Researchers from LeakIX, using the indicators of compromise (IoCs) released by Cisco Talos, identified approximately 30,000 Cisco IOS XE devices compromised through exploitation of CVE-2023-20198. Most of these compromised devices are located in the United States, the Philippines, Chile, and Mexico.
CERT Orange, using the same IoCs, found more than 34,500 compromised Cisco IOS XE devices. The count has fluctuated over time: Censys reported 36,541 compromised hosts on October 19th, down from 41,983 the previous day.
Cisco recently alerted its customers to active exploitation of a zero-day vulnerability, CVE-2023-20198, in its IOS XE Software. The vulnerability was discovered while resolving multiple Technical Assistance Center (TAC) support cases. It allows an unauthenticated, remote attacker to create an account with privilege level 15 (the highest IOS XE privilege level) on an affected system, giving full administrative control of the device.
The vulnerability affects devices that have the Web User Interface (Web UI) feature enabled, which is the case when the HTTP Server or HTTPS Server feature is in use. Cisco advised administrators to check system logs for specific log messages that indicate an unknown account being created or an implant being installed, and to disable the HTTP Server feature on systems exposed to the Internet or to untrusted networks.
The advisory also includes IoCs and recommends that, after disabling the HTTP Server feature, administrators save the running configuration to the startup configuration so that the feature is not unexpectedly re-enabled if the system reloads.
Researchers observed a large-scale hacking campaign exploiting the vulnerability against Cisco IOS XE routers and switches, and developed and released a scanner to find internet-exposed systems carrying the implant. Their post states that thousands of internet-facing IOS XE systems have been implanted. This is a grave situation, because privileged access to IOS XE allows attackers to monitor network traffic, pivot into protected networks, and conduct various man-in-the-middle attacks.
Organizations are urged to use the scanner to determine whether their IOS XE systems have been compromised. Cybersecurity firm GreyNoise has also identified malicious activity related to exploitation of CVE-2023-20198. Further details on the ongoing attacks are reported in Cisco Talos's continually updated advisory.
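The following is an added example, not code from Cisco, Talos, LeakIX, CERT Orange or the scanner's authors, that puts the three checks described above into one runnable script: it reads a running-config and reports whether the Web UI listeners (`ip http server`, `ip http secure-server`) are on and what commands turn them off, scans syslog text for the three log messages Cisco's advisory lists, and classifies the reply to the implant probe that Talos published (a POST to `/webui/logoutconfirm.html?logon_hash=1` answered with a bare hexadecimal string). The log message formats and the probe endpoint are assumptions taken from the Cisco and Talos write-ups, not from this article; the running-config, syslog lines, account names and IP addresses are constructed for the example.

```python
"""CVE-2023-20198 triage helpers. Added example, not vendor or researcher code.

Assumptions (from the Cisco advisory and Talos write-up, not from this page):
the three syslog formats in IOC_PATTERNS and the logoutconfirm.html probe.
All sample data below is constructed.
"""
import re
import ssl
import urllib.request

# ---- 1. Web UI exposure in a running-config (the mitigation the advisory gives)
HTTP_FEATURES = ("ip http server", "ip http secure-server")

# Constructed running-config: both Web UI listeners enabled.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
"""


def webui_exposure(running_config: str) -> dict:
    """Map each Web UI listener to True/False; 'no ip http ...' disables it."""
    state = {f: False for f in HTTP_FEATURES}
    for raw in running_config.splitlines():
        line = raw.strip()
        for feature in HTTP_FEATURES:
            if line == feature:
                state[feature] = True
            elif line == f"no {feature}":
                state[feature] = False
    return state


def remediation_commands(running_config: str) -> list:
    """Disable each enabled listener, then save so a reload keeps it off."""
    cmds = [f"no {f}" for f, on in webui_exposure(running_config).items() if on]
    if cmds:
        cmds.append("copy running-config startup-config")
    return cmds


# ---- 2. Syslog indicators from the Cisco advisory (assumed formats)
IOC_PATTERNS = {
    "programmatic_config_by_webui": re.compile(
        r"%SYS-5-CONFIG_P: Configured programmatically by process "
        r"SEP_webui_wsma_http from console as (?P<user>\S+) on line"),
    "webui_login": re.compile(
        r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
        r"\[Source: (?P<src>[^\]]+)\]"),
    "webui_install_operation": re.compile(
        r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
        r"Install Operation: ADD (?P<file>\S+)"),
}

# Constructed syslog excerpt; first line is benign, the rest match the IoCs.
SAMPLE_SYSLOG = """\
Oct 11 03:41:58.001: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (198.51.100.7)
Oct 11 03:42:10.118: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line 0
Oct 11 03:42:13.402: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.55] at 03:42:13 UTC Wed Oct 11 2023
Oct 11 03:43:01.777: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD webui_update.conf
"""

KNOWN_ACCOUNTS = frozenset({"netops"})  # local accounts the admin recognises


def find_iocs(syslog_text: str, known_accounts=KNOWN_ACCOUNTS) -> list:
    """Return (ioc_name, user, line) for matching lines with an unknown user."""
    hits = []
    for line in syslog_text.splitlines():
        for name, pat in IOC_PATTERNS.items():
            m = pat.search(line)
            if m and m.group("user") not in known_accounts:
                hits.append((name, m.group("user"), line))
    return hits


# ---- 3. Talos implant probe (assumed endpoint and response shape)
HEX_RESPONSE = re.compile(r"^[0-9a-fA-F]+$")


def implant_probe_url(host: str) -> str:
    return f"https://{host}/webui/logoutconfirm.html?logon_hash=1"


def response_indicates_implant(body: str) -> bool:
    """An implanted device answers the POST with a bare hex string."""
    return bool(HEX_RESPONSE.match(body.strip()))


def probe_device(host: str, timeout: float = 5.0) -> bool:
    """Live check (needs network; not run offline). Certificate verification is
    off because IOS XE Web UIs commonly present self-signed certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(implant_probe_url(host), data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return response_indicates_implant(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print("Web UI listeners:", webui_exposure(SAMPLE_RUNNING_CONFIG))
    print("Remediation:", remediation_commands(SAMPLE_RUNNING_CONFIG))
    for name, user, line in find_iocs(SAMPLE_SYSLOG):
        print(f"IoC {name} (user {user}): {line}")
    print("Implant-style reply?", response_indicates_implant("1a2b3c4d5e6f7a8b9c"))
```

Two caveats for anyone using this for real. Disabling the listeners removes the attack surface but does not remove an account or implant that is already present, so the syslog review (and a check of `show running-config` for unexpected privilege-15 users) still has to be done. And a negative probe result is not proof of a clean device: the probe only detects an implant that still answers in the form Talos described, and any change to the implant's response behaviour will make scan counts drop without any hosts having been cleaned.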