Lucene search

K
thnThe Hacker NewsTHN:2FAA34DD1D4694A20A9DB2DBE196DFD2
HistoryOct 24, 2023 - 6:33 a.m.

Backdoor Implanted on Hacked Cisco Devices Modified to Evade Detection

2023-10-2406:33:00
The Hacker News
thehackernews.com
99
cisco devices
backdoor implant
zero-day flaws
threat actor
cve-2023-20198
cve-2023-20273
ios xe software
fingerprinting methods
security updates
compromised devices
vulnerabilities
mass hacks
behavioral change
authorization http header

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.915 High

EPSS

Percentile

98.9%

Hacked Cisco Devices

The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods.

“Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check,” NCC Group’s Fox-IT team said. “Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set.”

The attacks entail fashioning CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) into an exploit chain that grants the threat actor the ability to gain access to the devices, create a privileged account, and ultimately deploy a Lua-based implant on the devices.

Cybersecurity

The development comes as Cisco began rolling out security updates to address the issues, with more updates to come at an as-yet-undisclosed date.

The exact identity of the threat actor behind the campaign is currently not known, although the number of affected devices is estimated to be in the thousands, based on data shared by VulnCheck and attack surface management company Censys.

“The infections look like mass hacks,” Mark Ellzey, Senior Security Researcher at Censys, told The Hacker News. “There may be a time when the hackers go through what they have and figure out if anything is worth anything.”

However, the number of compromised devices plummeted over the past few days, declining from roughly 40,000 to a few hundred, leading to speculations that there may have been some under-the-hood changes to hide its presence.

The latest alterations to the implant discovered by Fox-IT explain the reason for the sudden and dramatic drop, as more than 37,000 devices have been observed to be still compromised with the implant.

Cybersecurity

Cisco, for its part, has confirmed the behavioral change in its updated advisories, sharing a curl command that can be issued from a workstation to check for the presence of the implant on the devices -

> curl -k -H “Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb” -X POST “https://systemip/webui/logoutconfirm.html?logon_hash=1

“If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present,” Cisco noted.

“The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems,” the company added. “This header check is primarily used to thwart compromise identification, [and] likely resulted in a recent sharp decline in visibility of public-facing infected systems.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.915 High

EPSS

Percentile

98.9%