Cisco is warning customers that a new zero-day vulnerability impacting the company’s IOS XE software is being exploited to hack devices.
The critical vulnerability is tracked as CVE-2023-20198 and it has been described as a privilege escalation issue impacting the IOS XE web user interface, which comes with the default image. A remote, unauthenticated attacker can exploit the vulnerability to create an account that has the highest privileges — level 15 access — and use it to take control of the device.
“With this level of access, an attacker can modify network routing rules as well as open ports for access to attacker controlled servers for data exfiltration,” warned Scott Caveza, staff research engineer at Tenable. “When the attacker has this level of control and makes an administrative account with an innocuous name, it’s possible their activity could go undetected for quite some time.”
The vulnerability can be exploited from the network or directly from the internet if the targeted device is exposed to the web.
In a blog post published on Monday, Cisco’s Talos unit revealed that the company became aware of attacks exploiting CVE-2023-20198 on September 28, when its Technical Assistance Center (TAC) investigated unusual behavior on a customer’s device.
Further analysis showed that the malicious activity, which involved the creation of a new user account named ‘cisco_tac_admin’, started as early as September 18.
This activity appeared to end on October 1, but Cisco again started seeing malicious activity — presumably conducted by the same threat actor — on October 12.
While the September activity did not involve other actions beyond the creation of a new account, in October the hackers also deployed an implant. This implant, consisting of a configuration file, allows the attacker to execute arbitrary commands at system or IOS level.
For interaction with the implant, a new web server endpoint needs to be created, and the implant is only activated if this web server is restarted, which did not happen in all cases observed by Cisco.
The threat actor delivered the implant by exploiting CVE-2021-1435, an IOS XE command injection vulnerability patched by Cisco in March 2021. However, the company has also seen the implant being installed on devices patched against CVE-2021-1435 and the delivery mechanism in this case remains unknown for the time being.
The networking giant also noted that the implant is not persistent — it’s removed when the device is rebooted — but the accounts created by the attackers remain even after the system has been restarted.
“Both [activity] clusters appeared close together, with the October activity appearing to build off the September activity. The first cluster was possibly the actor’s initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant,” Cisco said.
The company’s blog post does not say who may be behind these attacks.
Cisco is working on a patch for CVE-2023-20198. Until it becomes available, the vendor recommends that customers disable the HTTP Server feature on their internet-facing systems. The company has also shared a list of indicators of compromise (IoCs) that organizations can use to check whether their devices have been hacked.
The US cybersecurity agency CISA has added CVE-2023-20198 to its Known Exploited Vulnerabilities Catalog, instructing government organizations to deploy mitigations by October 20.