Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198, which was leveraged as a zero-day to hack tens of thousands of devices. Cisco has released patches for most releases of its IOS XE software, but internet scans show that thousands of systems remain compromised.

Ai, a company providing security assessment services, has shared details on how an attacker can bypass authentication on Cisco IOS XE devices vulnerable to CVE-2023-20198. In a technical report today, the researchers show how hackers can exploit the maximum-severity security issue to create a new user with level 15 privileges, which provide complete control over the device.

Ai explains that an attacker can encode an HTTP request to the Web Services Management Agent service in iosd, a powerful binary in Cisco's IOS XE that can generate the configuration file for OpenResty, which is used by the webui service vulnerable to CVE-2023-20198. Testing their exploit code, the researchers were able to create a new user with administrative permissions that was visible in the device's management interface.

LeakIX, an intelligence platform for exposed online services, confirmed that the exploit, which Secuinfra also observed, could successfully hijack Cisco IOS XE devices. LeakIX's Cisco IOS XE honeypots were awoken by the threat actors, allowing researchers to see the commands executed on the devices.

Cisco updated its security bulletin for CVE-2023-20198 on October 30, announcing IOS XE updates that address the vulnerability. Threat actors started exploiting CVE-2023-20198 as a zero-day before Cisco disclosed it on October 16. Ten days after that, on October 25, the Censys threat-hunting platform found around 28,000 Cisco IOS XE hosts showing signs of compromise, spread all over the world. According to Censys' findings, many of the hacked devices belong to major telecommunications and internet providers offering country-wide services.
Initial estimates after Cisco disclosed that the vulnerability was being exploited in the wild counted around 10,000 devices running a malicious implant. By the end of the week, internet scans showed that the implant was present on about 60,000 Cisco IOS XE devices exposed on the public web. The number dropped suddenly shortly after, as many of the hacked devices became invisible when the threat actor altered the malicious code to check for an Authorization header before responding.
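As an added defensive illustration, not code from the article or from any vendor or researcher it names: a small Python check that flags unexpected privilege-15 accounts in a device's running configuration and syslog lines showing configuration applied programmatically through the web UI's WSMA process, which is the footprint the user-creation attack described above leaves behind. The sample config, log lines, allowlist and username are constructed, and the syslog message formats are assumed to follow IOS XE's usual `%FACILITY-SEV-MNEMONIC:` convention.

```python
import re

# Constructed sample data in the style of Cisco IOS XE output (not captured
# from any real device). Assumption: syslog messages follow the usual
# "%FACILITY-SEV-MNEMONIC:" format used by IOS XE.
RUNNING_CONFIG = """\
username netadmin privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
username webui_tmp privilege 15 secret 9 $9$placeholder
"""

SYSLOG = """\
Oct 17 03:12:44: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Oct 17 03:12:45: %WEBUI-6-INSTALL_OPERATION_INFO: User: webui_tmp, Install Operation: ADD tmp.bin
Oct 17 04:00:01: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0
"""

# Accounts expected to hold privilege 15 (assumed allowlist for this example).
KNOWN_ADMINS = {"netadmin"}

# "username <name> privilege <level> ..." lines from the running config.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)
# Programmatic config pushed via the web UI's WSMA process, or an install/file
# operation logged by the web UI: both match the behaviour described for
# CVE-2023-20198 exploitation (message formats assumed).
SUSPECT_RE = re.compile(
    r"%SYS-5-CONFIG_P:.*SEP_webui_wsma_http|%WEBUI-6-INSTALL_OPERATION_INFO"
)


def unexpected_level15_users(config: str, known_admins: set[str]) -> list[str]:
    """Return privilege-15 usernames in the config that are not allowlisted."""
    found = {name for name, level in USER_RE.findall(config) if int(level) == 15}
    return sorted(found - known_admins)


def suspicious_log_lines(syslog: str) -> list[str]:
    """Return syslog lines that indicate web UI driven configuration changes."""
    return [line for line in syslog.splitlines() if SUSPECT_RE.search(line)]


if __name__ == "__main__":
    for user in unexpected_level15_users(RUNNING_CONFIG, KNOWN_ADMINS):
        print(f"unexpected privilege 15 account: {user}")
    for line in suspicious_log_lines(SYSLOG):
        print(f"review: {line}")
```

Feed it the output of `show running-config | include username` and the device's syslog export; any hit should be checked against your change records, since the implant itself may have been altered to hide from scans while the added account remains.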
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000