Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection

October 24, 2023 at 05:45AM

The threat actor behind the recent Cisco device backdoor attack has modified the implant so that it no longer responds to the fingerprinting methods previously used to detect it. The attacks exploit zero-day vulnerabilities to gain access to devices and deploy a Lua-based implant. Cisco is rolling out security updates, but the identity of the threat actor remains unknown. The number of compromised devices being observed has dropped significantly, apparently because of these recent modifications to the implant.

Key Takeaways from the Meeting:
– Cisco devices have been targeted by a threat actor who exploited zero-day flaws in IOS XE software.
– The threat actor has modified the backdoor on the devices to escape detection.
– The implant now responds only if the correct Authorization HTTP header is set.
– The attacks use CVE-2023-20198 and CVE-2023-20273 to gain access, create a privileged account, and deploy a Lua-based implant.
– Cisco has started rolling out security updates to address the issues.
– The identity of the threat actor is unknown, but thousands of devices are estimated to be affected.
– The number of compromised devices has recently decreased, possibly due to changes made by the threat actor to hide their presence.
– Cisco has confirmed the changes and provided a curl command to check for the presence of the implant on devices.

Please note that this information is based on the meeting notes provided and may not represent the complete picture.
