The number of Cisco IOS XE devices hacked with a malicious backdoor implant has mysteriously plummeted from over 50,000 impacted devices to only a few hundred, with researchers unsure what is causing the sharp decline.

This week, Cisco warned that hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to hack over 50,000 Cisco IOS XE devices, create privileged user accounts, and install a malicious Lua backdoor implant. This Lua implant allows the threat actors to remotely execute commands at privilege level 15, the highest privilege level on the device.

Since the release of this news, cybersecurity firms and researchers have found roughly 60,000 of the 80,000 publicly exposed Cisco IOS XE devices to be breached with this implant.

On Saturday, multiple cybersecurity organizations reported that the number of Cisco IOS XE devices with a malicious implant has mysteriously dropped from approximately 60,000 devices to only 100-1,200, depending on the scan.

Onyphe Founder & CTO Patrice Auffret told BleepingComputer that he believes the threat actors behind the attacks are deploying an update to hide their presence, so that the implants are no longer seen in scans.

"For the second day in a row, we see the number of implants has drastically dropped in a short time. Basically, they appear to have been practically all rebooted or have been updated."

"We believe it is the action of the original threat actor, which is trying to fix an issue that should not have been there from the beginning. The fact that the implant was so easy to detect remotely was a mistake on their side."

Piotr Kijewski, the CEO of The Shadowserver Foundation, also told BleepingComputer that they have seen a sharp drop in implants since 10/21, with their scans only seeing 107 devices with the malicious implant.

"The implant appears to have been either removed or updated in some way," Kijewski told BleepingComputer via email.
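The article notes that the attackers created privileged user accounts in addition to dropping the implant. An implant that disappears from scans (whether rebooted away or hidden) says nothing about those accounts, which live in the device configuration. The following is an added example, not code from the article or from Cisco: it scans a constructed IOS XE running-config excerpt for local users at privilege level 15 and reports any that are not on an administrator-maintained allowlist. The sample config, the usernames and the allowlist are all constructed for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample of an IOS XE running-config excerpt (not captured from a real device).
# One approved admin, one unknown account at privilege 15, one low-privilege account.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$CONSTRUCTED_HASH_1
username svc_tmp_9 privilege 15 secret 9 $9$CONSTRUCTED_HASH_2
username monitor privilege 1 secret 9 $9$CONSTRUCTED_HASH_3
!
"""

# Accounts the organisation knows it created (constructed allowlist).
APPROVED_PRIV15 = {"netadmin"}

# Matches "username <name> privilege <n> ..." at the start of a config line.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def privileged_accounts(config: str) -> List[Tuple[str, int]]:
    """Return (username, privilege) for every local user line that sets an explicit privilege."""
    found: List[Tuple[str, int]] = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def unexpected_priv15(config: str, approved: Iterable[str] = APPROVED_PRIV15) -> List[str]:
    """Usernames configured at privilege 15 that are absent from the approved list, sorted."""
    allow = set(approved)
    return sorted(
        user for user, level in privileged_accounts(config) if level == 15 and user not in allow
    )


if __name__ == "__main__":
    for user in unexpected_priv15(SAMPLE_CONFIG):
        print(f"unapproved privilege-15 account: {user}")
```

In practice the config text would come from a `show running-config` capture collected over an out-of-band or authenticated management channel; the parsing and comparison logic stays the same. Any hit should be treated as a lead for incident response on that device, not just removed, since the account is evidence of who got in and when.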
Another theory is that a grey-hat hacker is automating the reboot of impacted Cisco IOS XE devices to clear the implant. Orange Cyberdefense CERT for the Orange Group told BleepingComputer that they do not believe a grey-hat hacker is behind the decrease in implants, but rather that this could be a new exploitation phase.

Another possibility, shared by security researcher Daniel Card, is that the many devices breached with implants were simply a decoy to hide the real targets of the attacks.

Until Cisco or other researchers can examine a previously breached Cisco IOS XE device to see whether it was simply rebooted or whether new changes were made, there is no way to know what happened.

BleepingComputer has contacted Cisco with questions about the drop in implants but has not received a reply at this time.

Related articles:
Cisco discloses new IOS XE zero-day exploited to deploy malware implant.
Over 10,000 Cisco devices hacked in IOS XE zero-day attacks.
Cisco warns of new IOS XE zero-day actively exploited in attacks.
Over 40,000 Cisco IOS XE devices infected with backdoor using zero-day.
Cisco urges admins to fix IOS software zero-day exploited in attacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000