The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods.
“Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check,” NCC Group’s Fox-IT team said. “Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set.”
The attacks entail fashioning CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) into an exploit chain that grants the threat actor the ability to gain access to the devices, create a privileged account, and ultimately deploy a Lua-based implant on the devices.
The development comes as Cisco began rolling out security updates to address the issues, with more updates to come at an as-yet-undisclosed date.
The exact identity of the threat actor behind the campaign is currently not known, although the number of affected devices is estimated to be in the thousands, based on data shared by VulnCheck and attack surface management company Censys.
“The infections look like mass hacks,” Mark Ellzey, Senior Security Researcher at Censys, told The Hacker News. “There may be a time when the hackers go through what they have and figure out if anything is worth anything.”
However, the number of compromised devices plummeted over the past few days, declining from roughly 40,000 to a few hundred, leading to speculations that there may have been some under-the-hood changes to hide its presence.
The latest alterations to the implant discovered by Fox-IT explain the reason for the sudden and dramatic drop, as more than 37,000 devices have been observed to be still compromised with the implant.
Cisco, for its part, has confirmed the behavioral change in its updated advisories, sharing a curl command that can be issued from a workstation to check for the presence of the implant on the devices –
curl -k -H “Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb” -X POST “https://systemip/webui/logoutconfirm.html?logon_hash=1”
“If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present,” Cisco noted.
“The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems,” the company added. “This header check is primarily used to thwart compromise identification, [and] likely resulted in a recent sharp decline in visibility of public-facing infected systems.”