Heimdal

Over 40,000 Cisco devices running the IOS XE operating system have been compromised after threat actors exploited a recently disclosed vulnerability, tracked as CVE-2023-20198.

At the time of writing this article, there is neither a fix nor a workaround for the issue, so customers are only advised to “disable the HTTP Server feature on all internet-facing systems”.

Tens of Thousands of Devices Have Been Exposed as a Result

Around 10,000 Cisco IOS XE devices were initially thought to have been compromised, but as security researchers scanned the internet for a more precise count, the number of compromised devices kept rising.

LeakIX, a search engine that indexes services and web applications exposed on the public internet, reported finding roughly 30,000 affected devices on Tuesday, not counting systems that had been rebooted.

The search used Cisco’s indicators of compromise (IoCs) to assess whether CVE-2023-20198 had been successfully exploited on an exposed device and turned up thousands of affected hosts in Chile, the Philippines, and the United States. On Wednesday, using the same verification procedure from Cisco, it was reported that more than 34,500 Cisco IOS XE IP addresses carried a malicious implant resulting from exploitation of CVE-2023-20198.

The Vulnerability Persists Even After the Device Is Rebooted

Threat actors had been exploiting CVE-2023-20198 as a zero-day since before September 28 to set up a high-privilege account on vulnerable hosts and gain complete control of the device, but Cisco only publicly disclosed it on Monday.

Cisco’s advisory was updated today with new attacker IP addresses, identities, and rules for Snort, the open-source network intrusion detection and prevention system.

Security researchers note that the malicious implant used by the threat actors has no persistence and is removed when the device reboots. However, the new accounts it helped create remain in place and “have level 15 privileges”, meaning full administrator access to the device, so rebooting the device alone does not remediate the compromise.
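Because the implant disappears on reboot but the privilege-15 accounts and the exposed HTTP server do not, a defender's first post-reboot check is the running configuration. The following audit is an added example, not code from the article or from Cisco: it parses `show running-config` text (a constructed sample is embedded) for the standard IOS XE `ip http server` / `ip http secure-server` lines and for `username … privilege 15` accounts that are not on an expected allowlist; the allowlist and the account names are assumptions.

```python
import re

# Constructed sample of `show running-config` output (not a real device capture).
# "netadmin" is the assumed legitimate admin; "svc_backup" is a made-up unexpected account.
SAMPLE_CONFIG = """\
!
hostname edge-router
!
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
"""

# Matches "ip http server", "ip http secure-server" and their "no ..." forms only;
# other "ip http ..." lines (authentication, timeouts) are ignored.
HTTP_SERVER_RE = re.compile(r"^(no )?ip http (secure-)?server\s*$", re.M)
USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)\b", re.M)


def http_server_enabled(config: str) -> dict:
    """Report whether the plain and TLS web server features are enabled."""
    status = {"http": False, "https": False}
    for match in HTTP_SERVER_RE.finditer(config):
        negated, secure = match.group(1), match.group(2)
        status["https" if secure else "http"] = negated is None
    return status


def unexpected_privilege15_users(config: str, allowlist: set) -> list:
    """List local accounts with privilege 15 that are not on the allowlist."""
    return sorted(name for name, level in USERNAME_RE.findall(config)
                  if int(level) == 15 and name not in allowlist)


def audit(config: str, allowlist: set) -> dict:
    """Combine both checks into one finding dictionary for the device."""
    status = http_server_enabled(config)
    return {"http_exposed": status["http"] or status["https"],
            "suspicious_admins": unexpected_privilege15_users(config, allowlist)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {"netadmin"}))
```

Run it against the saved output of `show running-config` from each internet-facing device; any name in `suspicious_admins` or an `http_exposed` of `True` after the reboot is a finding to investigate.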

According to Cisco’s investigation, the threat actor gathers information about the device and performs initial reconnaissance. The attacker also deletes users and erases records, most likely to conceal their activity.

It is currently believed that there is only one threat group behind the attack, but the initial delivery mechanism could not be determined. Cisco has not disclosed additional details about the attack, but it has promised to reveal more information when the investigation is complete and a fix is widely available.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
