Who is faster: a vendor fixing a newly discovered vulnerability, or attackers changing their tactics to keep exploiting it? That question is playing out this week as Cisco released software updates to address an issue in the company's IOS XE software.
Hackers quickly exploited the newly discovered critical zero-day bug to hijack thousands of Cisco switches and routers. On Sunday, Cisco released free software updates that address the vulnerabilities behind these compromises. In addition to the software update, Cisco strongly recommends that enterprises disable the HTTP Server feature on all internet-facing systems.
In a security advisory released on Monday, the company noted: "Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access," Cisco added. "The attacker can then use that account to gain control of the affected system."
Background on the vulnerability
The vulnerability, CVE-2023-20198, has been assigned a CVSS score of 10 (out of 10). According to Cisco, “hackers exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination." On Cisco IOS devices, privilege levels range from 0 to 15, and in practice most devices use only two of them: level 1 (user EXEC mode) and level 15 (privileged EXEC mode, the level reached by entering "enable"). A network manager with level 1 privileges can only access a handful of minor, non-configuration commands; for instance, the manager could issue a "ping" command. In contrast, level 15 privileges provide full access to all commands, including changing the running configuration and creating further accounts.
Attackers who exploited the vulnerability could then log in with the account they had created, initially with normal user access. Many went on to exploit another issue, CVE-2023-20273, a second IOS XE zero-day vulnerability, to escalate from that new local user to root on the underlying operating system. Once in a system at that level, they installed malware.
Censys, a cybersecurity company that provides internet-wide scanning data to enterprise threat hunting and exposure management efforts, found that, at one point last week, 41,983 exposed systems showed signs of compromise through this exploit chain.
Outmaneuvering the Cisco fix
Updating the IOS XE software and disabling the HTTP Server feature (the "no ip http server" and "no ip http secure-server" commands, or at minimum restricting the web UI to trusted addresses with "ip http access-class") should prevent additional exploits. But what of the systems that are already infected?
The Cisco Talos Intelligence Group released a detailed explanation of what the malicious actors did when exploiting the vulnerabilities. It noted that once they had gained privilege level 15 access to the device, created a local user, logged in with normal user access, and used that local user account to exploit the second vulnerability, they installed code (called an implant) that lets them execute arbitrary commands at the system level or the IOS level.
Over the last week, the number of compromised devices visible to internet scans dropped rapidly. Censys and others found that the count fell to about 1,200. Good news, right? Not really. Security firm Fox-IT noted that “the implant placed on tens of thousands of Cisco devices has been altered.” So the hackers are hiding their work rather than leaving: the implant is still there, it just no longer answers the scans that were counting it.
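For the question raised above, how to find devices that are already infected, Cisco's advisory published a simple check: send a POST request to /webui/logoutconfirm.html?logon_hash=1 on the device's web UI, and if the reply is a bare hexadecimal string instead of the normal logout page, the implant is present. The script below is an added example written for this article, not Cisco's, Talos's or Fox-IT's code; it implements that check over a list of devices, handles devices whose web UI is unreachable, and takes optional extra request headers because, as Fox-IT reported, the altered implant no longer answers unless a specific HTTP Authorization header is present. The sample responses and addresses are constructed for the offline demonstration, and the header value itself is not included here; the script assumes you supply it from the published fingerprint if you have it.

```python
"""Check Cisco IOS XE devices for the web UI implant left behind by the
CVE-2023-20198 / CVE-2023-20273 exploit chain, using Cisco's published
logoutconfirm check. Added example; not vendor code."""
import re
import ssl
import urllib.error
import urllib.request

# Cisco's published implant check: POST to this path on the device's web UI.
IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# A clean web UI answers with an HTML page; the implant answers with nothing
# but a hexadecimal string (Cisco's example reply is 18 hex characters).
HEX_BODY = re.compile(r"\A[0-9a-fA-F]{16,}\Z")


def body_indicates_implant(body: str) -> bool:
    """True when the response body consists solely of a hex string."""
    return HEX_BODY.fullmatch(body.strip()) is not None


def _urllib_fetch(url, headers, timeout):
    """Default fetcher: one POST over urllib. Device certificates are usually
    self-signed, so certificate verification is disabled for this check only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=b"", method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A 4xx/5xx still carries a body worth classifying.
        return err.code, err.read().decode("utf-8", "replace")


def check_host(host, scheme="https", extra_headers=None, timeout=5,
               fetch=_urllib_fetch):
    """Return a verdict dict: 'implant', 'clean', or 'unreachable'.

    extra_headers is where the Authorization header value from the Fox-IT
    fingerprint of the altered implant would go (assumed; value not included).
    """
    url = f"{scheme}://{host}{IMPLANT_CHECK_PATH}"
    headers = {"User-Agent": "ios-xe-implant-check"}
    if extra_headers:
        headers.update(extra_headers)
    try:
        status, body = fetch(url, headers, timeout)
    except OSError:  # URLError, ConnectionRefusedError, timeouts, etc.
        return {"host": host, "verdict": "unreachable", "status": None}
    verdict = "implant" if body_indicates_implant(body) else "clean"
    return {"host": host, "verdict": verdict, "status": status}


def scan(hosts, fetch=_urllib_fetch, extra_headers=None):
    """Run check_host over many devices and return the list of verdicts."""
    return [check_host(h, fetch=fetch, extra_headers=extra_headers) for h in hosts]


# Constructed sample responses for offline use; not captured from real devices.
SAMPLE_RESPONSES = {
    "198.51.100.10": (200, "0123456789abcdef01\n"),                # implant-style reply
    "198.51.100.11": (200, "<html><body>Logged out</body></html>"),  # clean web UI
    "198.51.100.12": ConnectionRefusedError("web UI disabled"),    # HTTP server off
}


def fake_fetch(url, headers, timeout):
    """Stand-in fetcher that serves SAMPLE_RESPONSES instead of touching the network."""
    host = url.split("://", 1)[1].split("/", 1)[0]
    result = SAMPLE_RESPONSES[host]
    if isinstance(result, Exception):
        raise result
    return result


if __name__ == "__main__":
    for verdict in scan(SAMPLE_RESPONSES, fetch=fake_fetch):
        print(verdict)
```

Run it against devices you own from a management host; replace fake_fetch with the default fetcher for real scanning. Because the altered implant answers like a clean device unless the expected Authorization header is present, a "clean" verdict from the plain check alone is not conclusive for a device that was exposed during the exploitation window; run the check both with and without the published header, and treat an "unreachable" result as "web UI off", not "not compromised".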