The number of Cisco IOS XE devices hacked with a malicious backdoor implant has mysteriously plummeted from over 50,000 impacted devices to only a few hundred, with researchers unsure what is causing the sharp decline.
This week, Cisco warned that hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to hack over 50,000 Cisco IOS XE devices to create privileged user accounts and install a malicious LUA backdoor implant.
This LUA implant allows the threat actors to remotely execute commands at privilege level 15, the highest privilege level on the device.
However, the implant has no persistence mechanism, so a reboot removes the backdoor; any local user accounts created during the attack survive the reboot and remain on the device.
Since the news broke, cybersecurity firms and researchers have found roughly 60,000 of the 80,000 publicly exposed Cisco IOS XE devices to be breached with this implant.
Mysterious drop in detected Cisco implants
On Saturday, multiple cybersecurity organizations reported that the number of Cisco IOS XE devices with a malicious implant has mysteriously dropped from approximately 60,000 devices to only 100-1,200, depending on the different scans.
Onyphe Founder & CTO Patrice Auffret told BleepingComputer that he believes the threat actors behind the attacks are deploying an update to hide their presence, thus causing the implants to be no longer seen in scans.
“For the second day in a row, we see the number of implants has drastically dropped in a short time (see screenshots attached). Basically, they appear to have been practically all rebooted (as the known implant doesn’t survive a reboot) or have been updated.”
“We believe it is the action from the original threat actor which is trying to fix an issue that should not have been there from the beginning. The fact that the implant was so easy to detect remotely was a mistake from their side.
“They are probably deploying an update to hide their presence.”
Piotr Kijewski, the CEO of The Shadowserver Foundation, also told BleepingComputer that they have seen a sharp drop in implants since 10/21, with their scans only seeing 107 devices with the malicious implant.
“The implant appears to have been either removed or updated in some way,” Kijewski told BleepingComputer via email.
Another theory is that a grey-hat hacker is automating the reboot of impacted Cisco IOS XE devices to clear the implant. A similar campaign was seen in 2018 when a hacker claimed to have patched 100,000 MikroTik routers so they could not be abused for cryptojacking and DDoS campaigns.
However, Orange Cyberdefense CERT for the Orange Group told BleepingComputer that they do not believe that a grey-hat hacker is behind the decrease in implants but rather that this could be a new exploitation phase.
“Please note that a potential trace cleaning step is underway to hide the implant (following exploitation of #CVE-2023-20198),” tweeted Orange Cyberdefense CERT.
“Even if you have disabled your WebUI, we recommend that you carry out an investigation to make sure that no malicious users have been added and that its configuration has not been altered.”
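One way to act on that recommendation across a fleet is to review each device's saved running configuration for privilege-15 local accounts that are not on your approved list and to confirm whether the web UI (HTTP/HTTPS server) is still enabled. The following script is an added example written for this article; it is not code from BleepingComputer, Cisco or any of the researchers quoted, and it assumes you already have a text export of `show running-config` for each device. The config excerpt, the hostname and the usernames in it are constructed sample data.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a Cisco IOS XE running-config excerpt (not from a real device).
# It contains one approved administrator, one unexpected privilege-15 account
# and one low-privilege account, with the web UI still enabled.
SAMPLE_CONFIG = """\
hostname edge-router-01
!
username netadmin privilege 15 secret 9 $9$placeholderhash1
username tmpadmin privilege 15 secret 9 $9$placeholderhash2
username monitor secret 9 $9$placeholderhash3
!
ip http server
ip http secure-server
!
"""

# "username NAME [privilege N] ..." -- privilege defaults to 1 when omitted.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def parse_users(config: str) -> Dict[str, int]:
    """Return a mapping of local username -> privilege level from a running-config."""
    users: Dict[str, int] = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
    return users


def flag_unexpected_priv15(config: str, approved: Set[str]) -> List[str]:
    """Return privilege-15 accounts that are not in the approved set, for review."""
    return sorted(
        user for user, level in parse_users(config).items()
        if level == 15 and user not in approved
    )


def webui_enabled(config: str) -> bool:
    """True if the HTTP or HTTPS server (the web UI) is enabled in the config.

    Exact-line matching is used so that 'no ip http server' does not count as enabled.
    """
    lines = {line.strip() for line in config.splitlines()}
    return "ip http server" in lines or "ip http secure-server" in lines


def review(config: str, approved: Set[str]) -> Dict[str, object]:
    """Summarise the findings for one device's configuration."""
    return {
        "unexpected_priv15_users": flag_unexpected_priv15(config, approved),
        "webui_enabled": webui_enabled(config),
    }


if __name__ == "__main__":
    # In practice, load one exported config per device and a per-site approved list.
    print(review(SAMPLE_CONFIG, approved={"netadmin"}))
```

Any account the script flags should be checked against change records before it is removed, since a reboot alone does not clear accounts the attacker added. The web UI check is a useful second signal: a config that still has `ip http server` or `ip http secure-server` enabled remains reachable for the same exploitation path even after the implant itself is gone.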
Another possibility shared by security researcher Daniel Card is that the many devices breached with implants were simply a decoy to hide the real targets in attacks.
Unfortunately, all we have are theories at this time. Until Cisco or other researchers can examine a previously breached Cisco IOS XE device to see if they were simply rebooted or if new changes were made, there is no way to know what happened.
BleepingComputer has contacted Cisco with questions about the drop in implants but has not received a reply at this time.