The number of infected Cisco IOS XE devices has dropped sharply from over 50,000 to a few hundred after the hackers updated their malicious backdoor to evade detection. The hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to breach the devices and install a malicious Lua backdoor. This backdoor allows the hackers to execute commands remotely at the highest privilege level on the device. The backdoor itself does not persist across a reboot, but any user accounts created during the attack remain.
Cybersecurity firms and researchers initially detected the implant on approximately 60,000 of the 80,000 publicly exposed Cisco IOS XE devices. Subsequent scans by multiple cybersecurity organizations, however, reported a steep drop in the number of detected infections. Patrice Auffret, Founder & CTO of Onyphe, suggested that the hackers were deploying an update to conceal their presence.
Piotr Kijewski, the CEO of The Shadowserver Foundation, reported a similar sharp decrease in detected implants. Another theory suggests that a 'grey-hat' hacker might be automating the reboot of the infected devices to clear the implant, similar to a campaign in 2018. However, Orange Cyberdefense CERT for the Orange Group does not support this theory, suggesting instead that this could be a new exploitation phase.
Security researcher Daniel Card proposed that the numerous breached devices might be a diversion to hide the real targets. As of now, these are only theories explaining the reduced detections.
An update from cybersecurity firm Fox-IT revealed that the sudden drop in detections was caused by the hackers rolling out a new version of the backdoor. The new implant version checks for an Authorization HTTP header before responding, so the original detection probe, which sent no such header, no longer got an answer from infected devices. Cisco Talos confirmed this change in updated advisories. Once researchers started sending the new 'Authorization' header in their scans, the number of detected infections rose to 37,890.
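The following is an added example, not code from Cisco, Talos or Fox-IT, that shows in working Python why the updated implant vanished from the early scans and how a scanner covering both variants behaves. It assumes that an implanted device answers a POST to the path the public Talos check uses with a short hexadecimal string, and that the updated variant stays silent unless the request carries the expected Authorization header. AUTH_TOKEN is a placeholder and not the real header value; the names probe, classify, start_mock and the mock device are this example's own, and the mock's hex reply is constructed. Run it only against devices you are authorized to test.

```python
"""Added example: emulate both implant variants and the scan logic that
detects each. Not Cisco, Talos or Fox-IT code; see assumptions in comments.
"""
import http.server
import re
import ssl
import threading
import urllib.error
import urllib.request

# Path used by the public Talos check (assumption: implant answers a POST here).
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# Placeholder only: NOT the header value the updated implant really expects.
AUTH_TOKEN = "PLACEHOLDER-REPLACE-WITH-PUBLISHED-VALUE"
# Assumption: an implanted device replies with a bare hex string.
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def probe(base_url, auth=None, timeout=5):
    """POST the implant path once; return the body, or None on error/4xx."""
    req = urllib.request.Request(base_url + IMPLANT_PATH, data=b"", method="POST")
    if auth is not None:
        req.add_header("Authorization", auth)
    ctx = ssl.create_default_context()  # real devices use self-signed certs
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("ascii", errors="replace").strip()
    except (urllib.error.URLError, OSError):  # HTTPError is a URLError subclass
        return None


def classify(base_url):
    """Scan as the early scanners did, then retry with the header the update demands."""
    if HEX_RE.match(probe(base_url) or ""):
        return "implant (original variant)"
    if HEX_RE.match(probe(base_url, auth=AUTH_TOKEN) or ""):
        return "implant (updated variant)"
    return "no implant response"


class _MockDevice(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a device; self.server.mode selects the behaviour."""

    def do_POST(self):
        mode = self.server.mode
        if self.path != IMPLANT_PATH or mode == "clean":
            self.send_error(404)
            return
        if mode == "updated" and self.headers.get("Authorization") != AUTH_TOKEN:
            self.send_error(404)  # the change that emptied the scans
            return
        body = b"0123456789abcdef"  # constructed hex reply
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock(mode):
    """Start a mock device ('original', 'updated' or 'clean'); return (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _MockDevice)
    srv.mode = mode
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    for mode in ("original", "updated", "clean"):
        srv, url = start_mock(mode)
        print(mode, "->", classify(url))
        srv.shutdown()
        srv.server_close()
```

Against the "updated" mock, the first probe (no header) returns nothing, which is exactly what the early scanners saw after the implant was swapped; only the second probe, carrying the header, gets the hex reply. A scanner that still sends just the first request will report the device as clean, which is why the count fell to a few hundred and then rebounded once the header was added.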
There is speculation that US agencies such as the FBI and NSA may have intervened in certain cases to fix widespread problems, although this seems unlikely due to the international nature of the infections. Both agencies have been known to erase traces of their implants and exit networks after achieving their objectives.