Cisco fixes critical IOS XE bug but malware crew way ahead of them

Initial fall in infected devices indicates evolution, not extinction, of attack code

After a six-day wait, Cisco started rolling out a patch for a critical bug that miscreants had exploited to install implants in thousands of devices. Alas, the results so far have been mixed: the attackers got wise and adapted.

The flaw in the networking giant's IOS XE software, which allowed criminals to hijack thousands of Cisco switches and routers, first came to light last Monday. On Friday, Cisco said it hoped to have a fix ready on Sunday, ruining the weekend for many admins. 

The good news: Cisco kept its Sunday promise and made available the first fixed software release, 17.9.4a, with more updates to come at a still undisclosed date.

The bad news: also over the weekend, those who had been exploiting the vulnerabilities upgraded the implant to evade detection. New scanning methods show thousands of devices remain compromised.

On Monday, Cisco updated its security advisory to provide "enhanced guidance to detect the presence of the implant, after uncovering a new variant that hinders identification of compromised systems," a spokesperson told The Register.

This guidance, also updated in Cisco Talos' blog about the exploit, includes a curl command that can identify implant variants employing the attackers' new HTTP header checks.

As Cisco noted in its original update, there were actually two zero-days in the IOS XE software. Intruders first exploited CVE-2023-20198 to gain initial access to the devices and issue a privilege 15 command, creating a local user account with full administrative rights (privilege level 15 is the highest on IOS XE).

Next, they exploited CVE-2023-20273, a bug in the web UI feature that allowed the local user to elevate privileges to root, write the implant to the file system, and hijack the device.

The first fixed release, 17.9.4a, addresses both flaws, and updates for earlier versions will be made available, according to Cisco.

As of Thursday, 36,541 Cisco devices had been compromised, according to exposure management outfit Censys, more than 5,000 fewer than the day prior.

And then, as the weekend hit, the number of compromised devices plummeted to 1,200, according to attack surface management firm Onyphe, leaving security researchers scratching their heads as to what happened.

Security firm Fox-IT, part of the NCC Group, says it has an answer: the implant developers simply changed the code. "We have observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding," the analysts xeeted on Monday.

"This explains the much discussed plummet of identified compromised systems in recent days," it continued. "Using a different fingerprinting method, Fox-IT identifies 37,890 Cisco devices that remain compromised."

The firm also suggested companies that have had a Cisco IOS XE WebUI exposed to the internet perform a forensic triage, and released a scanning and detection tool on GitHub.
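The detection change described above, in Cisco's updated curl guidance and in Fox-IT's fingerprinting, comes down to one request sent twice: once without and once with the Authorization header the new implant variant insists on. The script below is an added example, not Cisco's, Talos's or Fox-IT's own tooling. The endpoint and the header value it uses are the ones published in Cisco Talos's updated detection guidance, not on this page; check them against the current advisory before relying on the script. It also assumes, as that guidance states, that an implanted device answers with a bare hexadecimal string; the hostnames and responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: probe an IOS XE web UI for the implant using both request forms,
# so a device whose implant was updated to require the header is still flagged.
# Endpoint and header value are reproduced from Cisco Talos's updated guidance;
# override the header with IMPLANT_AUTH_HEADER if the advisory changes it.

IMPLANT_AUTH_HEADER="${IMPLANT_AUTH_HEADER:-0ff4fbf0ecffa77ce8d3852a29263e263838e9bb}"
IMPLANT_PATH="/webui/logoutconfirm.html?logon_hash=1"

# classify_response STATUS BODY
# Prints "implanted", "negative" or "unreachable". The guidance says the implant
# replies with a hexadecimal string; the exact length is not stated, so any body
# made purely of 16+ hex digits is treated as a hit (assumption).
classify_response() {
    status="$1"
    body="$(printf '%s' "$2" | tr -d '\r\n')"
    case "$status" in
        000)
            echo unreachable   # curl could not connect, resolve, or finish TLS
            ;;
        200)
            if printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]{16,}$'; then
                echo implanted
            else
                echo negative  # ordinary HTML (or anything else) came back
            fi
            ;;
        *)
            echo negative
            ;;
    esac
}

# probe DEVICE MODE
# MODE "no-header" sends the original detection request; "with-header" adds the
# Authorization value the updated implant checks before responding.
probe() {
    device="$1"
    mode="$2"
    tmp="$(mktemp)"
    if [ "$mode" = "with-header" ]; then
        status="$(curl -k -s -o "$tmp" -w '%{http_code}' --max-time 10 \
            -H "Authorization: $IMPLANT_AUTH_HEADER" -X POST \
            "https://$device$IMPLANT_PATH")" || true
    else
        status="$(curl -k -s -o "$tmp" -w '%{http_code}' --max-time 10 \
            -X POST "https://$device$IMPLANT_PATH")" || true
    fi
    body="$(cat "$tmp")"
    rm -f "$tmp"
    classify_response "${status:-000}" "$body"
}

# check_device DEVICE
# Runs both probes and prints a one-line verdict; either positive counts.
check_device() {
    device="$1"
    old="$(probe "$device" no-header)"
    new="$(probe "$device" with-header)"
    if [ "$old" = implanted ] || [ "$new" = implanted ]; then
        printf '%s COMPROMISED (old-check=%s header-check=%s): start forensic triage\n' \
            "$device" "$old" "$new"
    else
        printf '%s no implant response (old-check=%s header-check=%s)\n' \
            "$device" "$old" "$new"
    fi
}

# Usage: ./ioxe-implant-check.sh 192.0.2.10 switch.example.net ...
# (hostnames are illustrative; the script only sends POSTs to the hosts you name)
if [ $# -gt 0 ]; then
    for d in "$@"; do
        check_device "$d"
    done
fi
```

Running the header-less request alone is exactly what produced the misleading drop to 1,200 devices; keep both probes, and treat a hex reply to either as grounds for the forensic triage Fox-IT recommends, since the variant can change again.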

VulnCheck chief technology officer Jacob Baines told The Register that his firm altered its scanner to use the Fox-IT method, "and we are seeing essentially what we saw last week: thousands of implanted devices."

Baines said he's "surprised" the attacker modified the implant instead of abandoning the campaign.

"Normally, when an attacker is caught, they go quiet and revisit the affected systems when the dust has settled," he said. "This attacker is attempting to maintain access to implants that dozens of security companies now know exist. To me, it seems like a game they can't win."

The updated implant appears to be "a short-term fix," Baines said, adding that it will either allow the criminals to "hold on to the systems for a few more days — and accomplish whatever goal — or just a stop-gap until they can insert a more stealthy implant." ®
