October 17, 2023 at 04:49PM
More than 10,000 Cisco IOS XE devices have been compromised and infected with malicious implants through a zero-day bug. The vulnerability has been exploited in attacks on devices running Cisco IOS XE software with the Web User Interface feature and HTTP/HTTPS Server feature enabled. Security company VulnCheck has released a scanner to detect these implants and is urging organizations to disable the web interface and remove management interfaces from the internet until a patch is available. Cisco has advised administrators to disable the vulnerable HTTP server feature on internet-facing systems.
Key Takeaways from the Meeting Notes on Cisco IOS XE Zero-Day Bug Compromise:
1. Attackers have exploited a critical zero-day bug to compromise and infect over 10,000 Cisco IOS XE devices.
2. The affected products include enterprise switches, aggregation and industrial routers, access points, wireless controllers, and more.
3. The vulnerability (CVE-2023-20198) has been extensively exploited in attacks targeting Cisco IOS XE systems with the Web UI feature enabled and the HTTP or HTTPS Server feature toggled on.
4. Thousands of compromised and infected hosts have been discovered through a scanner released by threat intelligence company VulnCheck.
5. Privileged access on the compromised systems allows attackers to monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks.
6. Organizations using IOS XE systems are advised to determine if their systems have been compromised and take appropriate action. Disabling the web interface and removing management interfaces from the internet immediately can provide additional protection.
7. VulnCheck has fingerprinted approximately 10,000 implanted systems and is continuing to scan additional devices listed on platforms such as Shodan and Censys.
8. A Shodan search currently shows over 140,000 Internet-exposed devices with Cisco Web UI enabled.
9. Cisco recommends applying mitigation measures, such as disabling the vulnerable HTTP server feature, until a patch is available.
10. Cisco detected the attacks in late September and observed the attackers creating local user accounts and deploying malicious implants on compromised devices.
11. Administrators should look for suspicious or recently created user accounts as potential signs of malicious activity.
12. In September, Cisco had also cautioned customers to patch another zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software, targeted by attackers.
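The mitigation and detection advice in items 6, 9, 12 and 14 can be turned into an offline configuration audit. The script below is an added example written for this summary; it is not Cisco's guidance tooling nor VulnCheck's scanner. It parses a constructed `show running-config` sample (hostnames, usernames and the `$9$placeholder` secrets are made up), reports whether the HTTP and HTTPS server listeners that expose the Web UI are enabled, lists local user accounts that are not in an operator-maintained baseline (the page's "suspicious or recently created user accounts"), and prints the config-mode commands that turn the listeners off. The `ip http server` / `ip http secure-server` and `username ... privilege N` syntax is standard IOS configuration syntax; treating an absent line as "not enabled" is a simplification of this example, so confirm the live state on the device itself.

```python
"""Offline audit of a Cisco IOS XE running-config for the two things the
advisory asks administrators to check: whether the HTTP/HTTPS server (and
therefore the Web UI) is reachable, and which local accounts exist that the
operator did not create. Example code, not a vendor tool."""
import re

# Constructed sample of `show running-config` output. Nothing here comes from
# a real device; the second username is deliberately absent from the baseline.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup2 privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Local accounts the operator knows about. Anything else needs a second look,
# since the attacks in the advisory created new local users on the device.
EXPECTED_USERS = {"netadmin"}

# `username NAME [privilege N] ...`; privilege defaults to 1 when omitted.
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")


def http_server_state(config: str) -> dict:
    """Return {'http': bool, 'https': bool} from the explicit config lines.

    'ip http server' enables the plain-HTTP listener, 'no ip http server'
    disables it; the secure-server lines work the same way for HTTPS. A later
    line overrides an earlier one. Absence of both forms is treated as
    disabled here, which is a simplification of this example.
    """
    state = {"http": False, "https": False}
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "ip http server":
            state["http"] = True
        elif stripped == "no ip http server":
            state["http"] = False
        elif stripped == "ip http secure-server":
            state["https"] = True
        elif stripped == "no ip http secure-server":
            state["https"] = False
    return state


def local_users(config: str) -> list:
    """Return (name, privilege) for every local `username` entry."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users.append((m.group(1), int(m.group(2) or 1)))
    return users


def unexpected_users(config: str, expected: set) -> list:
    """Local accounts that are not in the operator baseline."""
    return [(n, p) for n, p in local_users(config) if n not in expected]


def mitigation_commands(state: dict) -> list:
    """Config-mode commands that disable whichever listeners are on."""
    cmds = []
    if state["http"]:
        cmds.append("no ip http server")
    if state["https"]:
        cmds.append("no ip http secure-server")
    return cmds


def audit(config: str, expected: set) -> dict:
    state = http_server_state(config)
    return {
        "http_server": state,
        "unexpected_users": unexpected_users(config, expected),
        "mitigation": mitigation_commands(state),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, EXPECTED_USERS)
    print("HTTP listeners enabled:", report["http_server"])
    for name, priv in report["unexpected_users"]:
        print(f"REVIEW: local account '{name}' (privilege {priv}) not in baseline")
    for cmd in report["mitigation"]:
        print("apply in config mode:", cmd)
```

Run it against a saved `show running-config` from each IOS XE device instead of the embedded sample; an account flagged here is a prompt for the investigation the advisory calls for, not proof of compromise on its own. Where a management workflow depends on the Web UI, the page's guidance is to keep the interface off the internet rather than leave it exposed while a patch is pending.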