Cisco has found a second actively exploited IOS XE zero-day vulnerability, with the company disclosing it just as the number of hacked devices appears to have dropped significantly.
The networking giant warned customers last week that threat actors have been exploiting a zero-day since at least mid-September. The critical flaw, tracked as CVE-2023-20198, affects the IOS XE web user interface (web UI) and can be exploited by remote, unauthenticated attackers to create high-privileged accounts on targeted Cisco devices.
After creating new accounts on devices and gaining root privileges on the system, the attackers have been observed delivering a Lua-based implant that enables them to execute arbitrary commands.
Cisco initially said the attackers exploited an older IOS XE command injection vulnerability tracked as CVE-2021-1435 to deploy the implant, but noted that it had also detected attacks on systems patched against this vulnerability, suggesting that another zero-day may be involved.
The company has now confirmed that a second zero-day has been exploited to deliver the implant. This new security hole is tracked as CVE-2023-20273.
“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access,” Cisco explained in its advisory. “The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system.”
CVE-2021-1435 is no longer believed to be involved in these attacks, Cisco said.
When it first disclosed the attacks, Cisco only provided mitigations, but the company has now released patches for both vulnerabilities. However, in addition to installing the patches, organizations will need to perform other steps to clean up their systems.
Various cybersecurity companies started scanning the internet for systems hacked as part of this campaign and at one point identified more than 40,000 compromised Cisco switches and routers, with some seeing as many as 53,000 devices.
The cybersecurity industry is now seeing a sharp drop in the number of infected devices, with the Shadowserver Foundation finding the backdoor on only 100 systems.
CERT Orange Cyberdefense believes the attackers may be trying to hide the implant and warned that there are still likely many hacked devices, even if they no longer show up in scans.
It’s worth noting that while the account created via the exploitation of CVE-2023-20198 is persistent, the implant is not, and it gets removed when the device is rebooted.
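Because the attacker-created privilege-15 account survives a reboot while the implant does not, the running configuration is the durable place to look. The following audit script is an added example and not code from Cisco or from the article: it parses a constructed `show running-config` excerpt, flags any privilege-15 local user that is not on a defender-maintained allow list (the allow list and the account names are assumptions), and reports whether the web UI is enabled via `ip http server` / `ip http secure-server`, the feature Cisco's mitigation guidance recommended disabling where it is not needed.

```python
import re
from dataclasses import dataclass

# Constructed `show running-config` excerpt for illustration only.
# "tmp_admin" is a made-up unexpected account, not an indicator from the article.
SAMPLE_RUNNING_CONFIG = """\
!
hostname EDGE-RTR-01
!
username netops privilege 15 secret 9 $9$placeholder1
username tmp_admin privilege 15 secret 9 $9$placeholder2
username helpdesk privilege 1 secret 9 $9$placeholder3
username readonly secret 9 $9$placeholder4
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
"""

# Matches "username <name> [privilege <n>] ..." lines in an IOS/IOS XE config.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


@dataclass
class Finding:
    severity: str
    message: str


def parse_local_users(config):
    """Return {username: privilege_level}; IOS defaults to level 1 when unset."""
    users = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            name, priv = m.group(1), m.group(2)
            users[name] = int(priv) if priv else 1
    return users


def web_ui_enabled(config):
    """Return the set of web UI listeners ('http', 'https') enabled in the config."""
    enabled = set()
    for line in config.splitlines():
        s = line.strip()
        if s == "ip http server":
            enabled.add("http")
        elif s == "ip http secure-server":
            enabled.add("https")
    return enabled


def audit(config, expected_admins):
    """Flag unexpected privilege-15 accounts and exposed web UI listeners.

    expected_admins: allow list of privilege-15 usernames the defender provisioned
    (an assumption of this example; maintain it from change records, not from the box).
    """
    findings = []
    for name, priv in sorted(parse_local_users(config).items()):
        if priv == 15 and name not in expected_admins:
            findings.append(Finding("high", f"unexpected privilege-15 local user: {name}"))
    remediation = {"http": "no ip http server", "https": "no ip http secure-server"}
    for proto in sorted(web_ui_enabled(config)):
        findings.append(Finding(
            "medium",
            f"web UI enabled over {proto}; if not required, apply '{remediation[proto]}'",
        ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RUNNING_CONFIG, expected_admins={"netops"}):
        print(f"[{f.severity}] {f.message}")
```

Run it against configs pulled by your normal config-backup tooling and diff the privilege-15 user set against the last known-good baseline; a new level-15 user that nobody can account for is the persistent artefact described above, and the device still needs the vendor patch and cleanup steps even after the account is removed.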
No information is available on who may be behind these attacks or what their goal may be.
The US cybersecurity agency CISA has released guidance for addressing CVE-2023-20198 and CVE-2023-20273. It has also added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, instructing federal agencies to immediately address them.