The threat actor who planted a backdoor on Cisco devices by exploiting two zero-day vulnerabilities in the IOS XE software has since modified the implant, making it harder to detect with the fingerprinting techniques used so far.
Examination of network traffic to a compromised device revealed that the threat actor updated the implant to include additional header validation. As a result, the implant remains active on many devices, but it now only responds if the correct Authorization HTTP header is set.
These attacks involve the use of CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) to create an exploit chain that allows the threat actor to access the devices, create privileged accounts, and deploy a Lua-based implant on the devices.
Cisco has initiated the release of security updates to address these issues, with further updates planned for an undisclosed date.
The identity of the threat actor responsible for this campaign remains unknown, but thousands of devices are estimated to be affected, based on data shared by VulnCheck and the attack surface management company Censys. The infections appear to be widespread, and experts suspect that the attackers may be assessing the value of the compromised data.
In recent days there was a sharp drop in the number of visibly compromised devices, from around 40,000 to just a few hundred, prompting speculation that the threat actor had modified the implant to disguise its presence.
The discovery of modifications to the implant by Fox-IT explains this sudden drop and shows that over 37,000 devices are still compromised.
Cisco has acknowledged the change in behavior and provided instructions for verifying the presence of the implant using a curl command.
“If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present,” Cisco noted.
The header validation added to the implant is seen as a defensive move by the attackers to evade detection of compromised systems, and it has sharply reduced the number of infected systems visible on the public internet.
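The check Cisco describes, wrapped as a small scanner that sends the authenticated request and turns the reply into a verdict. This is an added example, not Cisco's or Fox-IT's code; the request path and Authorization value are placeholders to be filled in from Cisco's advisory, and the POST method is assumed to match Cisco's published curl command.

```python
"""Authenticated implant check for Cisco IOS XE, as described in the text.
Added example, not Cisco's or Fox-IT's code. CHECK_PATH and AUTH_TOKEN are
placeholders to fill in from Cisco's advisory.
"""
import re
import ssl
import urllib.error
import urllib.request

CHECK_PATH = "/PLACEHOLDER-path-from-cisco-advisory"  # placeholder
AUTH_TOKEN = "PLACEHOLDER-authorization-value"        # placeholder

# The implant replies with a short hex string (the text quotes "0123456789abcdef01").
HEX_REPLY = re.compile(r"[0-9a-fA-F]{8,64}")


def classify_response(status, body):
    """Map an HTTP status and body to a verdict string."""
    text = body.strip()
    if status == 200 and HEX_REPLY.fullmatch(text):
        return "implant-present"      # implant answered the authenticated probe
    return "no-implant-response"      # device answered, but not like the implant


def check_device(host, token=AUTH_TOKEN, timeout=5):
    """Send the authenticated POST (assumed, as in Cisco's published check) and classify."""
    # Certificate checks are off: IOS XE web UIs usually present self-signed certs.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}{CHECK_PATH}",
        data=b"",
        headers={"Authorization": token},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"          # no web UI, timeout, or connection refused


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(h, check_device(h))
```

An "unreachable" verdict only means the HTTPS web UI did not answer; it says nothing about whether the device is clean.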