0-Day In Cisco IOS XE Software Is Under Attack

Unidentified hackers are exploiting a previously unknown vulnerability which allows them to take full control of internet-exposed Cisco devices running the company’s IOS XE software.

Cisco revealed the zero-day bug, impacting the software’s Web User Interface (Web UI) feature, in an Oct. 16 Security Advisory and provided additional background and guidance in a Cisco Talos blog post.

The critical vulnerability, tracked as CVE-2023-20198, has the highest possible CVSS v3 severity rating of 10. It affects both physical and virtual devices running IOS XE when they are exposed to the internet and have the HTTP or HTTPS Server feature enabled. 

“Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access [the highest possible level], effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity,” the Cisco Talos post said.

The company said it “strongly recommends” customers disable the HTTP Server feature on all internet-facing systems and check for malicious activity in the form of unexplained or newly created users on its devices. A patch for the bug is not yet available.

The Cybersecurity and Infrastructure Security Agency (CISA) issued its own alert regarding the vulnerability and added it to the Known Exploited Vulnerabilities (KEV) Catalog, giving U.S. Federal Civilian Executive Branch government agencies until Oct. 20 to apply mitigations.

Exploit activity first seen a month ago

Cisco Talos said potentially malicious activity related to the vulnerability first emerged on Sept. 28 when a case was opened with Cisco’s Technical Assistance Center (TAC) that identified unusual behavior on a customer device.

“Upon further investigation, we observed what we have determined to be related activity as early as September 18,” Cisco Talos said in its post.

“The activity included an authorized user creating a local user account under the username ‘cisco_tac_admin’ from a suspicious IP address.”

On Oct. 12, TAC and Cisco Talos’ incident response team observed a second “cluster” of related activity including the creation of a local user account called “cisco_support” by an unauthorized user from a second suspicious IP address. Subsequent activity included the deployment of an implant consisting of a configuration file (“cisco_service.conf”).

The configuration file defined a new web server endpoint (URI path) used to interact with the implant, allowing the threat actor to execute arbitrary commands at the system or IOS level, Cisco Talos said.

“We assess that these clusters of activity were likely carried out by the same actor. Both clusters appeared close together, with the October activity appearing to build off the September activity,” Cisco Talos’ researchers wrote.

“The first cluster was possibly the actor’s initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant.”

Threat actors and network infrastructure bugs

Viakoo Labs vice president John Gallagher said the vulnerability appeared to be tied to another Cisco IOS and IOS XE vulnerability, CVE-2023-20109, which CISA added to the KEV Catalog on Oct. 10.

“Likely there are other vulnerabilities at play here as well, as creation of malicious accounts is often part of a larger strategy,” Gallagher said.

In April, Cisco said it was “deeply concerned” about a spike in attacks on network infrastructure attributed to state-sponsored espionage groups.

Last month U.S. and Japanese security and law enforcement agencies said China-linked threat actor BlackTech infiltrated the corporate networks of multinational businesses through a series of elaborate attacks that included modifying Cisco router firmware.

“Network devices have always been a highly sought after target by nation state actors who wish to engage in espionage activity and this [new IOS XE] vulnerability gives that class of an attacker the perfect tool to subtly start manipulating network traffic,” said Netenrich principal threat hunter John Bambenek.

READ MORE HERE