Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices

Published: 23/11/2024   Category: security




A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.



In the latest in the saga of compromise involving a max-critical Cisco bug that was exploited as a zero-day while users waited for patches, several security researchers reported observing a sharp decline in the number of infected Cisco IOS XE systems visible to them over the weekend.
The drop sparked a range of theories as to why, but researchers from Fox-IT on Oct. 23 identified the real reason: the attacker had simply altered the implant so that it is no longer visible via the previous fingerprinting methods.
By way of background: The main bug being used in the exploit chain exists in the Web UI of IOS XE (CVE-2023-20198). It ranks 10 out of 10 on the CVSS vulnerability-severity scale, and gives unauthenticated, remote attackers a way to gain initial access to affected devices and create persistent local user accounts on them.
The exploit chain also involves a second zero-day (CVE-2023-20273), which Cisco only discovered while investigating the first one, and which allows the attacker to elevate privileges to root and write an implant to the file system. Cisco released updated versions of IOS XE addressing the flaws on Oct. 22, days after disclosure, giving cyberattackers ample opportunity to go after legions of unpatched systems.
And go after them they did. Security researchers using Shodan, Censys, and other tools last week reported observing what appeared to be a single threat actor infecting tens of thousands of affected Cisco IOS XE devices with an implant for arbitrary code execution. The implant itself is not persistent, meaning it won't survive a device reboot; the local user accounts the attacker creates via the first bug, however, do.
A sudden and dramatic drop over the weekend in the number of compromised systems visible to researchers caused some to speculate that an unknown grey-hat hacker was quietly removing the attacker's implant from infected systems. Others wondered if the attacker had moved to another exploit phase, or was doing some sort of clean-up operation to conceal the implant. Another theory was that the attacker was rebooting systems through the implant, which would wipe the non-persistent implant itself.
But it turns out that nearly 38,000 devices remain compromised via the two recently disclosed zero-day bugs in the operating system, if one knows where to look.
"We have observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding," the Fox-IT researchers said on X, the platform formerly known as Twitter. "This explains the much-discussed plummet of identified compromised systems in recent days."
By using another fingerprinting method to look for compromised systems, Fox-IT said it identified 37,890 devices with the attacker's implant still on them.
"We strongly advise everyone that has (had) a Cisco IOS XE WebUI exposed to the Internet to perform a forensic triage," the company added, pointing to its advisory on GitHub for identifying compromised systems.
Researchers from VulnCheck, who last week reported seeing thousands of infected systems, were among those who found the compromised devices suddenly disappearing from view over the weekend. CTO Jacob Baines, who initially was among those unsure about what might have happened, says Fox-IT's take on what happened is correct.
"Over the weekend the attackers changed the way the implant is accessed so the old scanning method was no longer usable," Baines says. "We've just recently altered our scanner to use the new method demonstrated by Fox-IT, and we are seeing essentially what we saw last week: thousands of implanted devices."
Cisco updated its guidance for detecting the implant on Oct. 23. In a statement to Dark Reading, the company said it released the new indicators of compromise after uncovering a variant of the implant that hinders the identification of compromised systems. "We strongly urge customers to implement the guidance and install the security fix outlined in Cisco's updated security advisory and Talos blog," the company said.
Baines says the attacker's motivation for altering the implant is puzzling and completely unexpected. "I think normally, when an attacker is caught, they go quiet and revisit the affected systems when the dust has settled. In this case, the attacker is attempting to maintain access to implants that dozens of security companies now know exist. To me, it seems like a game they can't win," Baines says. "It seems this username/password update must be a short-term fix so that they can either hold on to the systems for a few more days — and accomplish whatever goal — or just a stopgap until they can insert a more stealthy implant."
