The Evolution of Zero-Day Attacks: Cisco Devices Continue to Be Prime Targets

Malware & Threats: Number of Cisco Devices Hacked via Zero-Day Remains High as Attackers Update Implant

Introduction

The number of Cisco devices hacked through the exploitation of two new zero-day vulnerabilities remains very high, even though recent scans appeared to show a significant drop after the attackers updated their implant. Unidentified hackers have been exploiting the Cisco IOS XE vulnerabilities tracked as CVE-2023-20198 and CVE-2023-20273 to create high-privileged accounts on affected devices and to deploy a Lua-based backdoor implant that gives them complete control of the system. While patches are now available for both vulnerabilities, the security community warns that many devices are likely still compromised, even if they did not show up in scans.

High Number of Hacked Devices

Shortly after Cisco disclosed the existence of the first flaw, the cybersecurity community started scanning the internet for compromised devices and quickly found that as many as 50,000 switches and routers had the malicious implant. However, a few days later, the scans showed that the number of hacked devices dropped to 100, with some speculating that the attackers were trying to hide the implant. The security community warned that many devices were likely still compromised, even if they did not show up during scans.

Updated Implant

Cisco and others have confirmed that the attackers have updated the implant, making it difficult to identify compromised devices using the initial scan method. However, NCC Group-owned security firm Fox-IT found a new fingerprinting method and identified nearly 38,000 Cisco devices still hosting the implant. Vulnerability intelligence firm VulnCheck has also confirmed that thousands of devices are still under the attackers’ control.

New Variant Hindering Identification

Cisco has confirmed uncovering a new variant that “hinders the identification of compromised systems”. This second version, deployed by the attackers on October 20, has similar core functionality to the previous version but adds a preliminary check for a specific HTTP authorization header. Cisco believes that the addition of this header check in the implant is a reactive measure to prevent the identification of compromised systems. It is likely that this change resulted in a recent sharp decline in the visibility of public-facing infected systems. Cisco has shared indicators of compromise (IoCs) and instructions for checking whether a device has been hacked.

Analysis and Editorial

This ongoing attack campaign targeting Cisco devices highlights the ever-evolving nature of cyber threats and the challenges organizations face in detecting and mitigating them. That the attackers quickly updated their implant to make compromised systems harder to identify demonstrates a sophisticated understanding of security vulnerabilities and the ability to adapt in real time.

Furthermore, the high number of initially compromised devices (50,000 switches and routers) and the ongoing presence of the implant on thousands of devices indicate the scale and severity of the attack. Organizations using Cisco devices should take this incident as a wake-up call to reassess their network security practices, patch vulnerabilities promptly, and implement robust monitoring systems to detect any signs of compromise.

Advice for Organizations

To protect against these types of attacks, organizations should follow these recommendations:

1. Patch Vulnerabilities:

Promptly apply security patches released by vendors such as Cisco. This mitigates the risks associated with known vulnerabilities and shortens the window in which attackers can exploit flaws that were zero-days when first disclosed.

2. Implement Network Segmentation:

Segmenting the network can limit the impact of a compromise. By separating critical systems from less sensitive ones, organizations can minimize the potential damage and make it harder for attackers to move laterally within the network.

3. Employ Network Monitoring and Intrusion Detection Systems:

Deploy comprehensive network monitoring and intrusion detection systems to detect any suspicious activities or indicators of compromise. This will allow organizations to identify potential breaches and respond promptly to mitigate the impact.

4. Conduct Regular Security Audits:

Regularly audit network devices for any signs of compromise or unauthorized access. This includes checking for the presence of unexpected accounts, unfamiliar configurations, or suspicious traffic patterns. It’s important to use reliable security tools and follow best practices to ensure thorough and accurate assessments.
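The audit step above can be made repeatable rather than a manual read of the running configuration. The following Python script is an added example written for this article; it is not code from Cisco, Fox-IT, or the article's author. It parses a constructed `show running-config` excerpt (not captured from any real device), reports every privilege-15 local account that is absent from an operator-maintained baseline (the `EXPECTED_ACCOUNTS` set is an assumption standing in for a configuration-management record), and reports whether the IOS XE web UI services (`ip http server` / `ip http secure-server`) are enabled. The web UI check reflects Cisco's own advisory for these two CVEs, which identifies the web UI feature as the affected component and recommends disabling it where it is not needed; that guidance comes from the advisory, not from this article. The account name `svc_unexpected` is a constructed placeholder, not a published indicator of compromise.

```python
from __future__ import annotations

import re

# Constructed sample of `show running-config` output for this example; not captured from
# any real device. "svc_unexpected" stands in for a high-privilege account the operator
# did not create. Secret hashes are placeholders.
SAMPLE_RUNNING_CONFIG = """\
version 17.3
hostname edge-router-01
!
username netadmin privilege 15 secret 9 $9$placeholder-hash
username backup-op secret 9 $9$placeholder-hash
username svc_unexpected privilege 15 secret 9 $9$placeholder-hash
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
end
"""

# Baseline of local accounts the operator expects on this device (an assumption for the
# example; in practice this comes from the organization's configuration-management record).
EXPECTED_ACCOUNTS = {"netadmin", "backup-op"}

# 'username <name> [privilege <n>] ...' ; the privilege clause is optional and defaults to 1.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)
# 'ip http server' / 'ip http secure-server', optionally negated with a leading 'no'.
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-server|server)\s*$", re.MULTILINE)


def parse_local_users(config: str) -> dict[str, int]:
    """Map each locally configured username to its privilege level (IOS default is 1)."""
    users: dict[str, int] = {}
    for match in USERNAME_RE.finditer(config):
        name, privilege = match.group(1), match.group(2)
        users[name] = int(privilege) if privilege else 1
    return users


def unexpected_privileged_users(config: str, expected: set[str]) -> list[str]:
    """Privilege-15 accounts that are not in the operator's baseline, sorted by name."""
    users = parse_local_users(config)
    return sorted(name for name, priv in users.items() if priv == 15 and name not in expected)


def http_server_state(config: str) -> dict[str, bool]:
    """Whether the HTTP and HTTPS web UI services are enabled; the last matching line wins."""
    state = {"ip http server": False, "ip http secure-server": False}
    for match in HTTP_RE.finditer(config):
        key = f"ip http {match.group(2)}"
        state[key] = match.group(1) is None  # a leading 'no ' means the service is disabled
    return state


def audit(config: str, expected: set[str]) -> list[str]:
    """Human-readable findings for an analyst to review; an empty list means nothing flagged."""
    findings: list[str] = []
    for name in unexpected_privileged_users(config, expected):
        findings.append(f"privilege-15 account not in baseline: {name}")
    for service, enabled in http_server_state(config).items():
        if enabled:
            findings.append(f"web UI service enabled: {service}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG, EXPECTED_ACCOUNTS):
        print(finding)
```

Run it against the text of `show running-config` collected from each device (for example, via the organization's existing configuration backup job) and compare the findings with the change-management record; an unexplained privilege-15 account is exactly the kind of unexpected account the audit step describes, and a web UI service that is enabled without a documented need is a candidate for disabling per the vendor advisory.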

Conclusion

The ongoing attack campaign targeting Cisco devices highlights the need for organizations to prioritize network security and take proactive measures to protect their infrastructure. By promptly patching vulnerabilities, implementing network segmentation, employing robust monitoring systems, and conducting regular security audits, organizations can reduce the risk of compromise and stay one step ahead of attackers. However, it’s important to remember that cybersecurity is a continuous process, and organizations need to remain vigilant and adaptive to the evolving threat landscape.
