
Cisco zero-day flaw may have been exploited more than 30,000 times – including in Australia

A recently announced flaw in Cisco’s IOS XE operating system is being rapidly taken advantage of, according to multiple security experts.

David Hollingworth
Thu, 19 Oct 2023

Cisco revealed the flaw earlier this week, on 16 October. It is a vulnerability in the IOS XE web user interface, which is used in “a significant number of devices”, according to researchers at Rapid7, and Cisco is currently working on a patch.

The company clearly needs to work at pace, too, because since then a number of researchers have sounded the alarm over widespread exploitation of the vulnerability, tracked as CVE-2023-20198, which allows an unauthenticated remote attacker to create a user account with the highest privilege level on the device.

“There appear to be a significant number of devices running IOS XE on the public internet as of October 17,” Rapid7’s Caitlin Condon wrote in a 17 October blog post. “Estimates of internet-exposed devices running IOS XE vary, but the attack surface area does appear to be relatively large; one estimate puts the exposed device population at 140K+.”


Jacob Baines, chief technical officer at VulnCheck, was similarly alarmed at the scope of the flaw.

“This is a bad situation,” Baines said in his own blog post on the same day, “as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.”

In an 18 October post on Twitter alternative Mastodon, a security researcher at LeakIX made a tentative count of actively compromised devices.

“Whatever you were thinking about CVE-2023-20198 it’s 100x worse,” the post said. “We used Talos Security IOC check and found ~30k implants.”

“That’s 30k devices infected (routers, switches, VPNs), under the control of threat actors.”

Of the compromised devices, most are in the US, which has over 4,600 under malicious control. The top 10 impacted countries include the Philippines and Chile; Australia ranks eighth, with 922 infected devices as of LeakIX’s check for indicators of compromise.

Palo Alto’s Unit 42 puts the number of compromised machines a little lower, at “22,074 implanted IOS XE devices since at least 18 October 2023”.

Regardless of the actual number, Unit 42’s advice for impacted Cisco customers is stark.

“A non-persistent implant based on the Lua programming language has been observed in use alongside this vulnerability,” Unit 42 said in a blog post of its own. “The web server must be restarted for the implant to become active, according to Cisco Threat Intelligence.”

“Based on the amount of publicly available information, along with our own analysis, Palo Alto Networks recommends following Cisco’s recommendations immediately,” Unit 42 said.

“For all potentially impacted organisations, we also recommend reviewing your systems for signs of a backdoor implant installation and new user account creation.”
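Unit 42’s advice above amounts to two checks: probe each device for the implant that the earlier paragraph describes, and look for accounts you did not create. The POSIX shell helpers below, added here as an example and not taken from the article, Cisco, Talos or Unit 42, do both. The probe URL and the syslog message formats are the indicators Cisco Talos published on 16 October; the host addresses, timestamps, file name and account list in the sample data are constructed for the demo, and the `probe_device` function (which needs curl and network access) is an assumption about how a practitioner would wrap that probe.

```shell
#!/bin/sh
# Added triage helpers for CVE-2023-20198 (not code from the article, Cisco,
# Talos or Unit 42). The probe URL and the syslog message formats follow the
# indicators Cisco Talos published on 16 October 2023; the sample log lines
# and config lines below are constructed for the demo, not captured from a device.

# Talos's implant check: an HTTP POST to /webui/logoutconfirm.html?logon_hash=1
# returns a hexadecimal string when the implant is present. This function
# classifies a response body and returns 0 (true) if the body is hex-only.
implant_present() {
    body=$(printf '%s' "$1" | tr -d '\r\n')
    printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]+$'
}

# Probe one device (needs curl and network access; not run in the demo below).
# -k skips certificate validation because the web UI usually has a self-signed cert.
probe_device() {
    ip="$1"
    body=$(curl -sk -X POST "https://$ip/webui/logoutconfirm.html?logon_hash=1" 2>/dev/null) || body=''
    if implant_present "$body"; then
        printf '%s: IMPLANT PRESENT (response %s)\n' "$ip" "$body"
        return 1
    fi
    printf '%s: no implant response\n' "$ip"
}

# Count syslog lines matching Talos's three indicators. Reads the log on stdin.
# WEBLOGIN_SUCCESS and CONFIG_P are also produced by legitimate web UI use, so
# review the user and source address of each hit rather than treating the
# count alone as confirmation.
count_iocs() {
    grep -Ec 'SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http|SEC_LOGIN-5-WEBLOGIN_SUCCESS|WEBUI-6-INSTALL_OPERATION_INFO' || true
}

# Print the usernames in "show running-config | include username" output (stdin)
# that are not in the newline-separated allowlist passed as $1.
unexpected_users() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "username" && !($2 in ok) { print $2 }'
}

# Constructed sample data. "cisco_tac_admin" is one of the account names Talos
# reported the attackers creating; the addresses, timestamps and file name are invented.
SAMPLE_LOG='Oct 17 03:42:13.001: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.10] at 03:42:13 UTC Tue Oct 17 2023
Oct 17 03:42:14.002: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
Oct 17 03:42:20.003: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf
Oct 17 08:00:00.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)'

SAMPLE_USERS='username admin privilege 15 secret 9 $9$constructed
username cisco_tac_admin privilege 15 secret 9 $9$constructed'

printf 'IOC log lines: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_iocs)"
printf 'Unexpected accounts: %s\n' "$(printf '%s\n' "$SAMPLE_USERS" | unexpected_users 'admin')"
```

Run `probe_device` against each management address from a host that can reach the web UI; a hex-only response means the implant is present, while an HTML page or an empty body does not clear the device on its own, because the implant is not persistent and may not be active until the web server restarts. Either way, Cisco’s advisory tells administrators to disable the HTTP Server feature (`no ip http server` and `no ip http secure-server`) on internet-facing systems until a fix is available, and any account the allowlist check flags should be treated as evidence of compromise, not simply deleted.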

The Australian Cyber Security Centre issued a critical alert over the flaw earlier this week.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
