Cisco IOS XE Devices Under Siege: Widespread Hacks Exploit Critical Zero-Day Vulnerability

 

Cisco IOS XE Devices Under Siege: Widespread Hacks Exploit Critical Zero-Day Vulnerability

In a recent wave of cyber attacks, a critical zero-day vulnerability (CVE-2023-20198) has been exploited by attackers to compromise and infect numerous Cisco IOS XE devices. VulnCheck, a threat intelligence company, reports that the attacks have primarily targeted Cisco IOS XE routers and switches featuring the Web User Interface (Web UI) with the HTTP or HTTPS Server enabled.

VulnCheck's scan of internet-facing Cisco IOS XE web interfaces has identified thousands of compromised hosts, prompting the release of a specialized scanner to detect these malicious implants on affected devices.

Jacob Baines, CTO of VulnCheck, highlights the severity of the situation, noting that privileged access on IOS XE enables attackers to monitor network traffic, pivot into protected networks, and execute various man-in-the-middle attacks. As a precautionary measure, organizations using IOS XE systems are urged to assess potential compromises and take immediate action upon detection of implants.

While a patch is pending, Cisco advises organizations to protect themselves by disabling the web interface and removing all management interfaces from the internet. The disclosure by Cisco reveals that unauthenticated attackers can exploit the zero-day vulnerability to gain full administrator privileges, gaining remote control over affected devices.

Cisco first detected the CVE-2023-20198 attacks in late September after reports of unusual behavior on a customer device reached the Technical Assistance Center (TAC). Evidence suggests that attackers, creating local user accounts named "cisco_tac_admin" and "cisco_support," deployed malicious implants allowing the execution of arbitrary commands on compromised devices.

The company attributes the attacks to a single actor, indicating an initial testing phase in September, followed by an expansion of operations in October to establish persistent access through implant deployment. Administrators are strongly advised to scrutinize user accounts for signs of malicious activity and follow recommended mitigation measures.

This incident follows Cisco's earlier warning in September about another zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software, emphasizing the ongoing challenges in securing these widely-used systems. Stay informed and take proactive steps to protect your network against evolving cybersecurity threats.