“Cisco buried the story.” Over 10,000 network devices backdoored through unpatched zero-day – Ars Technica

Cables run into a Cisco data switch. (Getty Images)

On Monday, Cisco reported that a critical zero-day vulnerability in devices running its IOS XE software was being exploited in the wild. Researchers described the infections as “activity clusters.”

On Tuesday, researchers at security firm VulnCheck said that at last count, this cluster included more than 10,000 switches, routers and other Cisco devices. According to VulnCheck, they were all infected by an implant that allows the threat actor to remotely execute commands in the deepest regions of the hacked devices, at the system or IOS level.

“Cisco buried the story by failing to mention that thousands of internet-connected IOS XE systems have been implanted,” wrote Jacob Baines, CTO of VulnCheck. “VulnCheck has … Cisco IOS Internet-facing web interfaces … in-the-middle attacks.”

In an email, a VulnCheck representative said the company has “fingerprinted approximately 10,000 implanted systems, but we have only scanned approximately half of the devices listed on Shodan/Censys.” The number will likely increase as scanning continues.

Although Cisco has not yet released a software patch, the company is urging customers to protect their devices. This means implementing a stopgap measure that prevents vulnerable devices from being exploited, and running a variety of checks to determine whether devices have already been backdoored.

“Cisco is committed to transparency,” a company representative wrote in an email Tuesday. “When critical security issues arise, we treat them as a top priority so that our customers understand the issues and know how to resolve them and take action as described in the security advisory.”

The previously unknown vulnerability, tracked as CVE-2023-20198, carries the maximum severity rating of 10. It resides in the web UI of the Cisco IOS XE software when that interface is exposed to the Internet or to untrusted networks. Any switch, router, or wireless controller running IOS XE with the web UI exposed is affected. On Monday, the search engine Shodan showed that up to 80,000 internet-connected devices could be affected.

“Successful exploitation of this vulnerability allows an attacker to create an account with access permission level 15 on the affected device, effectively granting them full control of the compromised device and possible subsequent unauthorized activity,” wrote members of Cisco’s Talos security team on Monday. “This is a critical vulnerability and we strongly recommend that affected organizations immediately implement the steps outlined in Cisco’s PSIRT advisory.”

According to Cisco, the unknown threat actor has been exploiting the zero-day vulnerability since at least September 18. After exploiting the vulnerability to become an authorized user, the attacker creates a local user account. In most cases, the threat actor then deploys an implant that allows them to execute malicious commands at the system or IOS level once the web server is restarted. The implant does not survive a reboot, but the local user accounts remain active.

Monday’s report continued that after gaining access to a vulnerable device, the threat actor exploited a moderate-severity vulnerability, CVE-2021-1435, that Cisco patched two years ago. Talos team members said they had also seen devices that were fully patched against the older vulnerability but nevertheless had the implant installed “via an as-yet-undetermined mechanism.”

The implant is saved at the file path “/usr/binos/conf/nginx-conf/cisco_service.conf”. It contains two variable strings consisting of hexadecimal characters. The advisory continued:

The implant is based on the Lua programming language and consists of 29 lines of code that allow the execution of arbitrary commands. The attacker must send an HTTP POST request to the device to invoke the following three functions (Figure 1):

  • The first function is determined by the “menu” parameter, which must be present and not empty. This returns a string of numbers surrounded by slashes, presumably representing the version or installation date of the implant.
  • The second function is specified by the “logon_hash” parameter, which must be set to “1”. This will return an 18-digit hexadecimal string that is hardcoded into the implant.
  • The third function is also determined by the logon_hash parameter, which checks whether the parameter matches a 40-character hexadecimal string hardcoded into the implant. A second parameter used here is “common_type”, which cannot be empty and whose value determines whether the code is executed at the system level or IOS level. If the code is executed at the system level, this parameter must be set to “Subsystem”, and if it is executed at the IOS level, the parameter must be “iox”. The IOX commands are executed at privilege level 15.
    Figure 1: Implant code (Cisco)

    In most cases where we have observed this implant being installed, both the 18-digit hexadecimal string in the second function and the 40-digit hexadecimal string in the third function are unique, although in some cases the strings were the same across different devices. This suggests that there is a way for the actor to calculate the value used in the third function from the value returned by the second function, so that it acts as a form of authentication required for the arbitrary command execution provided by the third function.

Talos team members urge administrators of all affected devices to immediately scan their networks for signs of compromise. The most effective method is to search for unexplained or newly created users on devices. One way to determine whether an implant has been installed is to run the following command against the device, where “DEVICEIP” is a placeholder for the IP address of the device being checked:

    curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

Administrator accounts created by the actor have been named cisco_tac_admin or cisco_support. The IP addresses Cisco has seen so far exploiting the zero-day are 5.149.249[.]74 and 154.53.56[.]231.

Additional notes from Cisco:

  • Check the system logs for the presence of any of the following log messages, where “user” could be “cisco_tac_admin”, “cisco_support”, or any configured local user unknown to the network administrator:

    %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
    %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

    Note: The %SYS-5-CONFIG_P message appears for every instance in which a user accesses the web UI. The indicator to look for is a new or unknown username in the message.

  • Check the system logs for the following message, where filename is an unknown filename that does not correlate with an expected file installation action:

    %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
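As an added example (not code from Cisco, Talos, VulnCheck or this article), the two checks above turned into triage helpers: one classifies the body returned by the logon_hash=1 probe, the other scans exported syslog lines for the three indicator messages and flags web UI activity by accounts that are either on the actor's known list or not in the administrator's list of expected users. The log lines, the username “netops” and the source address are constructed sample data.

```python
"""Defender-side triage helpers for the CVE-2023-20198 indicators (added example).
No network access is needed; the syslog lines below are constructed, not real."""
import re

# Account names the Talos post says the actor has created.
SUSPECT_USERS = {"cisco_tac_admin", "cisco_support"}

# The three IOS XE log messages Cisco lists as indicators; group 1 is the username.
LOG_PATTERNS = {
    "config_p": re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process "
                           r"SEP_webui_wsma_http from console as (\S+) on line"),
    "weblogin": re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\]"),
    "install": re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+), "
                          r"Install Operation: ADD (\S+)"),
}

def looks_like_implant_response(body: str) -> bool:
    """True if the logon_hash=1 probe answered with the implant's hardcoded value.
    The post describes an 18-digit hexadecimal string; a clean device returns an
    HTML page or an empty body, so anything that is not pure hex is treated as clean."""
    return re.fullmatch(r"[0-9a-fA-F]{18}", body.strip()) is not None

def scan_syslog(lines, known_users):
    """Return (kind, username, detail) tuples for web UI activity by accounts that
    are on the actor's known list or are absent from the expected-user set."""
    findings = []
    for line in lines:
        for kind, pattern in LOG_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            user = m.group(1)
            if user in SUSPECT_USERS or user not in known_users:
                detail = m.group(2) if kind == "install" else ""
                findings.append((kind, user, detail))
    return findings

# Constructed sample syslog export: one legitimate login, then actor activity.
SAMPLE_LOG = [
    "Oct 11 03:41:58 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netops on line 130",
    "Oct 11 03:42:13 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.10] at 03:42:13 UTC Wed Oct 11 2023",
    "Oct 11 03:42:40 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line 131",
    "Oct 11 03:43:05 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf",
]

if __name__ == "__main__":
    for finding in scan_syslog(SAMPLE_LOG, known_users={"netops"}):
        print(finding)
```

Feed `looks_like_implant_response` the response body of the curl check above; a match means the device should be treated as implanted regardless of what the logs show.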

VulnCheck has published its own scanner.

It should go without saying, however, that the HTTP and HTTPS server functionality should never be enabled on Internet-facing systems, consistent with long-established best practices. Cisco reiterated that guidance in Monday’s advisory.

This vulnerability is relatively easy to exploit and currently gives the attackers the ability to carry out all sorts of malicious actions against up to 10,000 infected networks. Anyone managing Cisco devices that have had the web UI exposed should assume their devices are compromised, read the Talos report and the PSIRT advisory carefully, and follow all recommendations as quickly as possible.

October 17, 2023, 2:50 pm Eastern: This article has been updated with new information about how many systems are infected.