Cisco: Hackers targeting zero-day found in internet-exposed routers


Cisco warned on Monday that hackers are targeting a line of its software through a previously unknown vulnerability.

In addition to releasing an advisory about the issue, which is tracked as CVE-2023-20198, the company’s Talos security team published a report outlining how it discovered the critical vulnerability.

The vulnerability carries the highest possible CVSS severity score of 10, and Cisco said it would “grant an attacker full administrator privileges, allowing them to effectively take full control of the affected router and allowing possible subsequent unauthorized activity.”

CVE-2023-20198 was found in a feature of Cisco IOS XE software and affects both physical and virtual devices running the software. The feature, called Web UI, is meant to simplify deployment, manageability and user experience.

To address the issue, Cisco urged customers to disable the HTTP Server feature on all internet-facing systems and noted that the Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly issued the same advice for mitigating the risks associated with internet-exposed management interfaces. CISA released its own warning about the vulnerability on Monday.

There is no workaround to resolve the issue and no patch available yet.

Through the vulnerability, hackers are able to create an account on the affected device and gain full control of it.

The vulnerability was found during the resolution of multiple Cisco Technical Assistance Center support cases in which customers were hacked. The first case was discovered on September 28. After an investigation, Cisco researchers said they found activity related to the bug dating back to September 18.

Cisco Talos Incident Response teams saw activity related to the issue last Thursday and released the advisory on Monday. The company said it has dealt with a “very small number of cases out of our normal substantial daily case volume.”

“We assess that these clusters of activity were likely carried out by the same actor. Both clusters appeared close together, with the October activity appearing to build off the September activity,” they said.

“The first cluster was possibly the actor’s initial attempt at testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant.”

After exploiting the new vulnerability, the hackers turned to a two-year-old bug, CVE-2021-1435, which allowed them to install an implant on the affected device. They noted that even devices patched against the old vulnerability had implants installed “through an as of yet undetermined mechanism.”

Users of products with the software should be on the lookout for “unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat.”
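The two defensive checks the article gives, confirming that the HTTP server (Web UI) is disabled and looking for local accounts that should not be there, can be run mechanically against a saved running-config. The script below is an added example, not Cisco's or Talos's code; the config excerpt and the baseline user list are constructed, and the config line names `ip http server` and `ip http secure-server` are the standard IOS XE commands for the feature (from general knowledge, not quoted by the article).

```python
"""Audit an IOS XE running-config snapshot for the two indicators the
Cisco advisory points defenders at: Web UI (HTTP server) exposure and
local user accounts not present in a known-good baseline.

Added example; SAMPLE_CONFIG and BASELINE_USERS are constructed inputs.
"""
import re

# Constructed excerpt of `show running-config` output (not from the page).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 REDACTED
username svc_backup privilege 15 secret 9 REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Local accounts the operator expects to exist (constructed baseline).
BASELINE_USERS = {"netadmin"}

# Config lines that turn on the Web UI (assumed standard IOS XE commands).
HTTP_FEATURES = ("ip http server", "ip http secure-server")

USERNAME_RE = re.compile(r"^username\s+(\S+)", re.MULTILINE)


def http_server_state(config: str) -> dict:
    """Return {feature: enabled} for each HTTP server feature.

    A feature is on when its line appears as-is; an explicit `no <feature>`
    line means it is off.
    """
    state = {}
    for feature in HTTP_FEATURES:
        on = re.search(rf"^{re.escape(feature)}\s*$", config, re.MULTILINE) is not None
        off = re.search(rf"^no {re.escape(feature)}\s*$", config, re.MULTILINE) is not None
        state[feature] = on and not off
    return state


def configured_users(config: str) -> set:
    """Collect every local `username` entry in the config."""
    return set(USERNAME_RE.findall(config))


def unexpected_users(config: str, baseline: set) -> set:
    """Accounts present on the device but absent from the baseline."""
    return configured_users(config) - baseline


def findings(config: str, baseline: set) -> list:
    """Human-readable findings; empty list means nothing to report."""
    out = []
    for feature, enabled in http_server_state(config).items():
        if enabled:
            out.append(f"{feature} is enabled; on internet-facing devices apply: no {feature}")
    for user in sorted(unexpected_users(config, baseline)):
        out.append(f"local account not in baseline: {user}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_CONFIG, BASELINE_USERS):
        print(line)
```

Run it against a config pulled from each device (or from a config backup system) and keep the baseline per device; an account that appears between two snapshots is exactly the “unexplained or newly created user” the advisory describes.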

Several researchers, including Viakoo Labs Vice President John Gallagher, tied the vulnerability to another affecting the same software that was announced on October 2.

Gallagher explained that the vulnerability is a reminder that administrators “need detailed information on their systems in cases like this where there is no patch available.”

Mayuresh Dani, manager of threat research at Qualys, noted that Cisco did not provide a list of affected devices, meaning any switch, router or wireless LAN controller running IOS XE with the web user interface (UI) exposed to the internet is vulnerable.

“Based on my searches using Shodan, there are about 40,000 Cisco devices that have web UI exposed to the internet,” Dani said, reiterating Cisco’s advice that users should make sure devices are not exposed to the internet or disable the web UI component on these devices.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
