October 23, 2023 at 06:21PM
Cisco has released a patch for a critical bug in its IOS XE software that allowed criminals to exploit thousands of devices. However, the patch seems to be ineffective as the attackers have updated their implants to evade detection. A new variant of the implant hinders identification of compromised systems. The number of compromised devices dropped significantly, but the attackers modified the implant code, allowing them to maintain access to the compromised systems.
Key Takeaways from Meeting Notes:
1. Cisco has released a patch (software release 17.9.4a) to fix a critical bug in its IOS XE software that allowed criminals to hijack thousands of Cisco switches and routers.
2. However, the patch seems to have been largely useless as those who exploited the vulnerabilities upgraded the implant to evade detection.
3. New scanning methods show that thousands of devices still remain compromised.
4. Cisco has updated its security advisory to provide enhanced guidance for detecting the presence of the implant.
5. The implant developers have altered the code to check for an Authorization HTTP header value before responding, which has caused a decrease in the number of identified compromised systems.
6. Companies with a Cisco IOS XE WebUI exposed to the internet are advised to perform a forensic triage and can use a scanning and detection tool released by Fox-IT.
7. Security firms like VulnCheck continue to detect thousands of implanted devices, indicating that the attackers are still actively maintaining access to compromised systems.
8. It is surprising that the attackers modified the implant instead of abandoning the campaign, indicating that they are playing a game they can’t win.
9. The updated implant is seen as a short-term fix and may be replaced with a more stealthy implant in the future.