The Future of Warehouse Work: Amazon’s New Robots and Their Impact
20/10/202341 States Sue Meta Over Instagram’s Harm to Young Users
24/10/2023Cisco Zero-Day Exploited to Install Malicious Backdoor on Over 40,000 Devices
If you are using a Cisco device running IOS XE software, you might want to check if it has been compromised by a malicious backdoor. A new zero-day vulnerability (CVE-2023-20273) has been discovered and exploited by an unknown threat actor to gain full control over thousands of Cisco switches, routers, and wireless LAN controllers.
What is the Cisco Zero-Day Vulnerability?
The zero-day vulnerability is a privilege escalation flaw in the web UI feature of Cisco IOS XE software. It allows an unauthenticated remote attacker to create an account on the affected device with privilege-level access, which grants them complete control over the device. The attacker can then monitor network traffic, inject and redirect network traffic, and perform any number of man-in-the-middle attacks.
The vulnerability is part of an exploit chain that involves another zero-day vulnerability (CVE-2023-20198) that was disclosed earlier this week. This vulnerability allows an attacker to gain initial access to the device by sending a specially crafted HTTP request to the web UI feature. The attacker then uses the newly created account to exploit the second vulnerability and install a malicious Lua-based implant on the device.
How Many Devices Are Affected?
According to security firm VulnCheck, more than 41,000 Cisco devices running the vulnerable IOS XE software have been infected by the implant as of October 20, 2023. The primary targets of this attack are not large corporations but smaller entities and individuals. A quarter of all impacted devices are in the US. While obtaining the precise count of Internet-exposed Cisco IOS XE devices is challenging, a current Shodan search reveals that over 146,000 vulnerable systems are susceptible to potential attacks.
How to Detect and Mitigate the Attack?
Cisco has not yet released a software patch for the vulnerabilities, but it has provided some workarounds and detection methods for customers. The company recommends disabling the HTTP server feature on the devices or restricting access to it using access control lists or firewall rules. It also advises customers to check for any unauthorized accounts or processes on their devices using various commands and tools.
Cisco has also published indicators of compromise (IOCs) for the implant, such as file names, hashes, and network signatures. Customers can use these IOCs to scan their devices and networks for any signs of infection. Additionally, customers can use Cisco Secure Endpoint (formerly AMP for Endpoints) or Cisco Secure Network Analytics (formerly Stealthwatch) to detect and block the implant activity.
What are the Implications of this Attack?
This attack is a serious threat to the security and privacy of Cisco customers and their networks. It shows that even well-known and widely used devices can have critical vulnerabilities that can be exploited by skilled and persistent attackers. It also demonstrates the importance of applying security best practices, such as keeping software updated, disabling unnecessary features, and monitoring network activity.
The attack also raises questions about the origin and motive of the threat actor behind it. Who are they? What are they after? How long have they been active? How did they discover the vulnerabilities? These are some of the questions that security researchers and authorities will try to answer in the coming days.
Conclusion
The Cisco zero-day vulnerability is a major security incident that affects tens of thousands of devices worldwide. It allows an attacker to install a malicious backdoor on vulnerable devices and gain full control over them. Customers should take immediate action to protect their devices from this attack and follow Cisco’s guidance for detection and mitigation. They should also stay tuned for any updates from Cisco regarding a software fix for the vulnerabilities.