17 October 2023

Threat actors are actively exploiting unpatched Cisco zero-day bug

US networking giant Cisco has warned that hackers are targeting a previously unknown vulnerability (so-called zero-day) in its IOS XE software.

The zero-day flaw, tracked as CVE-2023-20198, resides in the web UI feature and can be exploited by a remote, unauthenticated attacker via a specially crafted HTTP request sent to the affected device. The attacker can then create an account with privilege level 15 access. The vulnerability affects all IOS XE versions.

“Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks,” the company said.

The vendor has yet to release a software patch to address the flaw. In the meantime, Cisco recommends that customers disable the HTTP Server feature on all internet-facing systems using the 'no ip http server' or 'no ip http secure-server' command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.

According to a report from Cisco’s Talos team, the first evidence of CVE-2023-20198 exploitation was observed in September 2023, when the researchers discovered a rogue local user account on a customer device.

“On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what we later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name ‘cisco_support’ from a second suspicious IP address (154.53.56[.]231),” the team said. “Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (‘cisco_service.conf’).”

The configuration file defined the new web server endpoint used to interact with the implant. That endpoint received the parameters that allowed the actor to execute arbitrary commands at the system level or IOS level.

“For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed,” Cisco noted.
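The two things a defender can check from a saved running-config are the ones the article names: whether the HTTP/HTTPS server is still enabled, and whether any privilege 15 local user exists that the organization did not provision (such as the "cisco_support" account Talos observed). The following is an added example, not Cisco's or the article's own tooling; the configuration fragment and the expected-admin list are constructed assumptions.

```python
import re

# Constructed sample running-config fragment (assumption, not from the article).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 5 $1$placeholder
username readonly privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Local admin accounts the organization actually provisioned (assumption).
EXPECTED_ADMINS = {"netops"}

# Matches "username <name> privilege <n> ..." lines in IOS configuration.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)")


def audit_config(config: str, expected_admins=EXPECTED_ADMINS) -> dict:
    """Report web UI exposure and unexpected privilege 15 users from a running-config."""
    http_enabled = False
    https_enabled = False
    unexpected_admins = []
    for raw in config.splitlines():
        line = raw.strip()
        # A disabled server shows up as "no ip http server", which does not match here.
        if line == "ip http server":
            http_enabled = True
        elif line == "ip http secure-server":
            https_enabled = True
        m = USERNAME_RE.match(line)
        if m and int(m.group(2)) == 15 and m.group(1) not in expected_admins:
            unexpected_admins.append(m.group(1))
    # Per the advisory, each enabled server needs its own "no" command.
    remediation = []
    if http_enabled:
        remediation.append("no ip http server")
    if https_enabled:
        remediation.append("no ip http secure-server")
    return {
        "web_ui_exposed": http_enabled or https_enabled,
        "unexpected_privilege15_users": unexpected_admins,
        "remediation_commands": remediation,
    }
```

This only inspects the configuration; an implant delivered as a file such as cisco_service.conf will not appear in the running-config, so a clean result here does not rule out compromise.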

At the beginning of October, Cisco issued security updates to fix a Cisco Emergency Responder (CER) backdoor (CVE-2023-20101) that lets attackers log into unpatched systems using hard-coded credentials.
