Article Details
Scrape Timestamp (UTC): 2023-10-24 06:38:36.346
Source: https://thehackernews.com/2023/10/backdoor-implant-on-hacked-cisco.html
Original Article Text
Click to Toggle View
Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection. The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set." The attacks entail fashioning CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) into an exploit chain that grants the threat actor the ability to gain access to the devices, create a privileged account, and ultimately deploy a Lua-based implant on the devices. The development comes as Cisco began rolling out security updates to address the issues, with more updates to come at an as-yet-undisclosed date. The exact identity of the threat actor behind the campaign is currently not known, although the number of affected devices is estimated to be in the thousands, based on data shared by VulnCheck and attack surface management company Censys. "The infections look like mass hacks," Mark Ellzey, Senior Security Researcher at Censys, told The Hacker News. "There may be a time when the hackers go through what they have and figure out if anything is worth anything." However, the number of compromised devices plummeted over the past few days, declining from roughly 40,000 to a few hundred, leading to speculations that there may have been some under-the-hood changes to hide its presence. The latest alterations to the implant discovered by Fox-IT explain the reason for the sudden and dramatic drop, as more than 37,000 devices have been observed to be still compromised with the implant. Cisco, for its part, has confirmed the behavioral change in its updated advisories, sharing a curl command that can be issued from a workstation to check for the presence of the implant on the devices - "If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present," Cisco noted.
Daily Brief Summary
Threat actors have upgraded a backdoor created by exploiting two zero-day flaws in Cisco devices, making it capable of evading previous fingerprinting detection methods.
The backdoor responds only if the correct Authorization HTTP header has been set, indicating a level of sophistication on the part of the hackers.
The exploit chain, which uses two vulnerabilities (CVE-2023-20198 and CVE-2023-20273), allows the threat actors to gain access to the devices, create a privileged account, and install a Lua-based implant.
While Cisco has started security updates, an estimated thousands of devices remain at risk, with more than 37,000 known to have been compromised.
A recent sudden drop in the number of compromised devices has been attributed to modifications that hide the backdoor's presence, rather than a reduction in attacks.
The identity of the threat actor involved is not yet known, with observed infections suggesting a large-scale, indiscriminate hacking operation.
Cisco has now detailed a detection method for the modified backdoor in its updated advisories.