October 17, 2023 at 09:20AM
Attackers have exploited a critical zero-day bug to compromise and infect Cisco IOS XE devices with malicious implants. Threat intelligence company VulnCheck found thousands of compromised hosts. Cisco has advised administrators to disable the vulnerable HTTP server feature and look for breach indicators. A patch is not yet available.
Key takeaways are as follows:
1. Attackers have exploited a critical zero-day bug (CVE-2023-20198) to compromise and infect numerous Cisco IOS XE devices with malicious implants.
2. The vulnerability has been extensively exploited to target Cisco IOS XE routers and switches that have the Web User Interface (Web UI) feature enabled and either the HTTP or the HTTPS Server feature turned on.
3. Threat intelligence company VulnCheck has identified thousands of compromised and infected hosts through scanning internet-facing Cisco IOS XE web interfaces.
4. Privileged access on IOS XE devices allows attackers to monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks.
5. While a patch is not yet available, organizations should disable the web interface and remove all management interfaces from the internet to protect their systems.
6. Cisco recommends applying mitigation measures, such as disabling the vulnerable HTTP server feature on all internet-facing systems, until a patch is released.
7. Cisco detected the attacks in late September and observed the creation of local user accounts named “cisco_tac_admin” and “cisco_support” by the attackers.
8. The attackers deployed malicious implants to execute arbitrary commands on compromised devices.
9. Administrators should look for suspicious or recently created user accounts as potential indicators of malicious activity related to this threat.
10. In addition to the current zero-day vulnerability (CVE-2023-20198), Cisco customers were previously cautioned to patch another zero-day vulnerability (CVE-2023-20109) in the company's IOS and IOS XE software.
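The two defensive steps above (disable the HTTP/HTTPS server feature; look for the reported user accounts) can be checked offline against an exported running-config. The following script is an added example written for this summary, not code from Cisco or from the article: it takes a constructed running-config excerpt (labelled as such; the secrets are placeholders), reports whether `ip http server` / `ip http secure-server` are left enabled, lists any configured usernames that match the names reported in the attacks, and emits the standard IOS XE commands for turning the web server off. The two sample configs and the helper names are assumptions; the `ip http server` / `no ip http server` command syntax is standard IOS XE.

```python
import re

# Constructed running-config excerpts (not captured from a real device) used to
# exercise the checks. One leaves the web UI exposed, the other has it disabled.
VULNERABLE_CONFIG = """\
hostname edge-router
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname edge-router
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Account names the article reports the attackers created on compromised devices.
SUSPICIOUS_USERNAMES = {"cisco_tac_admin", "cisco_support"}

# Interim mitigation: turn the HTTP and HTTPS servers off and save the config.
MITIGATION_COMMANDS = [
    "configure terminal",
    "no ip http server",
    "no ip http secure-server",
    "end",
    "write memory",
]

_HTTP_RE = re.compile(r"^(no )?ip http (server|secure-server)\s*$", re.MULTILINE)
_USER_RE = re.compile(r"^username (\S+)", re.MULTILINE)


def web_server_state(config: str) -> dict:
    """Return which of the HTTP and HTTPS servers the config leaves enabled.

    'ip http server' enables plain HTTP, 'ip http secure-server' enables HTTPS,
    and the 'no ...' form disables the feature. A feature the config does not
    mention at all is reported as None (unknown) so it gets verified on the
    device rather than assumed to be off.
    """
    state = {"http": None, "https": None}
    for m in _HTTP_RE.finditer(config):
        key = "http" if m.group(2) == "server" else "https"
        state[key] = m.group(1) is None  # no 'no ' prefix means enabled
    return state


def suspicious_accounts(config: str) -> list:
    """List configured usernames that match the names reported in the attacks."""
    return [u for u in _USER_RE.findall(config) if u in SUSPICIOUS_USERNAMES]


def assess(config: str) -> dict:
    """Run both checks; attach the mitigation commands when the web UI is exposed."""
    state = web_server_state(config)
    exposed = bool(state["http"] or state["https"])
    return {
        "web_ui_exposed": exposed,
        "web_server_state": state,
        "suspicious_accounts": suspicious_accounts(config),
        "mitigation": MITIGATION_COMMANDS if exposed else [],
    }


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess(cfg))
```

A config that omits the `ip http` lines entirely is reported as unknown rather than safe, because the default differs between releases and the only reliable answer comes from the device itself. The account check is deliberately narrow (it matches only the two names the article reports); any recently created or unexpected privilege-15 user still deserves a look, as the advisory's broader indicator guidance describes.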