Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection

7 months ago AndyC

Oct 24, 2023NewsroomCyber Threat / Vulnerability

The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods

Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection

Oct 24, 2023NewsroomCyber Threat / Vulnerability

Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection

The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods.

“Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check,” NCC Group’s Fox-IT team said. “Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set.”

The attacks entail fashioning CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) into an exploit chain that grants the threat actor the ability to gain access to the devices, create a privileged account, and ultimately deploy a Lua-based implant on the devices.

Cybersecurity

The development comes as Cisco began rolling out security updates to address the issues, with more updates to come at an as-yet-undisclosed date.

The exact identity of the threat actor behind the campaign is currently not known, although the number of affected devices is estimated to be in the thousands, based on data shared by VulnCheck and attack surface management company Censys.

“The infections look like mass hacks,” Mark Ellzey, Senior Security Researcher at Censys, told The Hacker News. “There may be a time when the hackers go through what they have and figure out if anything is worth anything.”

However, the number of compromised devices plummeted over the past few days, declining from roughly 40,000 to a few hundred, leading to speculations that there may have been some under-the-hood changes to hide its presence.

The latest alterations to the implant discovered by Fox-IT explain the reason for the sudden and dramatic drop, as more than 37,000 devices have been observed to be still compromised with the implant.

Cybersecurity

Cisco, for its part, has confirmed the behavioral change in its updated advisories, sharing a curl command that can be issued from a workstation to check for the presence of the implant on the devices –

curl -k -H “Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb” -X POST “https://systemip/webui/logoutconfirm.html?logon_hash=1”

“If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present,” Cisco noted.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

24 mins ago AndyC
Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

24 mins ago AndyC
Cyber Criminals Exploit GitHub and FileZilla to Deliver Cocktail Malware

Cyber Criminals Exploit GitHub and FileZilla to Deliver Cocktail Malware

24 mins ago AndyC
Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

Latrodectus Malware Loader Emerges as IcedID’s Successor in Phishing Campaigns

6 hours ago AndyC
Chinese Nationals Arrested for Laundering Million in Pig Butchering Crypto Scam

Chinese Nationals Arrested for Laundering $73 Million in Pig Butchering Crypto Scam

1 day ago AndyC
Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

1 day ago AndyC

You may have missed

Strengthen Your Security Operations: MITRE ATT&CK Mapping in Cisco XDR

14 mins ago AndyC
Two students uncovered a flaw that allows to use laundry machines for free

Two students uncovered a flaw that allows to use laundry machines for free

19 mins ago AndyC

IBM Sells Cybersecurity Group – Schneier on Security

19 mins ago AndyC
Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

24 mins ago AndyC
Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

24 mins ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.