October 24, 2023 at 01:03PM
A significant number of Cisco devices have been hacked through two zero-day vulnerabilities, with the attackers updating their implant to maintain control. Initially, as many as 50,000 devices were found to have the implant, but that number has dropped. However, security experts warn that many compromised devices may still exist. Patches for the vulnerabilities are available, and indicators of compromise have been shared by Cisco. The implant is not persistent, but a high-privileged account created through the exploitation remains. The attack is similar to a recent operation targeting Barracuda ESG appliances.
Key takeaways from the meeting notes:
1. Unidentified hackers have been taking advantage of two new zero-day vulnerabilities in Cisco devices, namely CVE-2023-20198 and CVE-2023-20273.
2. These vulnerabilities allow the attackers to create high-privileged accounts on the affected devices and deploy a Lua-based backdoor implant, giving them complete control of the system.
3. Recent scans have shown a significant drop in the number of hacked devices, possibly due to the attackers updating their implant.
4. Patches are now available for both vulnerabilities.
5. Initial scans revealed that around 50,000 switches and routers were compromised, but subsequent scans have shown that the number dropped to 100, with speculation that the attackers were attempting to hide the implant.
6. Despite the decrease in numbers, security experts warn that many devices are likely still compromised even if they don’t appear during scans.
7. A new fingerprinting method by Fox-IT has identified nearly 38,000 Cisco devices still hosting the implant.
8. VulnCheck, a vulnerability intelligence firm, confirms that thousands of devices are still under the attackers’ control.
9. Cisco has discovered a new variant of the implant that hinders the identification of compromised systems. It adds a preliminary check for a specific HTTP authorization header.
10. The implant deployed by the threat actors is not persistent and gets removed upon device reboot. However, the high-privileged account created through CVE-2023-20198 remains on the device even after restart.
11. The campaign is similar to a recent operation targeting Barracuda ESG appliances, where China-linked APT gained deep access to systems, necessitating device replacement.
12. Cisco has shared indicators of compromise (IoCs) and instructions for checking if a device has been hacked.