Unmasking the Implant: The Stealthy Surge of Compromised Cisco Devices.

The surge in compromised Cisco devices persists as anonymous hackers take advantage of a zero-day vulnerability in the wild. However, recent scans indicate a substantial decrease in the number of devices detected, implying that the attackers might be modifying their implant.

The vulnerabilities, tracked as CVE-2023-20198 and CVE-2023-20273, were found in Cisco IOS XE.


Image: Threat actors establish high-privilege accounts and install a Lua-based backdoor implant. Image source: Cisco


Threat actors who exploit this vulnerability establish high-privilege accounts on susceptible devices and install a Lua-based backdoor implant, granting them complete network access and control.

Notably, Cisco has issued security patches for these vulnerabilities.

After the initial vulnerability was detected, cybersecurity researchers conducted an internet scan and identified over 50,000 connected devices (routers and switches) with the malicious implant.

Yet, when researchers conducted another scan a few days later, they discovered that the number had drastically reduced to a mere 100. This indicates that threat actors are employing various strategies to conceal their activities. Despite this, cybersecurity researchers suspect that numerous devices remain compromised.


Cisco has confirmed that threat actors have devised new methods to conceal their implants, rendering them invisible to earlier scanning techniques.

The situation deteriorated when Fox-IT, a security firm owned by NCC Group, uncovered a new fingerprinting method that identified over 38,000 Cisco devices still harboring the implants.

VulnCheck, a threat intelligence firm, also verified on Twitter that thousands of Cisco devices are still under the control of threat actors.

Further information from Cisco shows that it has identified a new variant of the implant that prevents compromised systems from being detected. This variant, which has been in use since October 20, 2023, retains the same core functionality but adds a preliminary check for a specific HTTP authorization header.

Cisco elaborated:

 “The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems. This header check is primarily used to thwart compromise identification using a previous version of the curl command provided by Talos. Based on the information assessed to date, we believe the addition of header check in the implant likely resulted in a recent sharp decline in visibility of public-facing infected systems.”

Cisco has published a list of IoCs via TalosBlog and revealed that although the implant deployed by threat actors is not persistent and gets removed after device reboot, any high-privilege accounts created remain active.
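Because a reboot removes the implant but not the accounts, local accounts on an affected device need their own audit. The sketch below is an added example, not code from Cisco or the original article: it parses `username` lines from a saved running configuration and reports privilege-15 accounts that are missing from an allowlist. The account names, the allowlist and the sample configuration are constructed for illustration.

```python
import re

# Matches IOS / IOS XE local account lines, for example:
#   username netops privilege 15 secret 9 <hash>
USERNAME_RE = re.compile(r"^\s*username\s+(\S+)(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")
CRED_SPLIT_RE = re.compile(r"\s(?:secret|password)\s")
DEFAULT_PRIVILEGE = 1  # level IOS assigns when no "privilege" keyword is given


def local_accounts(config_text):
    """Return {username: highest privilege level seen} from a config dump."""
    accounts = {}
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        # Only look at options before the credential, so text inside a
        # password or hash can never be read as a privilege keyword.
        options = CRED_SPLIT_RE.split(rest, maxsplit=1)[0]
        priv = PRIV_RE.search(options)
        level = int(priv.group(1)) if priv else DEFAULT_PRIVILEGE
        accounts[name] = max(level, accounts.get(name, 0))
    return accounts


def unexpected_accounts(config_text, approved, min_privilege=15):
    """Accounts at or above min_privilege that are not on the approved list."""
    return sorted(
        (name, level)
        for name, level in local_accounts(config_text).items()
        if level >= min_privilege and name not in approved
    )


# Constructed sample, as saved from "show running-config | include ^username"
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 <redacted>
username monitor secret 9 <redacted>
username example_unknown_admin privilege 15 secret 9 <redacted>
"""
APPROVED = {"netops", "monitor"}  # hypothetical allowlist from your inventory

if __name__ == "__main__":
    for name, level in unexpected_accounts(SAMPLE_CONFIG, APPROVED):
        print(f"unapproved local account: {name} (privilege {level})")
```

Any account this reports should be checked against change records before removal, since the allowlist is only as accurate as the inventory behind it.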



