Over 50K Cisco IOS XE Devices Hacked Exploiting Zero-day Flaw


Cisco IOS XE devices are widely used in networking and telecommunications because of their advanced feature set and reliability.

IOS XE provides a scalable, modular operating system that supports a broad range of routing and switching functions.

Its software design enables smooth integration of new technologies and services, making it a popular choice for enterprise and service provider networks.

Cisco has discovered active exploitation of a previously unknown vulnerability (CVE-2023-20198) in the Web UI of Cisco IOS XE software. It affects more than 50K physical and virtual devices that have the HTTP or HTTPS Server feature enabled and exposed to untrusted networks.





Attack Targeting Cisco IOS XE

Cisco researchers noted suspicious activity dating back to September 18; a case was opened on September 28 because of unusual behavior.

That activity consisted of the creation of a local user account, “cisco_tac_admin,” from a suspicious IP address (5.149.249[.]74). It ended on October 1, with no other associated actions observed at that time.

On October 12, Cisco Talos Incident Response (IR) and TAC identified a new cluster of unauthorized activity in which an intruder created a “cisco_support” user from another suspicious IP address (154.53.56[.]231).

Unlike the September activity, this cluster included deployment of an implant (“cisco_service.conf”) that allowed execution of system-level commands. In one case, however, the implant failed to activate.

CVE-2023-20198, which carries the maximum CVSS score of 10, grants the attacker full administrative access. The attacker then exploited a second vulnerability, CVE-2023-20273, to obtain root-level control and plant the implant. This secondary vulnerability has a CVSS score of 7.2.

Flaws Profile

  • CVE ID: CVE-2023-20198
  • CVSS Score: 10.0
  • Severity: Critical
  • Tracked By: CSCwh87343
  • Workarounds: No workarounds available

  • CVE ID: CVE-2023-20273
  • CVSS Score: 7.2
  • Severity: High
  • Tracked By: CSCwh87343
  • Workarounds: No workarounds available

After gaining access through CVE-2023-20198, the attackers use CVE-2023-20273 to inject commands with root privileges and write the implant.

The actor then carries out reconnaissance on the device and attempts to cover their tracks by clearing logs and removing users.

Researchers strongly link both clusters to a single actor: the removal of ‘cisco_tac_admin’ in October implies continuity from September.

The first cluster may have been a test, while the October activity marks an expansion, with the implant used for persistent access.

Recommendation

Organizations at risk should follow Cisco’s PSIRT advisory promptly, watch for unexplained or newly created users on their devices, and run the command Cisco provides, substituting ‘DEVICEIP’ with the device’s IP address, to check for the implant.

The command checks for the implant by sending a request to the device’s Web UI.

A hexadecimal string in the response indicates that the implant is present. However, it only reveals the compromise if the actor restarted the web server after installing the implant.

IOCs

IP addresses:

  • 5.149.249[.]74
  • 154.53.56[.]231
  • 154.53.63[.]93

Usernames: 

  • cisco_tac_admin
  • cisco_support
  • cisco_sys_manager
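The detection step recommended above, watching for unexplained local users, can be scripted against device output using the indicators listed here. The following Python is an added example and is not code from the article or from Cisco. It checks a `show running-config` excerpt for local accounts that match the IOC usernames or fall outside an operator-supplied allowlist, notes whether `ip http server` / `ip http secure-server` (the exposure condition described in the article) is configured, and scans syslog lines for the IOC IP addresses. The `EXPECTED_USERS` allowlist, the configuration excerpt and the log lines are constructed samples; the implant check itself is not reproduced because the article does not give the command.

```python
"""Scan Cisco IOS XE config and log excerpts for the indicators listed in this article.

Added example: the allowlist, configuration excerpt and log lines below are
constructed for illustration and are not taken from the article or from Cisco.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators published in the article (IPs written defanged, as the article prints them).
IOC_IPS = {"5.149.249[.]74", "154.53.56[.]231", "154.53.63[.]93"}
IOC_USERNAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}

# Hypothetical allowlist: the local accounts an operator expects on this device.
EXPECTED_USERS = {"netadmin", "noc-ro"}

USERNAME_RE = re.compile(r"^(username[ \t]+(\S+).*)$", re.MULTILINE)
HTTP_SERVER_RE = re.compile(r"^ip http (?:secure-)?server[ \t]*$", re.MULTILINE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 5.149.249[.]74 into its plain dotted form."""
    return indicator.replace("[.]", ".")


IOC_IPS_PLAIN = {refang(ip) for ip in IOC_IPS}


@dataclass(frozen=True)
class Finding:
    kind: str      # ioc_username, unexpected_user, web_ui_enabled or ioc_ip
    value: str     # the username, IP address or config keyword that triggered it
    evidence: str  # the exact configuration or log line


def check_running_config(config: str, expected_users=EXPECTED_USERS) -> List[Finding]:
    """Flag local accounts that are known IOCs or absent from the allowlist, plus Web UI exposure."""
    findings: List[Finding] = []
    for line, user in USERNAME_RE.findall(config):
        if user in IOC_USERNAMES:
            findings.append(Finding("ioc_username", user, line))
        elif user not in expected_users:
            findings.append(Finding("unexpected_user", user, line))
    for line in HTTP_SERVER_RE.findall(config):
        keyword = line.strip()
        findings.append(Finding("web_ui_enabled", keyword, keyword))
    return findings


def check_logs(lines: Iterable[str]) -> List[Finding]:
    """Flag log lines that mention an IOC IP address or an IOC username."""
    findings: List[Finding] = []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS_PLAIN:
                findings.append(Finding("ioc_ip", ip, line))
        for user in IOC_USERNAMES:
            if re.search(rf"\b{re.escape(user)}\b", line):
                findings.append(Finding("ioc_username", user, line))
    return findings


# Constructed sample: a running-config excerpt with one IOC account, one account
# missing from the allowlist, and the Web UI enabled.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-1
!
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_support privilege 15 secret 9 $9$REDACTED
username backup-ops privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""

# Constructed sample syslog lines; only the first one involves an IOC.
SAMPLE_LOG_LINES = [
    "Oct 12 14:02:11 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: cisco_support] [Source: 154.53.56.231] [localport: 443]",
    "Oct 12 14:05:40 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.5)",
    "Oct 12 14:09:03 edge-rtr-1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.20 started",
]


def scan_device(config: str = SAMPLE_RUNNING_CONFIG,
                log_lines: Iterable[str] = SAMPLE_LOG_LINES) -> List[Finding]:
    """Run both checks and return every finding."""
    return check_running_config(config) + check_logs(log_lines)


if __name__ == "__main__":
    for f in scan_device():
        print(f"[{f.kind}] {f.value}: {f.evidence}")
```

The allowlist is what makes the `unexpected_user` check useful: the IOC usernames are only the ones observed so far, so any local account that the operator did not create deserves the same scrutiny as a known indicator.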



