
Cisco hackers likely taking steps to avoid identification

Cisco confirms that a drop in detections of devices compromised by two zero-days was likely the result of reactive measures taken by the threat actors to avoid discovery

Cisco has shed more light on speculation that has gathered around a sudden drop in the number of hosts known to have been infected with a malware implant delivered through two zero-day vulnerabilities in its IOS XE software platform.

Late last week, scans conducted by threat researchers found many tens of thousands of hosts had been compromised, but over the weekend these numbers fell dramatically.

This prompted much discussion in the security community as to whether the unnamed threat actor behind the intrusions was moving to cover their tracks in some way, or had somehow screwed up their operation.

In an update published on Monday 23 October, Cisco’s Talos research unit said it had now observed a second version of the malicious implant – deployed using the first version – which retains most of the same functionality but now includes a preliminary check for an HTTP authorisation header.

“The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems,” explained the Talos team.

“This header check is primarily used to thwart compromise identification using a previous version of the curl command provided by Talos. Based on the information assessed to date, we believe the addition of the header check in the implant likely resulted in a recent sharp decline in visibility of public-facing infected systems.

“We have updated the curl command listed under our guidance advisory to help enable identification of implant variants employing the HTTP header checks,” they added.

Cisco continues to recommend that IOS XE users immediately implement its previously published guidance, which still stands, and deploy the fixes outlined in its advisory, which became available on 22 October.

Meanwhile, the UK’s National Cyber Security Centre (NCSC) confirmed on 23 October that it was supporting a number of UK-based organisations known to have been affected, and was continuing to monitor the developing impact of the issues.

The NCSC is recommending following Cisco’s advice, paying particular attention to four priority actions:

  • Check for compromise using the detection methods and indicators of compromise (IoCs) from Cisco;
  • If affected (and UK-based), report this to the NCSC immediately;
  • Disable the HTTP server feature or restrict access to trusted networks on all internet-facing devices;
  • Upgrade to the latest version of Cisco IOS XE.
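The third NCSC action, disabling the HTTP server feature or restricting it to trusted networks, maps onto a short IOS XE configuration change. The following is an added illustration, not configuration from Cisco, the NCSC or this article; the ACL name WEBUI-TRUSTED and the 192.0.2.0/24 management subnet are placeholder values to be replaced with the organisation's own.

```cisco
! Exposed state: both web UI listeners enabled and reachable from anywhere.
! (Shown for contrast; do not leave this on an internet-facing device.)
ip http server
ip http secure-server

! Preferred mitigation: turn the web UI off entirely if it is not needed.
configure terminal
 no ip http server
 no ip http secure-server
end
write memory

! Alternative where the web UI must stay available: restrict it to a
! trusted management subnet. 192.0.2.0/24 is a placeholder (RFC 5737 range).
configure terminal
 ip access-list standard WEBUI-TRUSTED
  permit 192.0.2.0 0.0.0.255
  deny   any log
 exit
 ip http access-class ipv4 WEBUI-TRUSTED
end
write memory

! Verify the resulting state before moving on to the next device.
show running-config | include ip http
show ip access-lists WEBUI-TRUSTED
```

The `deny any log` entry makes blocked attempts visible in syslog, which helps with the first NCSC action (checking for compromise), since unexpected connection attempts to the web UI from untrusted sources are worth investigating. Neither change replaces the upgrade in the fourth action; it only removes the exposure while the fixed release is rolled out.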

Network devices becoming popular targets

Jamie Brummell, chief technology officer at managed security services provider (MSSP) Socura, said that the targeting of Cisco appliances by malicious actors reflected broader trends and themes in the threat landscape.

“The Cisco zero-day continues the theme of threat actors targeting network appliances as a substitute for end-user devices. They are being forced to find alternatives to computers, smartphones and other employee devices which increasingly have EDR/EPP agents deployed,” he said.

“Network appliances, once exploited, are largely unprotected and their system logs are rarely monitored. They are often publicly accessible and have privileged access to the internal network. Even worse – especially with a router – they can be used to intercept or redirect traffic.

“Targeting a major company, like Cisco, could give attackers access to tens of thousands of endpoints. Good practice is to ensure access is limited to trusted sources, but in this case the exploitable web interface is enabled by default,” he added.

Read more about the Cisco IOS XE attacks

  • Cisco warns customers using its IOS XE software of a newly discovered vulnerability that could enable a threat actor to take over their systems.
  • VulnCheck said its public scanning for CVE-2023-20198 revealed that 'thousands' of internet-facing Cisco IOS XE systems have been compromised with malicious implants.
  • Researchers have identified spiking numbers of victims of a recently disclosed Cisco zero-day, as users of the networking supplier’s IOS XE software are urged to take defensive measures.
  • Cisco releases updates to thwart exploitation of two flaws affecting users of its IOS XE software.
