Tens of Thousands of Cisco Devices Hacked via Zero-Day Vulnerability


October 18, 2023 at 07:00AM

Tens of thousands of Cisco IOS XE devices have been hacked through a newly disclosed zero-day vulnerability, CVE-2023-20198, in the software's web user interface. Cisco is working on a patch, but in the meantime customers are advised to implement mitigations. The vulnerability allows attackers to gain elevated privileges and complete control over targeted systems. Cybersecurity companies have found the resulting implant on over 10,000 compromised devices, with the actual number likely to be higher. A tool for detecting the malicious implant has been made available.

Key points:

– Tens of thousands of Cisco devices have been hacked through a newly disclosed IOS XE zero-day vulnerability (CVE-2023-20198).
– Cisco is working on a patch and has urged customers to implement mitigations in the meantime; its advisory recommends disabling the HTTP Server feature on internet-facing systems ("no ip http server" and "no ip http secure-server", both if both are enabled), which removes the web UI attack surface.
– The vulnerability allows remote, unauthenticated attackers to create local accounts with privilege level 15, the highest IOS XE privilege level, giving them complete control of the targeted system.
– Cisco has observed two activity clusters involving exploitation of the vulnerability, which it attributes to the same threat actor.
– In some cases, after gaining access the attackers deployed the implant by exploiting an older IOS XE web UI vulnerability (CVE-2021-1435).
– Two cybersecurity companies, VulnCheck and LeakIX, reported seeing the malicious implant on tens of thousands of Cisco devices.
– VulnCheck conducted an internet scan and found over 10,000 compromised switches and routers, but the actual number is likely higher.
– LeakIX reported seeing the implant on roughly 30,000 Cisco devices, including many in the United States, Philippines, and Latin America.
– There are over 140,000 Cisco IOS XE devices exposing their web user interface according to a Shodan search.
– VulnCheck has released an open source tool for scanning the malicious implant.
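The following is an added example for triaging a device, not VulnCheck's scanner or any Cisco code. The implant check it sends is the one Cisco Talos published for this implant (a POST to /webui/logoutconfirm.html?logon_hash=1 on the device; a reply consisting of a bare hexadecimal string means the implant answered). It also audits a saved "show running-config" for privilege 15 accounts outside an operator-supplied allowlist, since the exploit creates such accounts, and reports whether the web UI server feature is still enabled. The sample running-config, hostname and account names are constructed for the example; the host and allowlist are whatever you pass on the command line.

```python
import re
import ssl
import urllib.error
import urllib.request
from typing import Iterable, Optional, Tuple

# Check published by Cisco Talos: an infected device answers this POST with a bare hex string.
IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"
HEX_BODY = re.compile(r"[0-9a-fA-F]{8,}")
# Local accounts at privilege 15 as they appear in `show running-config`.
PRIV15_USER = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.MULTILINE)


def implant_check_url(host: str, port: int = 443) -> str:
    return f"https://{host}:{port}{IMPLANT_CHECK_PATH}"


def fetch_implant_check(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """POST the check to one device. Returns (HTTP status, body); status is None on network failure.
    Certificate verification is disabled because IOS XE web UIs usually present self-signed certs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(implant_check_url(host, port), data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a body worth inspecting
        return err.code, err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify_implant_response(status: Optional[int], body: str) -> str:
    """'implant' if the body is a bare hex string, 'no_implant' for any other HTTP reply,
    'unknown' if the device never answered. 'no_implant' only means the implant is not
    listening right now; accounts created through the vulnerability persist and must still be audited."""
    if status is None:
        return "unknown"
    if HEX_BODY.fullmatch(body.strip()):
        return "implant"
    return "no_implant"


def find_unexpected_priv15(running_config: str, allowlist: Iterable[str]) -> list:
    """Privilege 15 local users that are not on the operator's allowlist."""
    allowed = set(allowlist)
    return [user for user in PRIV15_USER.findall(running_config) if user not in allowed]


def web_ui_exposure(running_config: str) -> dict:
    """Whether the HTTP and/or HTTPS server feature (the vulnerable web UI) is enabled.
    'no ip http server' lines do not match because the patterns are anchored at line start."""
    return {
        "http": re.search(r"^ip http server$", running_config, re.MULTILINE) is not None,
        "https": re.search(r"^ip http secure-server$", running_config, re.MULTILINE) is not None,
    }


# Constructed sample config (not from a real device): one expected admin, one unexpected level 15 account.
SAMPLE_RUNNING_CONFIG = """\
!
version 17.3
hostname edge-router
!
username netadmin privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""


def triage_device(running_config: str, allowlist: Iterable[str], status: Optional[int], body: str) -> dict:
    """Combine the three checks into one verdict for a device."""
    return {
        "implant": classify_implant_response(status, body),
        "unexpected_priv15": find_unexpected_priv15(running_config, allowlist),
        "web_ui": web_ui_exposure(running_config),
    }


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <host> [allowed_user ...]; the config audit here runs on the sample config.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    status, body = fetch_implant_check(host) if host else (None, "")
    print(triage_device(SAMPLE_RUNNING_CONFIG, sys.argv[2:] or ["netadmin"], status, body))
```

Run the network check only against devices you are authorized to test, and feed the config audit a freshly captured running-config rather than the startup-config: the accounts and the implant are written to the running state, and a device that has been rebooted loses the implant but keeps any account that was saved.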
