“Disappearing” implants, followed by first fixes for exploited Cisco IOS XE zero-day
Cisco has released the first fixes for the IOS XE zero-day (CVE-2023-20198) exploited by attackers to ultimately deliver a malicious implant.
The fixes were made available on Sunday, but a curious thing happened the day before: several cybersecurity companies and organizations noticed a drastic reduction in the number of internet-facing Cisco devices that were saddled with the implant.
The reason behind that change is still unclear, but several theories have been put forward.
The attackers leveraged two zero-days (CVE-2023-20273)
On October 16, Cisco revealed that attackers have been spotted exploiting one previously unknown vulnerability (CVE-2023-20198) and an older one (CVE-2021-1435) in the web UI of Cisco IOS XE software to create highest-privilege accounts and install an implant/backdoor on internet-facing network devices.
On October 20 (i.e., this past Friday), the company amended its findings and confirmed that the attackers did not, in fact, exploit CVE-2021-1435.
“It was investigated early on because a Snort signature fired early (it was seen in the telemetry), but as more information was gathered on the exploit it was determined it was not correlated,” a Cisco spokesperson told Help Net Security.
Instead, the attackers leveraged a zero-day (CVE-2023-20273) in another component of the WebUI feature to run the implant.
The implant is not able to persist across a reboot, the company said, but the accounts created by the attackers must be revoked/invalidated by enterprise defenders to remove the possibility of renewed access by the threat actors.
CVE-2023-20198 fixes released
Cisco has shared indicators of compromise to help security teams detect whether their organizations’ devices have been compromised.
The first fixed release for Cisco IOS XE is now available, but fixes only CVE-2023-20198, the flaw that allows the creation of high-privilege accounts (i.e., admin accounts).
Until the other fixes are released, organizations are urged to disable the HTTP Server feature to eliminate the attack vector for these vulnerabilities.
Make sure your devices haven’t been compromised
After the public announcement of the attacks in progress, cybersecurity firms scanned the internet for reachable devices that appear to have the backdoor installed and found between 40,000 and 50,000 of them.
On Saturday, though, most of those implants couldn’t be detected anymore.
While it’s possible that many organizations have simply rebooted their Cisco devices to quickly remove the non-persistent implant, it’s unlikely that it happened so quickly and at such a scale.
CERT Orange Cyberdefense posited that someone has been cleaning up the implant’s traces on a massive scale. A coordinated action by the attackers – or maybe law enforcement or a white-hat hacker – seems the most plausible theory.
“We already received trusted intel about this cleaning step – but not in a massive way,” Orange Cyberdefense security experts noted.
“We have to assume that equipment where the implant was here till yesterday – but no longer today, is still corrupt – and is maybe in another exploitation stage,” they added, and advised organizations to investigate to make sure that no malicious users have been added to their devices and that their configuration has not been altered.
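Added example (not from the article, Cisco, or Orange Cyberdefense): a small Python audit of a saved IOS XE running-config that checks the two things the advice above points at, the HTTP Server feature still enabled and privilege-15 local accounts that are not on an operator-supplied allowlist. The config text, hostnames and account names are constructed for illustration.

```python
"""Audit a Cisco IOS XE running-config for two conditions defenders are
told to check: the web UI (HTTP Server feature) still enabled, and local
privilege-15 accounts that the operator did not create themselves."""
import re

# Constructed running-config excerpt; hypothetical names, not real IoCs.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc-webadmin privilege 15 secret 9 $9$PLACEHOLDER
username readonly privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
end
"""

# IOS XE local account line: "username <name> privilege <level> ..."
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def http_services(config: str) -> dict:
    """Which web UI listeners are on. A disabled feature appears as
    'no ip http server' / 'no ip http secure-server', so an exact-line
    match on the enabling form is what we want."""
    lines = {line.strip() for line in config.splitlines()}
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
    }


def privilege15_users(config: str) -> list:
    """Local accounts configured at privilege 15 (full admin)."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and int(m.group(2)) == 15:
            users.append(m.group(1))
    return users


def audit(config: str, known_good: set) -> list:
    """Return findings as strings; an empty list means both checks passed."""
    findings = []
    for name, enabled in http_services(config).items():
        if enabled:
            findings.append(f"web UI exposed: {name} listener enabled")
    for user in privilege15_users(config):
        if user not in known_good:
            findings.append(f"unexpected privilege-15 account: {user}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"netops"}):
        print(finding)
```

Run it against `show running-config` output saved to a file; any privilege-15 account you cannot account for is what the Orange Cyberdefense advice above asks you to look for.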
UPDATE (October 24, 2023, 03:20 a.m. ET):
After uncovering a new variant that hinders identification of compromised systems, Cisco has updated the security advisory with new guidance to detect the presence of the implant, a Cisco spokesperson told Help Net Security.
“[The implant] has been altered to check for an Authorization HTTP header value before responding,” Fox-IT researchers shared on Monday.
“This explains the much discussed plummet of identified compromised systems in recent days. Using a different fingerprinting method, Fox-IT identifies 37890 Cisco devices that remain compromised.”
UPDATE: October 31, 06:30 a.m. ET