Cisco addresses zero-days.
N2K logoOct 23, 2023

A second zero-day is used to exploit IOS XE devices compromised through an earlier zero-day last week.

Cisco addresses zero-days.

Cisco has disclosed a new zero-day vulnerability (CVE-2023-20273) that was used to deploy malware on IOS XE devices compromised via CVE-2023-20198, another zero-day the company disclosed last week, BleepingComputer reports

An apparent decline in compromises hasn't been borne out.

Cisco said in an update on Friday that “[f]ixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22.” According to data from Censys, as of October 18th nearly 42,000 Cisco devices had been compromised by the backdoor, though that number seemed to be falling steadily. Indeed, according to BleepingComputer, over the weekend the number of compromised devices appeared to plummet, dropping two orders of magnitude to a few hundred.

That decline, however, was largely illusory. Researchers at Fox-IT found an explanation for the sharp decline: the implant "has been altered to check for an Authorization HTTP header value before responding." Fox-IT added that, "Using a different fingerprinting method, Fox-IT identifies 37890 Cisco devices that remain compromised."

CVE-2023-20198 rates the highest CVSS score.

Cisco stated, “The CVE-2023-20198 vulnerability received the highest Common Vulnerability Scoring System (CVSS) score (10/critical). Successful exploitation allows the attacker to gain access to the device with full administrator privileges. After compromising the device, we observed the adversary exploit a second vulnerability (CVE-2023-20273), which affects another component of the Web UI feature, to install the implant. This allows the attacker to run arbitrary commands with elevated (root) privileges, thereby effectively taking full control of the device. In this particular attack, the actor then used the ability to run arbitrary commands to write the implant to the file system. CVE-2023-20273 has a CVSS score of 7.2 (high).”

Industry expert recommends time-limiting access.

Paul Laudanski, Director of Security Research at Onapsis, considers the incident as an instance of coping with zero-days. "CISA, the FBI, and other organizations have recently published guidance on attacks and vulnerabilities in general, adhering to monitoring, detection, and vulnerability management," Laudanski wrote, in emailed comments. "Rather than just locking down access, organizations should take a step further ensuring there is a time constraint on that access. Organizations should introduce additional layers of defense while monitoring for static and dynamic access and behaviors. This includes lateral movement, privilege escalation, network access, web access, and tracking the source of origin in comparison to what is being accessed. It is also important to update your organization's threat intelligence and deploy against network monitoring, like DNS monitoring. This approach requires security practitioners who are well-versed in today's ever-evolving threat landscape and who are empowered with the tools and budget to protect their company assets."

Laudanski offered three steps an organization should take in response to a zero-day attack:

  • "Detection: Although IOS XE zero-day is a specific vulnerability making the press right now, the standard SOC-type activity includes monitoring and detecting abnormal activity and behavior. Organizations need to ensure they map out their threat landscape, internal and external, understand what endpoints are accessible externally, and ensure proper threat modeling has taken place. During this assessment, organizations can understand what to monitor and detect. Detection can use standard specific attack methods and machine learning models to pick up abnormalities. 
  • "Allowlist: Identify external endpoints and lock them down if they are restricted to admin or privileged access. For devices like this, limit any admin public access to trusted IP spaces. It is far easier to manage an allowlist than it is to manage a denylist. 
  • "Vulnerability management: Have a program in place not just to monitor for threats, but to actively pursue red teaming exercises on your organization's externally accessible assets, as well as understand what those assets are vulnerable to."