
Cisco patches critical IOS XE bug as infections mysteriously disappear

Cisco Systems has released fixes for a pair of zero-day vulnerabilities – one of them critical – that could impact tens of thousands of devices running the company’s IOS XE software.

The releases arrived at the end of a tumultuous week which began on Oct. 16 with the network vendor announcing it had discovered a maximum severity bug with a CVSS score of 10. The bug had been exploited since at least Sept. 28 to take full control of the Web User Interface (Web UI) in internet-exposed Cisco devices.

In the following days, security researchers discovered that tens of thousands of routers and switches had been compromised through what Cisco determined was an exploit chain involving two zero-day vulnerabilities.

Over the weekend, ahead of Sunday’s release of fixed software (available through the Cisco Software Download Center), researchers’ scans revealed the number of hacked devices had mysteriously dropped. This prompted speculation over what had caused thousands of devices to suddenly appear uninfected.

One zero-day becomes two

Cisco’s Oct. 16 advisory said the initially discovered maximum severity vulnerability, tracked as CVE-2023-20198, allowed attackers to create an account on the affected device with privilege level 15 access, the highest level possible.

“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access,” Cisco said in an update of the advisory published on Oct. 20.

A second vulnerability enabled the deployment of a Lua-based backdoor implant onto compromised devices.

“The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the [Lua] implant to the file system,” the advisory said.

The second vulnerability, tracked as CVE-2023-20273, was assigned a CVSS score of 7.2.

“The implant is not persistent – meaning a device reboot will remove it – but the newly created local user accounts remain active even after system reboots,” researchers from Cisco Talos said in a post.

“The new user accounts have level 15 privileges, meaning they have full administrator access to the device.”

The threat group responsible for exploiting the vulnerabilities has not been identified.
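Because the implant vanishes on reboot while the rogue privilege-15 accounts survive, the durable sign of compromise is an unexpected local administrator in the running configuration. As an added example (not code from the article, Cisco or Talos), the Python audit below scans a constructed `show running-config` excerpt for privilege-15 local users that are missing from a documented baseline and reports whether the HTTP server that exposes the Web UI is enabled; the sample config text, the usernames and the baseline list are all assumptions.

```python
import re

# Constructed sample of IOS XE "show running-config" output (not a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDERHASH
username webadmin privilege 15 secret 5 $1$PLACEHOLDERHASH
username readonly privilege 1 secret 9 $9$PLACEHOLDERHASH
!
ip http server
ip http secure-server
!
"""

# "username <name> [privilege <n>] ..." lines; privilege defaults to 1 if absent.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
# "ip http server" / "ip http secure-server" enable the Web UI listener.
# A "no ip http server" line does not match because it starts with "no".
HTTP_RE = re.compile(r"^ip http (?:secure-)?server\s*$", re.M)


def privileged_users(config):
    """Return the set of local usernames configured with privilege 15."""
    return {name for name, level in USER_RE.findall(config) if level == "15"}


def unexpected_admins(config, baseline):
    """Privilege-15 accounts not present in the documented baseline.

    These accounts persist across reboots, so this check still finds a
    compromised device after the non-persistent implant has disappeared.
    """
    return sorted(privileged_users(config) - set(baseline))


def webui_exposed(config):
    """True when the HTTP or HTTPS server behind the Web UI is enabled."""
    return HTTP_RE.search(config) is not None


def audit(config, baseline):
    """Summarise both findings for one device's configuration."""
    return {"unexpected_admins": unexpected_admins(config, baseline),
            "webui_enabled": webui_exposed(config)}


if __name__ == "__main__":
    # Assumed baseline: "netops" is the only sanctioned level-15 account.
    print(audit(SAMPLE_CONFIG, ["netops"]))
```

Feed the function the output of `show running-config` collected from each device and a per-device baseline; any name in `unexpected_admins` warrants investigation, and `webui_enabled` on an internet-facing interface is the exposure condition described in the advisory.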

Malware mysteriously disappears

Over the weekend, researchers scanning vulnerable Cisco devices noticed a significant drop in the number that appeared to be affected, compared to earlier in the week.

In a post on X (formerly Twitter), ONYPHE said its scanning found 1214 unique compromised IP addresses on Saturday, down from over 40,000 the previous day.

“We still have roughly the same number of reachable Cisco devices (~60k), but most of them do not show the Talos discovered implant remotely as before,” the post said.

While there are a number of possible explanations for the decline, CERT Orange Cyberdefense said on X that one possibility is “a potential trace cleaning step is underway [by the threat actor] to hide the implant”. Another is that a cybersecurity or law enforcement agency, Cisco, or another party rebooted the devices en masse to remove the implant. Similar operations have been conducted against threat groups previously: in August the FBI untethered 700,000 computers from the Qakbot botnet.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
