Rewterz Threat Alert – Cisco Alerts About Actively Exploited Zero-Day Vulnerability in IOS XE Software – Active IOCs

Severity

High

Analysis Summary

A warning has been issued by Cisco about a new critically severe authentication bypass zero-day vulnerability in its IOS XE software which is actively being exploited and allows unauthenticated users to gain full administrator privileges which attackers can use to take full remote control of infected switches and routers.

The flaw is tracked as CVE-2023-20198 and is still waiting for a patch to be released. It only affects devices that are running with the Web User Interface feature enabled while also having the HTTP or HTTPS Server feature turned on.

The researchers said, “Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.”

When the vulnerability is successfully exploited, it allows the malicious user to create an account on the target device with privilege level 15 access. This grants the attacker full control of the affected device and allows to perform possible unauthorized activity.

These attacks were discovered on 28^th September by Cisco’s researchers after they received reports of suspicious behavior on a customer’s device. Following further into the attacks, they identified related activity from 18^th September. This activity involved an authorized user creating a local user account using a suspicious IP address.

Another malicious activity linked to CVE-2023-20198 was discovered on 12^th October when a local user account called “cisco_support” was created from another suspicious IP address. The attackers had also deployed a malicious code to execute arbitrary commands at system or IOS levels.

The researchers suspect that all these activities were carried out by the same threat actor as both clusters happened close to each other. The first one seems to be the actor’s initial attempt or a code test, while the second cluster suggests that the actor was expanding their operation by including persistent access establishment with the deployment of the implant.

Cisco urges the admins to disable the HTTP server feature on internet-facing systems, which will help in blocking incoming attacks by removing the attack vector.

“After disabling the HTTP Server feature, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the HTTP Server feature is not unexpectedly enabled in the event of a system reload,” the researchers concluded.

If both the HTTP and HTTPS server are being used, then use both the “no ip http server” and “no ip http secure-server” commands to disable the HTTP Server feature. Keeping an eye out for recently created suspicious user accounts is recommended as it is a potential indicator of malicious activity.

A way to detect the presence of the malicious implant on an infected Cisco IOS XE device is by executing the following command, where the placeholder “DEVICEIP” is replaced by the IP address under investigation:

curl -k -X POST “https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1”

The researchers confirm that they are working to provide a software patch, in the meantime they highly recommend the customers to take action immediately by following the security advisory. 

Impact

• Privilege Escalation
• Security Bypass
• Unauthorized Access

Indicators of Compromise

IP

• 5.149.249.74
• 154.53.56.231

Affected Vender

Cisco

Affected Products

• Cisco IOS XE Software

Remediation

• Refer to Cisco Security Advisory for patch, upgrade or suggested workaround information. 
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• It is important for organizations to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.