October 19, 2023 at 07:06AM
Approximately 40,000 Cisco devices have been hacked through an unpatched vulnerability in the IOS XE. The vulnerability, identified as CVE-2023-20198, allows attackers to escalate privileges and gain control of the system. Cisco has not released patches and warns that the vulnerability has been exploited as a zero-day since mid-September. Vulnerability intelligence companies have detected compromised devices, and scans show tens of thousands are affected, with a majority in the United States. GreyNoise has observed attacks originating from 230 unique IP addresses.
Key takeaways from the meeting notes:
1. Around 40,000 Cisco devices have been hacked due to an unpatched IOS XE vulnerability.
2. The exploited vulnerability is CVE-2023-20198, which allows remote attackers to escalate privileges.
3. Cisco has not yet released patches for the vulnerability, which has been exploited since mid-September.
4. Attackers can create high-privileged accounts and take complete control of targeted devices.
5. An implant has been observed, enabling attackers to execute arbitrary commands.
6. The implant has been delivered via a known vulnerability (CVE-2021-1435) and possibly a previously unknown vulnerability.
7. VulnCheck conducted an internet scan and found 10,000 compromised switches and routers, with the number expected to increase.
8. Censys conducted scans and found 67,000 internet-exposed IOS XE web interfaces, with over 34,000 appearing to be backdoored.
9. The majority of compromised devices are in the United States, followed by the Philippines and Latin America. Other countries with significant infections include India, Thailand, Singapore, and Australia.
10. LeakIX initially reported the malicious implant on 30,000 Cisco devices but later discovered an additional 10,000 compromised systems.
11. GreyNoise has tracked attack attempts from 230 unique IP addresses using its honeypots.
Please let me know if you require any further information or assistance.