Calenderweek 42 – WafdogBlog
Feed last updated: Fri, 29 Mar 2024 12:37:40 +0000

Unpatched Cisco zero-day vulnerability actively attacked
Tue, 07 Nov 2023 15:34:30 +0000
Cisco has issued a serious warning about a critical security vulnerability in its IOS XE software that is unpatched and actively being exploited in the wild. The zero-day, tracked as CVE-2023-20198, carries the maximum CVSS score of 10.0. It only affects enterprise network equipment on which the Web UI feature is enabled and exposed to the internet or to untrusted networks.

According to Cisco’s Monday advisory, the vulnerability allows remote, unauthenticated attackers to create an account on a vulnerable system with full access at privilege level 15, and then to use that account to take control of the device. Both physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled are affected. As a precaution, Cisco strongly recommends disabling the HTTP server feature on systems exposed to the internet.

Cisco first noticed the problem when suspicious activity was observed on an unspecified customer’s device on September 18, 2023. In that incident, an authorized user created a local user account named “cisco_tac_admin” from an unusual IP address. This abnormal activity ceased on October 1, 2023. On October 12, 2023, a second cluster of related activity was detected: an unauthorized user created a local user account named “cisco_support” from a different IP address, followed by a series of actions that led to the deployment of a Lua-based implant allowing the attacker to execute arbitrary commands at the system or IOS level.

Installing the implant involves exploiting CVE-2021-1435, a previously patched vulnerability in the web UI of Cisco IOS XE software, or an as yet unspecified mechanism on systems that are fully patched against CVE-2021-1435. Activating the implant requires a restart of the web server; in at least one observed instance the server was not restarted and the implant remained inactive. The backdoor, located at “/usr/binos/conf/nginx-conf/cisco_service.conf,” is not persistent and does not survive a device reboot. The rogue privileged accounts created during the compromise, however, remain active.
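The two conditions described above, the web UI being enabled and rogue privilege-15 accounts that outlive the implant, can be audited from a running-config. The following Python is an added example (not Cisco’s tooling or the blog’s own code) that runs over a constructed IOS XE config excerpt; the watchlist names come from the account names reported in the advisory, and the allowlist of legitimate admins is an assumption a defender supplies.

```python
"""Audit an IOS XE running-config excerpt for CVE-2023-20198 exposure signs:
web UI listeners enabled, and local privilege-15 accounts that are not on the
operator's allowlist. Added example; the config text below is CONSTRUCTED."""
import re

# Account names observed in the incident, as reported in the advisory text.
WATCHLIST = {"cisco_tac_admin", "cisco_support"}

# Constructed sample: one legitimate admin, one rogue account, web UI enabled.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed.hash.value
username cisco_tac_admin privilege 15 secret 9 $9$another.constructed.hash
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)


def audit_config(config: str, allowed_admins: set) -> dict:
    """Return web UI state, unexpected level-15 accounts and watchlist hits."""
    http_enabled = bool(re.search(r"^ip http server\s*$", config, re.M))
    https_enabled = bool(re.search(r"^ip http secure-server\s*$", config, re.M))
    unexpected, watchlist_hits = [], []
    for name, level in USERNAME_RE.findall(config):
        if int(level) == 15 and name not in allowed_admins:
            unexpected.append(name)
        if name in WATCHLIST:
            watchlist_hits.append(name)
    # Either listener being enabled means the web UI is reachable.
    return {
        "web_ui_enabled": http_enabled or https_enabled,
        "unexpected_priv15": unexpected,
        "watchlist_hits": watchlist_hits,
    }


def remediation_lines(findings: dict) -> list:
    """Config commands matching the advisory guidance for each finding."""
    cmds = []
    if findings["web_ui_enabled"]:
        cmds += ["no ip http server", "no ip http secure-server"]
    for name in findings["unexpected_priv15"]:
        cmds.append(f"no username {name}")
    return cmds
```

Run against a real device export, the unexpected_priv15 list is the part to review by hand, since the implant itself is gone after a reboot but these accounts are not.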

Although Cisco attributed both activity groups to the same threat actor, the exact origins of the attacker remain unclear. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning and added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog.

In April 2023, British and U.S. cybersecurity and intelligence agencies warned of state-sponsored campaigns targeting network infrastructure worldwide. Cisco emphasized that routers and switches are attractive targets for attackers seeking a low profile, access to critical intelligence capabilities, and a foothold in a network of their choosing.

Update: A recent report from VulnCheck shows that attackers have exploited CVE-2023-20198 to compromise and infect numerous Cisco IOS XE devices with malicious implants. VulnCheck has also released a scanner to detect the implant on affected devices. Security researcher Jacob Baines expressed concern about this situation, as privileged access to IOS XE likely gives attackers the ability to monitor network traffic, infiltrate protected networks, and execute various man-in-the-middle attacks.

Furthermore, the attack surface management company Censys has identified 41,983 devices showing signs of compromise and installation of the backdoor, with the majority of infections in the U.S., followed by several other countries. Cisco has issued a statement emphasizing its commitment to transparency and says it is working on a software fix. Customers are strongly urged to follow the recommendations in the security advisory, which Cisco will continue to update. Additional details can be found in the security advisory and the Talos blog.

D-Link confirms a data breach
Tue, 07 Nov 2023 15:32:31 +0000
D-Link, a Taiwanese manufacturer of networking devices, has admitted to a data breach in which, according to their own statements, “low-sensitive and semi-public information” was exposed.

The company clarified that this data did not originate from the cloud but likely came from an outdated D-View 6 system, which had reached the end of its lifecycle by no later than 2015. Originally, this data was used for registration purposes, and there is no evidence that it contained user IDs or financial information.

This revelation came more than two weeks after an unauthorized party claimed to have stolen the personal data of numerous government officials in Taiwan and the source code for D-Link’s D-View network management software. The claim was shared in a post published on BreachForums on October 1, 2023.

D-Link has enlisted the cybersecurity company Trend Micro to investigate the incident. The company pointed out several inaccuracies and exaggerations, emphasizing that the breach exposed about 700 “outdated and fragmented” records, as opposed to claims that millions of user records were accessed. D-Link suspects that recent login timestamps were deliberately manipulated to make the old data appear current.

The data breach was attributed to an employee who unwittingly fell victim to a phishing attack, although specific details of the attack were not disclosed. D-Link is taking measures to strengthen the security of its operations.

The company has also emphasized that its current active customers are not expected to be affected by this incident.

Hackers compromise USB devices used by government agencies
Tue, 07 Nov 2023 15:30:19 +0000
An ongoing cyber espionage campaign called TetrisPhantom is targeting government institutions in the Asia-Pacific (APAC) region. The attackers have covertly collected sensitive data from government organizations in APAC by abusing hardware-encrypted secure USB drives, which are typically used for secure data storage and transfer between computer systems. Kaspersky identified the campaign in its APT Trends report for the third quarter of 2023 and highlighted the potential for global expansion, since these secure USB drives are widely used by government institutions worldwide.

The sophistication of the campaign suggests the involvement of a nation-state actor, as the attacks were highly targeted and had a limited number of victims. The threat actor behind TetrisPhantom is highly skilled and creative and shows significant interest in espionage within secure government networks.

One of the key features of the campaign is the use of various malicious modules that execute commands, collect data from compromised machines, and can spread the infection to other systems using secure USB drives as vectors. These malicious components can also execute additional malicious files on the infected systems. The attackers employ advanced tools and techniques, including virtualization-based software obfuscation for malware components, self-replication through connected secure USB drives to penetrate air-gapped networks, and injecting code into a legitimate access management program on the USB drive, serving as a loader for malware on a new machine.

At the same time, a new and previously unknown advanced persistent threat (APT) actor, codenamed BadRory, has targeted government institutions, military contractors, universities, and hospitals in Russia. This actor uses spear-phishing emails with crafted Microsoft Office documents to initiate a multi-stage infection chain that ends with the installation of a new Trojan designed to exfiltrate files and execute arbitrary commands on the victim’s machine.

These APT campaigns have a broader geographical reach, with attackers targeting regions such as Europe, South America, the Middle East, and other parts of Asia. Various industries, including government, military, defense, gaming, software, entertainment, utilities, banking, and manufacturing, are affected. Cyber espionage remains a high priority for APT campaigns influenced by geopolitical factors. Therefore, it is crucial to understand the tactics, techniques, and procedures (TTPs) used by these threat actors and remain vigilant against future attacks.
