Cisco Finds Second Zero-Day as Number of Hacked Devices Apparently Drops

Cisco has found a second zero-day vulnerability that has been exploited in recent attacks as the number of hacked devices has started dropping.

Cisco has found a second actively exploited IOS XE zero-day vulnerability, with the company disclosing it just as the number of hacked devices appears to have dropped significantly.

The networking giant warned customers last week that threat actors have been exploiting a zero-day since at least mid-September. The critical flaw, tracked as CVE-2023-20198, affects the IOS XE web interface and can be exploited by remote, unauthenticated attackers to create high-privileged accounts on targeted Cisco devices.

After creating new accounts on devices and gaining root privileges on the system, the attackers have been observed delivering a Lua-based implant that enables them to execute arbitrary commands. 

Cisco initially said the attackers exploited an older IOS XE command injection vulnerability tracked as CVE-2021-1435 to deploy the implant, but noted that it had also detected attacks on systems patched against this vulnerability, suggesting that another zero-day may be involved.

The company has now confirmed that a second zero-day has been exploited to deliver the implant. This new security hole is tracked as CVE-2023-20273.

“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access,” Cisco explained in its advisory. “The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system.”

CVE-2021-1435 is no longer believed to be involved in these attacks, Cisco said.

When it first disclosed the attacks, Cisco only provided mitigations, but the company has now released patches for both vulnerabilities. However, in addition to installing the patches, organizations will need to perform other actions to clean up their systems. 

Various cybersecurity companies have been scanning the internet for systems hacked as part of this campaign and at one point identified more than 40,000 compromised Cisco switches and routers, with some seeing as many as 53,000 devices.  

The cybersecurity community is now seeing a sharp drop in the number of infected devices, with the Shadowserver Foundation finding the backdoor on only 100 systems. 

CERT Orange Cyberdefense believes the attackers may be trying to hide the implant and warned that there are still likely many hacked devices, even if they no longer show up in scans.

It’s worth noting that while the account created via the exploitation of CVE-2023-20198 is persistent, the implant is not, and it gets removed when the device is rebooted.
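A defender-side check for the persistent artifact described above, a local privilege 15 account that survives a reboot even after the implant is gone, as an added example that is not part of the original article or of Cisco's advisory: it parses a constructed `show running-config` excerpt and reports any `username ... privilege 15` entry absent from an assumed baseline allowlist. The sample config, the account names and the baseline are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches IOS XE local-user lines such as:
#   username admin privilege 15 secret 9 $9$...
# The privilege keyword is optional; when absent the account is privilege 1.
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?(?P<rest>.*)$"
)

@dataclass(frozen=True)
class LocalUser:
    name: str
    privilege: int

def parse_local_users(running_config: str) -> list[LocalUser]:
    """Extract local user accounts from 'show running-config' text."""
    users = []
    for line in running_config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            priv = int(m.group("priv")) if m.group("priv") else 1
            users.append(LocalUser(m.group("name"), priv))
    return users

def unexpected_priv15_users(running_config: str, baseline: set[str]) -> list[str]:
    """Privilege-15 accounts not in the approved baseline. Unlike the Lua implant,
    an account created via CVE-2023-20198 persists across reboots, so the running
    config is the place to look for it."""
    return sorted(
        u.name for u in parse_local_users(running_config)
        if u.privilege == 15 and u.name not in baseline
    )

# Constructed sample: one approved admin, one operator, one account with the
# default privilege, and one unexpected privilege-15 account (name is made up).
SAMPLE_CONFIG = """\
hostname edge-router-01
username netadmin privilege 15 secret 9 $9$REDACTED
username monitor privilege 3 secret 9 $9$REDACTED
username svc_backup secret 9 $9$REDACTED
username unexpected_user privilege 15 secret 9 $9$REDACTED
"""
APPROVED_ADMINS = {"netadmin"}  # assumed baseline for this device

if __name__ == "__main__":
    for name in unexpected_priv15_users(SAMPLE_CONFIG, APPROVED_ADMINS):
        print(f"review: unapproved privilege-15 local user '{name}'")
```

Run against real `show running-config` output, the baseline should come from the organisation's own inventory of approved administrative accounts per device.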

No information is available on who may be behind these attacks or what their goal may be. 

The US cybersecurity agency CISA has released guidance for addressing CVE-2023-20198 and CVE-2023-20273. It has also added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, instructing federal agencies to immediately address them.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
