The number of Cisco devices compromised through two recently disclosed zero-day vulnerabilities remains very high; the sharp drop seen in recent internet scans was caused by the attackers updating their implant, not by devices being cleaned up.
Unidentified hackers have been exploiting the Cisco IOS XE vulnerabilities tracked as CVE-2023-20198 and CVE-2023-20273 to create high-privileged accounts on affected devices and deploy a Lua-based backdoor implant that gives them complete control of the system.
Patches are now available for both vulnerabilities.
Shortly after Cisco disclosed the existence of the first flaw, the cybersecurity community started scanning the internet for compromised devices and quickly found that as many as 50,000 switches and routers had the malicious implant.
A few days later, the number of devices showing the implant in scans dropped to roughly 100, prompting speculation that the attackers were trying to hide the implant. The security community warned that many devices were likely still compromised even if they no longer showed up in scans.
Cisco and others have confirmed that the attackers have updated the implant and compromised devices cannot be identified any longer using the initial scan method.
However, NCC Group-owned security firm Fox-IT found a new fingerprinting method and identified nearly 38,000 Cisco devices still hosting the implant.
Vulnerability intelligence firm VulnCheck has confirmed that thousands of devices are still under the attackers’ control.
Cisco has confirmed uncovering a new variant that “hinders identification of compromised systems”. This second version, which attackers started deploying on October 20, has roughly the same core functionality but adds a preliminary check for a specific HTTP Authorization header: requests that lack the expected header value no longer receive the implant's telltale response.
“The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems. This header check is primarily used to thwart compromise identification using a previous version of the curl command provided by Talos. Based on the information assessed to date, we believe the addition of the header check in the implant likely resulted in a recent sharp decline in visibility of public-facing infected systems,” Cisco explained.
The networking giant has shared indicators of compromise (IoCs) and instructions for checking whether a device has been hacked.
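The following probe is an added example, not Cisco's or Talos' own tooling, that shows why the header check blinded the original curl-based scan and how a checker can account for it. It sends the same POST twice, once without and once with an Authorization header, and classifies the replies. The endpoint path is the one used by the public curl check; the exact Authorization value the second variant looks for is not reproduced on this page, so it is taken from the operator as an argument rather than hard-coded.

```python
"""Probe a Cisco IOS XE web UI for the implant's HTTP response, with and
without an Authorization header, so the header-gated variant is not missed.
Added example; assumptions are marked in comments."""
import re
import ssl
import sys
import urllib.error
import urllib.request

# Path used by the public curl check (assumed here to be unchanged).
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# An infected device answers the POST with a bare hexadecimal string; a clean
# device returns the normal logout page (HTML) or an HTTP error.
HEX_RE = re.compile(r"[0-9a-fA-F]{8,}")


def looks_like_implant_reply(status, body):
    """True when the reply is a bare hex token on HTTP 200."""
    return status == 200 and HEX_RE.fullmatch(body.strip()) is not None


def assess(results):
    """Turn per-variant results into a verdict. Absence of a response is
    reported as inconclusive: the implant may be hidden or may have been
    removed by a reboot while the attacker's account remains."""
    verdicts = {k: v[0] for k, v in results.items()}
    if verdicts.get("no_header") == "implant":
        return "implant: answers without Authorization header (original check still works)"
    if verdicts.get("with_header") == "implant":
        return "implant: answers only with Authorization header (header-gated variant)"
    if verdicts and all(v == "error" for v in verdicts.values()):
        return "unreachable"
    return "no implant response (not proof the device is clean)"


def probe(host, auth_value=None, timeout=10):
    """POST to the implant path, first without and then (if a value was
    supplied) with an Authorization header. Returns {variant: (verdict, detail)}."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # device certificates are usually self-signed (curl -k)
    variants = [("no_header", {})]
    if auth_value:
        variants.append(("with_header", {"Authorization": auth_value}))
    results = {}
    for name, extra in variants:
        req = urllib.request.Request(
            f"https://{host}{IMPLANT_PATH}", data=b"", method="POST",
            headers={"User-Agent": "ios-xe-implant-check", **extra})
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            status, body = err.code, err.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError) as err:
            results[name] = ("error", str(err))
            continue
        results[name] = ("implant" if looks_like_implant_reply(status, body) else "clean", status)
    return results


if __name__ == "__main__":
    # usage: python check.py <device-ip> [authorization-header-value]
    target = sys.argv[1]
    auth = sys.argv[2] if len(sys.argv) > 2 else None
    res = probe(target, auth)
    print(res)
    print(assess(res))
```

Run it from a host that can reach the device's web UI over HTTPS. A "no implant response" verdict after a reboot is expected even on a device that was compromised, since the implant does not survive a restart; the account check in the section below is the complementary test.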
It’s worth noting that the implant deployed by the threat actor is not persistent: it is removed when the device is rebooted. The high-privileged account created through the exploitation of CVE-2023-20198, however, remains on the device after a restart, so a device that no longer responds to implant scans can still be under the attackers' control and must be checked for unexpected accounts.
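Because the account outlives the implant, the more durable check is the running configuration. The script below is an added example, not part of Cisco's published guidance: it parses `show running-config` output, lists local users with privilege 15 that are not on an operator-supplied allowlist, and reports whether the HTTP(S) web UI service (the component the vulnerabilities sit in) is enabled. The sample configuration, including the user name `websupport`, is constructed for the example.

```python
"""Audit 'show running-config' output for unexpected privilege-15 local
users and for an enabled web UI. Added example with constructed input."""
import re

USER_RE = re.compile(r"^\s*username\s+(\S+)(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")
HTTP_RE = re.compile(r"^\s*(no\s+)?ip http (secure-)?server\s*$")

# Constructed sample; only the lines this audit cares about are included.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructedhash1
username monitor privilege 1 secret 9 $9$constructedhash2
username websupport privilege 15 secret 9 $9$constructedhash3
no ip http server
ip http secure-server
"""


def local_users(config_text):
    """Map each local username to its privilege level (IOS default is 1)."""
    users = {}
    for line in config_text.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        p = PRIV_RE.search(rest)
        users[name] = int(p.group(1)) if p else 1
    return users


def unexpected_admins(config_text, allowlist):
    """Privilege-15 users that the operator did not expect to exist."""
    return sorted(
        user for user, priv in local_users(config_text).items()
        if priv == 15 and user not in allowlist
    )


def web_ui_enabled(config_text):
    """Whether 'ip http server' / 'ip http secure-server' are active.
    A later 'no ip http ...' line overrides an earlier enable."""
    state = {"http": False, "https": False}
    for line in config_text.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue
        key = "https" if m.group(2) else "http"
        state[key] = m.group(1) is None
    return state


if __name__ == "__main__":
    known_admins = {"netops"}
    print("unexpected privilege-15 users:", unexpected_admins(SAMPLE_CONFIG, known_admins))
    print("web UI:", web_ui_enabled(SAMPLE_CONFIG))
```

Feed it the real configuration (for example `show running-config | include username|ip http`) and a list of admin accounts you provisioned yourself; anything else at privilege 15 deserves investigation, and an exposed web UI should be restricted or disabled until the device is patched.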
This malicious campaign is reminiscent of the recent operation in which a China-linked APT targeted Barracuda ESG appliances. The attackers gained deep access to targeted systems, to the point where the vendor and the FBI urged victims to replace compromised devices.