The backdoor implanted on Cisco devices by exploiting two zero-day flaws in IOS XE software has been modified by the threat actor to evade detection by earlier fingerprinting techniques.
“Examination of network traffic directed to a compromised device has revealed that the threat actor has enhanced the implant with an additional header check,” reported NCC Group’s Fox-IT team. “As a result, for many devices, the implant remains operational, but it now exclusively responds when the correct Authorization HTTP header is in place.”
The attacks chain CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) into a single exploit sequence. This chain gives the threat actor the ability to access the devices, create a privileged account, and then deploy a Lua-based implant on them.
This development coincides with Cisco’s initiation of the rollout of security updates to resolve these issues, with additional updates scheduled for a yet-to-be-disclosed date.
The precise identity of the threat actor behind the campaign remains unknown at present. Data shared by VulnCheck and attack surface management company Censys suggests, however, that the number of affected devices may reach into the thousands.
“The infections appear to be widespread breaches,” noted Mark Ellzey, Senior Security Researcher at Censys, in a statement to The Hacker News. “It’s possible that the hackers will sift through their findings at some point to determine the value of the compromised data.”
Nonetheless, the count of visibly compromised devices dropped sharply in recent days, from about 40,000 to just a few hundred. This led to speculation that the implant had been quietly modified to evade detection.
Fox-IT’s recent findings explain the abrupt decrease: over 37,000 devices are still confirmed to be compromised by the implant.
Cisco, for its part, has acknowledged the behavioral change in its updated advisory. It has also provided a curl command that can be run from a workstation to verify whether the implant is present on a device.
Cisco stated, “The presence of the implant can be determined if the request returns a hexadecimal string, such as 0123456789abcdef01.”