October 22, 2023 at 01:42PM
The number of Cisco IOS XE devices hacked with a malicious backdoor implant has dramatically decreased from over 50,000 to only a few hundred. It is unclear why this decline has occurred, with researchers speculating that the threat actors may have deployed an update to hide their presence or a grey-hat hacker is rebooting the devices to clear the implant. The exact cause remains unknown.
Key points from the meeting notes:
– The number of Cisco IOS XE devices hacked with a malicious backdoor implant has significantly decreased from over 50,000 impacted devices to only a few hundred.
– Cisco warned about the exploitation of two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, which allowed hackers to create privileged user accounts and install a malicious Lua-based backdoor implant.
– The implanted Lua backdoor allows threat actors to remotely execute commands at the highest privilege level.
– While the implant does not persist after a reboot, any local users created during the attack remain.
– Cybersecurity firms and researchers have found approximately 60,000 publicly exposed Cisco IOS XE devices breached with the implant.
– The sudden decline in the number of devices with the implant is believed to be caused by the threat actors deploying an update to hide their presence or conducting trace cleaning.
– An alternative theory suggests that a grey-hat hacker may be automating the reboot of impacted devices to clear the implant.
– It is unclear whether the implants were simply rebooted or if new changes were made.
– Cisco has been contacted for more information but has not responded yet.
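Because the implant itself does not survive a reboot but any local accounts created during the attack do, a defender can compare a device's running configuration against a known-good baseline and flag privilege-15 local users that nobody on the team created. The following is an added example, not code from the article or from Cisco; the `show running-config` excerpt and the baseline user set are constructed for illustration.

```python
import re

# Constructed excerpt of `show running-config` from an IOS XE device
# (illustrative sample, not taken from any real device or the article).
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
"""

# Hypothetical baseline: accounts the administrators know they created,
# captured before the exploitation window.
BASELINE_USERS = {"netadmin", "monitor"}

# IOS-style local user lines: "username <name> [privilege <n>] ..."
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?",
    re.MULTILINE,
)


def local_users(config: str) -> dict[str, int]:
    """Map each locally defined username to its privilege level (IOS default is 1)."""
    users = {}
    for m in USERNAME_RE.finditer(config):
        users[m.group("name")] = int(m.group("priv") or 1)
    return users


def unexpected_privileged_users(config: str, baseline: set[str]) -> list[str]:
    """Return privilege-15 local accounts that are absent from the known baseline."""
    return sorted(
        name
        for name, priv in local_users(config).items()
        if priv == 15 and name not in baseline
    )


if __name__ == "__main__":
    for name in unexpected_privileged_users(SAMPLE_RUNNING_CONFIG, BASELINE_USERS):
        print(f"unexpected privilege-15 local account: {name}")
```

Run the check against configurations pulled from every exposed device, not only those where the implant is still visible, since a rebooted device can look clean while the added account remains.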