilities in the IOS XE software. Security researchers from NCC Group’s Fox-IT report that the threat actor has upgraded this implant to evade previous detection methods. Their analysis indicates that the modified backdoor now includes an additional header check, which allows it to remain operational while only responding to requests with a specific Authorization HTTP header.
Exploiting vulnerabilities coded CVE-2023-20198 and CVE-2023-20273—both of which carry high-severity scores on the Common Vulnerability Scoring System (CVSS)—the attackers have developed a chain of exploits that facilitate unauthorized access. Through this method, they can establish privileged accounts and deploy a Lua-based implant on affected devices. This explosive attack vector has left thousands of devices vulnerable.
Cisco has begun the rollout of security updates aimed at addressing these vulnerabilities, though specific timelines for further updates remain undisclosed. Researchers have identified the extent of the compromise, estimating that potentially thousands of devices have been affected based on data sourced from VulnCheck and attack surface management firm Censys. While the precise identity of the threat actor is still unknown, the infections appear expansive, hinting at widespread exploitation tactics.
Mark Ellzey, a Senior Security Researcher at Censys, suggests that the scale of these infections resembles mass hacks. However, a recent analysis points to a marked decline in the number of compromised devices, suggesting potential remedial measures may have been implemented. The number of detected implant-infected devices has reportedly plummeted from approximately 40,000 to a few hundred in the past week, leading to speculation about operational concealment strategies employed by the attackers.
The Fox-IT team’s recent findings on the implant’s enhancements elucidate this sudden decline in numerical reports. They estimate that over 37,000 devices remain compromised, presenting a significant cybersecurity threat. This variance in reported device numbers indicates an ongoing issue that businesses must prioritize.
Cisco has confirmed these altered behaviors in its updated security advisories. They have provided a test command that can be executed from a workstation to verify the presence of the implant. If the command returns a hexadecimal string, it indicates the implant’s active status concurrently with its enhanced invisibility features.
The introduction of the header check appears to be a tactical move by the attackers to foil detection efforts. By impeding identification of compromised systems, the modifications have notably reduced the visibility of affected public-facing applications, complicating remediation efforts for businesses reliant on Cisco systems.
Understanding these attacks through the MITRE ATT&CK framework will be crucial for organizations looking to deepen their cybersecurity posture. Relevant tactics likely employed in the breach include initial access, persistence, and privilege escalation. This contextual framework aids businesses in not only apprehending the severity of the situation but also empowers them with the knowledge required to safeguard their networks against evolving threats.
As investigations continue, it’s imperative for businesses relying on Cisco devices to remain vigilant and proactive in applying the latest security updates and conducting thorough assessments of their networks to mitigate potential risks.
