
Cisco's critical zero-day bug gets even worse – 'thousands' of IOS XE devices pwned

Good news: There's a free scanner to check your kit. Bad news: Still no fix


Remember that critical zero-day bug Cisco disclosed yesterday? Well, it gets worse.

It now appears "thousands" of the networking giant's switches and routers have already been compromised by criminals who exploited the authentication bypass flaw and installed implants. This, according to security shop VulnCheck chief technology officer Jacob Baines, who on Tuesday said his team "scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts."

Cisco did not respond to inquiries from The Register about the VulnCheck report. We will update this story if and when we get a reply.

The still-unpatched security flaw is tracked as CVE-2023-20198. As the vendor disclosed on Monday, exploiting the bug, which carries a maximum CVSS score of 10, grants privilege level 15 access – aka complete system control.

And according to Baines, miscreants are likely using this access to "monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks." In Baines' words "this is a bad situation."

When asked about the attacks, he told The Register "it doesn't appear to be localized. The IPs geolocate to a wide number of countries all over the globe."

From what VulnCheck can tell from the hostnames of affected systems, the gang didn't target a specific organization or industry in these attacks. "It appears, to us, to be a smorgasbord of victims," Baines said.

It's also "surprising," he said, that the attacker installed so many implants. 

And yes, at least as of now, that's attacker – singular. Talos, Cisco's threat intel and incident response team, has said the exploits were likely carried out by one criminal group rather than multiple attackers. 

"The implant isn't some off-the-shelf tool, it's customized to IOS XE," Baines told us. "The fact that the attacker was able to develop the implant, and install it far and wide (using a zero day no less) speaks of a very sophisticated actor doing work at scale, which is more of a surprise to me. 

"We often think of advanced attackers doing more pinpoint attacks, and more the widespread stuff like the botnets/crypto of the world," he continued. "But not this time."

VulnCheck also released the scanner it used to find implanted systems on the internet. So if your organization uses an IOS XE system, we'd recommend checking as soon as possible.

Cisco hasn't yet issued a patch for the vulnerability, but recommends that anyone using the HTTP Server feature immediately disable it on all internet-facing systems. The vendor also provided instructions on how to do this in its Monday security advisory.

According to Talos, the attackers have likely been on some organizations' networks as far back as September 18, with a second "cluster" of activity detected on October 12.

The implant, which is based on the Lua programming language, consists of 29 lines of code and sends a specific HTTP POST request to the device. This returns an 18-character hexadecimal string that is hardcoded into the implant. 

This acts as authentication required for the attackers to execute IOX commands at the highest privilege level. ®
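Two things a network team can check right now follow from the story above: whether a device still exposes the web UI that Cisco says to switch off, and whether a response body matches the implant indicator Talos describes. The script below is an added example, not VulnCheck's scanner or any Cisco code. It assumes the standard IOS XE global-config lines `ip http server` and `ip http secure-server` (the lines Cisco's advisory tells you to negate), and the running-config excerpt is constructed for the example. Because the article does not give the POST request path, the indicator check only classifies a response body you have already captured; the endpoint itself is left out.

```python
import re

# Constructed sample of an IOS XE running-config excerpt; not taken from the
# article or from any real device.
SAMPLE_RUNNING_CONFIG = """\
version 17.3
hostname edge-router-1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
!
end
"""

# The web UI is enabled by either of these global-config lines. Cisco's
# mitigation is to negate them ("no ip http server" / "no ip http secure-server").
HTTP_SERVICE_LINES = ("ip http server", "ip http secure-server")


def enabled_http_services(running_config: str) -> list[str]:
    """Return the HTTP server lines found at the top level of a running-config dump.

    A line that is already negated ("no ip http server") does not match, so a
    device that has applied the mitigation yields an empty list.
    """
    found = []
    for raw in running_config.splitlines():
        line = raw.strip()
        if line in HTTP_SERVICE_LINES:
            found.append(line)
    return found


def remediation_commands(enabled: list[str]) -> list[str]:
    """Build the global-config commands that disable each enabled HTTP service."""
    return [f"no {svc}" for svc in enabled]


# Talos describes the implant as answering a specific POST with an 18-character
# hexadecimal string. A response body that is exactly that is the indicator
# worth alerting on; a normal web UI page is HTML and will not match.
IMPLANT_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{18}$")


def looks_like_implant_token(response_body: str) -> bool:
    """True when a captured response body is exactly an 18-character hex string."""
    return bool(IMPLANT_TOKEN_RE.fullmatch(response_body.strip()))


if __name__ == "__main__":
    enabled = enabled_http_services(SAMPLE_RUNNING_CONFIG)
    print("HTTP services enabled:", enabled or "none")
    for cmd in remediation_commands(enabled):
        print("apply in config mode:", cmd)
    print("implant indicator:", looks_like_implant_token("0123456789abcdef01"))
```

Feed `enabled_http_services` the saved output of `show running-config` from each device; anything it returns is a device that still exposes the web UI and should have the listed `no ...` commands applied on internet-facing interfaces until a patch ships. Disabling the HTTP server stops new exploitation through that path but does not tell you whether an implant was already placed, which is why the indicator check is kept separate.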
