Three days after Cisco disclosed details of a dangerous zero-day in its IOS XE software, known compromises appear to be rising at a rapid rate, with thousands of victims, many of them high-profile telecoms companies, beginning to be identified.
CVE-2023-20198 enables a remote, unauthenticated attacker to set up an account on a vulnerable system with elevated privileges, which they can then use to take over the victim’s systems. Affected customers will all have enabled the web UI feature through the ip http server or ip http secure-server commands.
It was uncovered by Cisco’s teams while responding to tech support tickets, but not before an as-yet undisclosed threat actor or actors exploited it to deploy an implant enabling them to execute arbitrary commands at system or IOS level.
According to threat intelligence provided by Censys, a threat-hunting and exposure-management specialist, the number of infections spiked by over 7,000 in the space of 24 hours from 17 to 18 October, rising from 34,140 to 41,983 compromised hosts out of a total of 67,445 it identified as using the vulnerable service.
Censys said the majority of these hosts are located in the US, with approximately 6,509 infections, followed by the Philippines, Mexico and Chile. There are also over 1,000 infected hosts apiece in India, Peru, Thailand, Brazil and Singapore. Contacted by Computer Weekly, Censys said its scans had identified 673 infections in the UK as of 18 October.
Others say the scale of the compromise may be even greater. Our sister title, TechTarget Security, cited Netlas.io, which said it had seen over 80,000 exposed and vulnerable hosts as of the morning of Tuesday 17 September.
Writing in a blog post on 17 September, VulnCheck’s Jacob Baines said: “Cisco buried the lede by not mentioning thousands of internet-facing IOS XE systems have been implanted. VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.”
All victims great and small
The Censys research team additionally shared data on the most impacted organisations, finding evidence that major communications services providers (CSPs) around the world, in particular Asia-Pacific and Latin America, are bearing the brunt of the problem. This may magnify the impact down the supply chain to their customers, they warned.
“What characteristics do most of these … systems share? They predominantly represent telecommunications companies offering internet services to both households and businesses,” said the Censys team.
“As a result, the primary targets of this vulnerability are not large corporations but smaller entities and individuals who are more susceptible.”
Meanwhile, the US Cybersecurity and Infrastructure Security Agency has added CVE-2023-20198 to its Known Exploited Vulnerabilities catalogue, obliging US federal bodies to take steps to mitigate its impact or discontinue usage of the affected software altogether by Friday 20 October.
Users have until 9 November to address a different, older vulnerability tracked as CVE-2021-1435, that is being chained to deliver the malicious implant.