October 23, 2023 at 05:07PM
Security researchers have observed a sharp decline in the number of infected Cisco IOS XE systems over the weekend. The reason behind this decline is that the attacker altered the implant, making it no longer visible via previous fingerprinting methods. However, nearly 38,000 devices remain compromised if one knows how to look for them. The attacker’s motivation for altering the implant remains puzzling.
Amid the latest developments around a maximum-severity Cisco bug, security researchers have noticed a sharp decline in the number of infected Cisco IOS XE systems. The decrease is attributed to the attacker modifying the implant so that it can no longer be detected with the previous fingerprinting methods.

The primary bug, in the web UI of IOS XE, allows unauthenticated remote attackers to gain initial access and create persistent local user accounts on affected devices. A second zero-day, discovered during the investigation, allows the attacker to elevate privileges to root and write an implant to the file system. Cisco has released updated versions of IOS XE that address both vulnerabilities, but attackers had already exploited unpatched systems.

Despite the drop in visibly compromised systems, around 38,000 devices remain compromised for anyone who knows where to look. The attacker altered the implant so that it checks for a particular Authorization HTTP header value before responding; the earlier fingerprinting requests do not carry that value and therefore no longer elicit a reply, so the count of identified compromised systems fell while the number of actual compromises did not. Anyone who has exposed the Cisco IOS XE web UI to the internet is advised to perform forensic triage to identify compromised systems.

The attacker's motive for altering the implant is unclear and unexpected, given that many security companies already know of its existence. One speculation is that the change is a stopgap until a stealthier implant can be deployed. Cisco has published guidance for detecting the implant and urges customers to apply the security fixes.