Backdoor planted on hacked Cisco IOS XE devices altered to evade detection

Over the weekend, reports emerged that the number of backdoored Cisco IOS XE devices, compromised via two recently disclosed zero-day vulnerabilities, had dropped from over 42,000 to mere hundreds. Some security researchers suggested that the implant had been removed or updated, or that many of the hacked devices were a ruse to hide the real targets.

NCC Group's Fox-IT team reported on Monday that they observed the backdoor on infected devices being modified to check for an Authorization HTTP header value before responding.

“Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check. Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set,” the company said, adding that using another fingerprinting method it identified 37,890 hacked Cisco devices.

Earlier this week, Cisco revealed that hackers exploited two zero-day vulnerabilities (CVE-2023-20198 and CVE-2023-20273) to breach Cisco IOS XE devices, create privileged user accounts and install a Lua-based backdoor.

Now, the company has updated its security advisory with a curl command, which includes an 'Authorization' header, for checking whether the implant is present on a device.

If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present, Cisco said.
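The practical consequence of the implant change is that a check sent without the Authorization header now misses the updated variant. The script below is an added example (not Cisco's or Fox-IT's code) that probes a device both ways and classifies the result; the request path, method and header value are placeholders to be filled in from Cisco's advisory, which this article does not reproduce.

```python
import re
import ssl
import urllib.error
import urllib.request
from typing import Optional

# Placeholders: take the real path, method and header value from Cisco's advisory.
CHECK_PATH = "/PLACEHOLDER-PATH-FROM-CISCO-ADVISORY"
CHECK_METHOD = "POST"  # assumption; confirm against the advisory
AUTH_HEADER_VALUE = "PLACEHOLDER-AUTHORIZATION-VALUE-FROM-CISCO-ADVISORY"

# The implant answers with a bare hexadecimal string (e.g. "0123456789abcdef01").
HEX_RESPONSE = re.compile(r"[0-9a-fA-F]{16,}")


def looks_like_implant_response(body: str) -> bool:
    """True if the response body is only a hex string, as Cisco describes."""
    return HEX_RESPONSE.fullmatch(body.strip()) is not None


def classify(without_header: Optional[str], with_header: Optional[str]) -> str:
    """Combine both probes: the original implant replied to any request,
    the updated one replies only when the Authorization header is present."""
    if without_header is not None and looks_like_implant_response(without_header):
        return "implant present (responds without Authorization header)"
    if with_header is not None and looks_like_implant_response(with_header):
        return "implant present (header-gated variant)"
    return "no implant response"


def fetch(host: str, headers: dict, timeout: float = 5.0) -> Optional[str]:
    """Send one probe over HTTPS; returns the body, or None on any error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # devices usually present self-signed certs
    req = urllib.request.Request(f"https://{host}{CHECK_PATH}",
                                 headers=headers, method=CHECK_METHOD)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def check_device(host: str) -> str:
    """Probe without and then with the header and return the verdict."""
    plain = fetch(host, {})
    gated = fetch(host, {"Authorization": AUTH_HEADER_VALUE})
    return classify(plain, gated)
```

Run it against a list of device addresses from an authorised vantage point; a device that reports "no implant response" still needs the privileged-account review Cisco recommends, since the probe only detects the web implant.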
