Rewterz Threat Update – CVE-2023-20198: Cisco IOS XE Zero-Day Exploit Infects 40,000 Devices

Severity

High

Analysis Summary

Over 40,000 Cisco devices that are running the IOS XE operating system have been infected after threat actors exploited a recently found critical vulnerability which is tracked as CVE-2023-20198.

There is still no patch or a workaround available yet, and the only recommendation for securing devices is by disabling the HTTP Server feature on all internet-facing systems. Devices that run Cisco IOS XE include industrial routers, enterprise switches, wireless controllers, access points, branch routers, and aggregation.

The initial estimate of infected devices using Cisco IOS XE was about 10,000, but the number grew rapidly when security analysists scanned the internet to find an accurate figure. Soon, it was found that the compromised devices exceeded over 30,000 without counting the rebooted systems.

Cisco provided indicators of compromise (IoCs) to find help with the research and find out about the successful exploitation of CVE-2023-20198 on an exposed device. This search led to the revelation of thousands of compromised devices in the United States, Chile, the Philippines, and Mexico.

– source

Researchers soon found on Wednesday that there were more than 34,500 Cisco IOS XE IP addresses having a malicious implant due to the exploitation of CVE-2023-20198. They also published a Python script that can scan for the presence of a malicious implant on a Cisco IOS XE network device. The number of compromised devices has now gotten up to 41,983.

Most of these devices, especially from the U.S., are from communication providers like Cox Communications, Comcast, Verizon, Google Fiber, and AT&T to name a few. Medical centers, school districts, universities, banks, hospitals, and government entities also have their Cisco IOS XE devices exposed online.

Cisco disclosed CVE-2023-20198 recently this Monday, but it has come to light that threat actors have been abusing it before 28^th September as a zero-day. Cisco has also updated its advisory to include new usernames and IP addresses.

One thing that researchers noted is that the threat actors use a malicious implant without any persistence and is removed after the device is rebooted. However, the new accounts it creates continue to be active with their level 15 privileges and full administrator access to the device.

Cisco’s analysts found out that the threat actor performs surveillance activity and collects details about the device. They also delete logs and remove users in an attempt to hide their activity. It is believed that these attacks are the work of a single threat actor, but the initial access method is unknown.

Impact

• Privilege Escalation
• Security Bypass
• Unauthorized Access

Remediation

• Refer to Cisco Security Advisory for patch, upgrade or suggested workaround information. 
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• It is important for organizations to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.