IOS XE zero-day attacks compromised around 10,000 Cisco devices


By MYBRANDBOOK


IOS XE zero-day attacks compromised around 10,000 Cisco devices

Over 10,000 Cisco IOS XE devices have been compromised by attackers who used a key zero-day defect that was just recently made public in order to implant malware. Enterprise switches, aggregation and industrial routers, access points, wireless controllers, and other items are among the equipment running Cisco IOS XE software.   

 

As per threat intelligence company VulnCheck, the maximum severity vulnerability (CVE-2023-20198) has been extensively exploited in attacks targeting Cisco IOS XE systems with the Web User Interface (Web UI) feature enabled, that also have the HTTP or HTTPS Server feature toggled on. 

 

VulnCheck scanned internet-facing Cisco IOS XE web interfaces and discovered thousands of infected hosts. The company has also released a scanner to detect these implants on affected devices. 

 

Cisco cautioned administrators to disable the vulnerable HTTP server feature on all internet-facing systems until a patch becomes available. 

 

Cisco detected the CVE-2023-20198 attacks in late September following reports of unusual behavior on a customer device received by Cisco's Technical Assistance Center (TAC). Evidence of these attacks' dates back to September 18, when the attackers were observed creating local user accounts named "cisco_tac_admin" and "cisco_support." 

 

Moreover, the attackers deployed malicious implants using CVE-2021-1435 exploits and other unknown methods, enabling them to execute arbitrary commands at the system or IOS levels on compromised devices. 

 

"We assess that these clusters of activity were likely carried out by the same actor. Both clusters appeared close together, with the October activity appearing to build off the September activity. The first cluster was possibly the actor's initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant," Cisco said. 

 

The company also issued a "strong recommendation" for administrators to look for suspicious or recently created user accounts as potential signs of malicious activity linked to this threat.

 E-Magazine 
 VIDEOS  Placeholder image

Copyright www.mybrandbook.co.in @1999-2024 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.
Other Initiatives : www.varindia.com | www.spoindia.org