Unknown hackers are currently exploiting a newly uncovered zero-day vulnerability in Cisco IOS XE.
The flaw lets threat actors take full control of internet-connected devices and operate within a company's environment from there. Cisco disclosed this zero-day on October 16, publishing a Security Advisory and providing further information and guidance in a blog post.
The vulnerability, designated CVE-2023-20198 and carrying the maximum CVSS severity score of 10, is rated critical. It affects both physical and virtual devices that are connected to the internet, run IOS XE, and have the HTTP or HTTPS server feature enabled.
Cisco strongly urges its customers to disable the HTTP Server feature on all internet-exposed systems and to remain vigilant for signs of malicious activity, such as unexplained additions of user accounts. Importantly, no security patch is currently available for this vulnerability.
CISA ISSUES ALERT:
The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert about this zero-day vulnerability, incorporating it into the Known Exploited Vulnerabilities (KEV) Catalog. U.S. Federal Civilian Executive Branch government agencies are mandated to implement mitigations by October 20, 2023, as specified by CISA.
Cisco Talos identified potentially malicious activity associated with the vulnerability; it first surfaced on September 28 and was traced back to September 18 during an extensive investigation. The threat actor's activity involved the creation of a local user account from a suspicious IP address.
On October 12, another cluster of related activities was detected, involving the establishment of an additional local user account and the deployment of an implant via a configuration file, granting the threat actor the ability to execute arbitrary commands. Cisco Talos believes that these actions likely stem from the same actor, with the October incidents building upon the activities observed in September.
John Gallagher of Viakoo Labs connected this vulnerability to another Cisco IOS and IOS XE vulnerability, CVE-2023-20109, and suggested the potential involvement of other vulnerabilities. Cisco had previously expressed concerns about increased attacks on network infrastructure attributed to state-sponsored espionage groups. Recently, a Chinese-linked threat actor known as BlackTech infiltrated the networks of multinational businesses. John Bambenek of Netenrich noted that this new IOS XE vulnerability could be an ideal tool for such actors to subtly manipulate network traffic.
While Cisco has not released any security updates, users are strongly advised to follow the instructions of Cisco's security team and disable the HTTP and HTTPS server feature on internet-facing devices.
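As an added defender-side illustration (not code from the article, Cisco or Talos), the following Python script checks a saved `show running-config` for the two conditions Cisco's guidance calls out: an enabled HTTP/HTTPS server and local user accounts that are missing from a known baseline. The config excerpt, the account names and the baseline are constructed; `no ip http server` and `no ip http secure-server` are the standard IOS XE commands that turn the web server off.

```python
import re
from typing import Dict, List, Set

# Constructed `show running-config` excerpt for illustration; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""

# Local accounts the operations team knows about (assumed baseline, constructed).
KNOWN_ACCOUNTS: Set[str] = {"admin"}

# Cisco's interim mitigation: turn off the web UI server on exposed devices.
DISABLE_COMMANDS = {"http": "no ip http server", "https": "no ip http secure-server"}


def audit_config(config: str, known_accounts: Set[str]) -> Dict[str, object]:
    """Report whether the web server is enabled, which local accounts are not
    in the baseline, and which commands would apply Cisco's mitigation."""
    web = {"http": False, "https": False}
    accounts: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        # A later explicit "no ..." line overrides an earlier positive line.
        if line == "ip http server":
            web["http"] = True
        elif line == "no ip http server":
            web["http"] = False
        elif line == "ip http secure-server":
            web["https"] = True
        elif line == "no ip http secure-server":
            web["https"] = False
        m = re.match(r"^username (\S+)", line)
        if m:
            accounts.append(m.group(1))
    return {
        "http_enabled": web["http"],
        "https_enabled": web["https"],
        # Accounts absent from the baseline are the "unexplained additions" to review.
        "unknown_accounts": sorted(set(accounts) - known_accounts),
        "remediation": [cmd for svc, cmd in DISABLE_COMMANDS.items() if web[svc]],
    }
```

Run it over configs collected from every internet-facing IOS XE device; an empty `remediation` list with no unknown accounts is the state the advisory asks for.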
Please let us know your thoughts about this in the comment section.