Zero-Day Alert: Ten Thousand Cisco IOS XE Systems Now Compromised

October 17, 2023 at 03:19PM

Thousands of Internet-exposed Cisco IOS XE devices have been infected by a threat actor exploiting an unpatched vulnerability. Cisco has disclosed the flaw, which leads to arbitrary code execution on the device, with a maximum CVSS base score of 10.0. The attacks have a global footprint, and every compromised system carries the same implant, suggesting a single threat actor is behind them. Until a fix ships, Cisco recommends that organizations disable the HTTP Server feature (both HTTP and HTTPS) on Internet-facing devices, or restrict access to it with an access list. Cisco is working on a software fix.

Summary:

A threat actor has infected thousands of Internet-exposed Cisco IOS XE devices with an implant that allows arbitrary code execution. Initial access exploits an unpatched, maximum-severity vulnerability in the Web UI component of IOS XE, tracked as CVE-2023-20198, which lets an unauthenticated remote attacker create a local account with privilege level 15 (full administrator) on the device. With that account the attacker deploys a Lua-language implant, delivered via an older Web UI remote code execution flaw (CVE-2021-1435). The scope of the infections is larger than initially reported: at least 10,000 affected devices have been identified, spread across many countries, and the uniform implant points to a single actor. Early reporting described the activity as targeted, but the sheer number of exploited systems indicates indiscriminate, opportunistic exploitation. Cisco has not yet released a fixed software version; until one is available it recommends disabling the HTTP Server feature or restricting it with an access list, and encourages customers to implement the steps outlined in its security advisory.

Please refer to the security advisory and Talos blog for more details and updates.
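The Talos write-up referenced above publishes one quick implant check: an HTTP POST to `/webui/logoutconfirm.html?logon_hash=1` on a device whose web UI is reachable returns a hexadecimal string when the implant is present, whereas a clean device returns the normal logout page (or nothing if the web UI is disabled). The script below is an added triage helper written for this page, not code from Cisco, Talos, or the article: the URL path and the hex-string indicator come from Talos' published check, while the function names, the three result labels, and the "8 or more hex characters" threshold are this example's own assumptions. The classifier is kept separate from the network call so the detection logic can be exercised on constructed responses without touching a device.

```shell
#!/usr/bin/env bash
# Added triage example for the CVE-2023-20198 implant (not Cisco's or Talos' code).
# The probe URL and "hex string means implant" indicator follow Talos' published check;
# the labels and threshold below are this example's own choices.
set -u

# classify_webui_response BODY HTTP_CODE
# Prints one of: implant-suspected | webui-exposed | webui-unreachable
classify_webui_response() {
  local body="$1" code="$2"
  # curl reports 000 when no HTTP response was obtained (timeout, refused, TLS failure).
  if [ "$code" = "000" ]; then
    echo "webui-unreachable"
    return 0
  fi
  # Normalise: drop all whitespace/newlines so a bare token can be matched exactly.
  body="$(printf '%s' "$body" | tr -d '[:space:]')"
  # A body that is nothing but hex digits is the implant's reply; real logout
  # pages are HTML. Threshold of 8+ chars (assumption) avoids matching stray tokens.
  if printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]{8,}$'; then
    echo "implant-suspected"
  else
    # Got an HTTP response that is not the implant token: the Web UI is still
    # reachable from here, which is itself a finding while the bug is unpatched.
    echo "webui-exposed"
  fi
}

# probe_device HOST
# Performs the Talos check against one device and prints its classification.
probe_device() {
  local host="$1" tmp body code
  tmp="$(mktemp)"
  # -k: device web UIs usually present self-signed certificates.
  # -w '%{http_code}': print the status code (000 on connection failure).
  code="$(curl -sk -m 10 -o "$tmp" -w '%{http_code}' -X POST \
          "https://${host}/webui/logoutconfirm.html?logon_hash=1" 2>/dev/null)" || true
  [ -n "$code" ] || code="000"
  body="$(cat "$tmp")"
  rm -f "$tmp"
  classify_webui_response "$body" "$code"
}

# Usage: ./check_implant.sh router1.example.net 192.0.2.10 ...
# Hosts come only from the command line; none are built in.
for host in "$@"; do
  printf '%s\t%s\n' "$host" "$(probe_device "$host")"
done
```

Two caveats for anyone running this. First, a `webui-exposed` result on an Internet-facing interface is already actionable: the advisory's interim mitigation is `no ip http server` and `no ip http secure-server` in global configuration (followed by saving the running configuration), or, where the web UI must stay up, an `ip http access-class` ACL that limits it to trusted management addresses. Second, a clean probe does not prove a clean device: Talos notes the implant does not survive a reboot, but any privilege-15 local accounts created through CVE-2023-20198 do, so also review `show running-config | include username` and the device logs for accounts and configuration changes you did not make.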
