Tag Archive for: cisco

Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor on Thousands of Devices


Oct 21, 2023 | Newsroom | Zero-Day / Vulnerability

Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices.

Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 (CVSS score: 10.0) as part of an exploit chain.

“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination,” Cisco said in an updated advisory published Friday. “This allowed the user to log in with normal user access.”

“The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system,” a shortcoming that has been assigned the identifier CVE-2023-20273.

A Cisco spokesperson told The Hacker News that a fix that covers both vulnerabilities has been identified and will be made available to customers starting October 22, 2023. In the interim, it’s recommended to disable the HTTP server feature.

While Cisco had previously mentioned that a now-patched security flaw in the same software (CVE-2021-1435) had been exploited to install the backdoor, the company assessed the vulnerability to be no longer associated with the activity in light of the discovery of the new zero-day.

“An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “Specifically, these vulnerabilities allow the actor to create a privileged account that provides complete control over the device.”

Successful exploitation of the bugs could allow attackers to gain unfettered remote access to routers and switches, monitor network traffic, inject and redirect network traffic, and use it as a persistent beachhead to the network due to the lack of protection solutions for these devices.

The development comes as more than 41,000 Cisco devices running the vulnerable IOS XE software are estimated to have been compromised by threat…

Cisco IOS XE Hack: Researchers Find Another ‘Sharp Increase’ In Affected Devices


Security News


Kyle Alspach


One of the most serious network device attacks in recent memory continues to widen, according to Censys researchers.

Compromises of Cisco IOS XE devices jumped by 8,000 on Wednesday, bringing the total number of affected systems to nearly 42,000, according to the latest data from cybersecurity firm Censys.

There’s no patch available for the critical vulnerability that’s being exploited in the attacks, although Cisco has provided mitigations that it’s said are effective at thwarting the compromises. IOS XE is a widely used Cisco networking software platform, with estimates suggesting that more than 140,000 devices in total are potentially vulnerable.

Censys researchers had previously found 34,140 Cisco devices compromised, but on Wednesday said they had “found a sharp increase in infections” with the tally climbing to 41,983.

In response to a CRN inquiry Wednesday, Cisco said it did not have any new information to share.

Cisco said in an advisory Monday that the zero-day privilege escalation vulnerability—which is tracked as CVE-2023-20198—warrants the maximum severity rating, 10.0 out of 10.0.

Exploitation of the critical vulnerability can allow a malicious actor to acquire “full control of the compromised device and [allow] possible subsequent unauthorized activity,” Cisco’s Talos threat intelligence team said in a blog post Monday.

The attacks are one of the most serious network device hacks in recent memory, experts have said.

“The last few weeks have seen their fair share of potential sky-crumbling advisories,” Censys researchers said in a post. Those have included a vulnerability in Exim mail servers, “which amounted to much of nothing,” and an HTTP/2 attack that turned out to have a very narrow impact.

“But this time, Apollo, I think we have a problem,” the Censys researchers wrote, referring to the Cisco IOS…

Critical, Unpatched Cisco Zero-Day Bug Is Under Active Exploit


Cisco is asking customers to immediately disable the HTTPS Server feature on all of their Internet-facing IOS XE devices to protect against a critical zero-day vulnerability in the Web User Interface of the operating system that an attacker is actively exploiting. 

Cisco IOS XE is the operating system that Cisco uses for its next-generation enterprise networking gear.

The flaw, assigned as CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled. No patch or other workaround is currently available for the flaw, which Cisco described as a privilege escalation issue that enables complete device takeover. Cisco has assigned the vulnerability a maximum possible severity rating of 10 out of 10 on the CVSS scale.

CVE-2023-20198: Maximum-Severity Flaw

“The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” Cisco said in an advisory on Oct. 16 on the new zero-day bug. “The attacker can then use that account to gain control of the affected system.” Privilege level 15 on a Cisco IOS system basically means having complete access to all commands including those for reloading the system and making configuration changes.

An unknown attacker has been exploiting the flaw to access Internet-facing Cisco IOS XE devices and drop a Lua-language implant that facilitates arbitrary command execution on affected systems. To drop the implant, the threat actor has been leveraging another flaw — CVE-2021-1435 — a medium-severity command injection vulnerability in the Web UI component of IOS XE that Cisco patched in 2021. The threat actor has been able to deliver the implant successfully even on devices that are fully patched against CVE-2021-1435, via an as yet undetermined mechanism, Cisco Talos researchers said in a separate advisory.

Cisco said it first got wind of the new vulnerability when responding to an incident involving unusual behavior on a customer device on Sept. 28. The company’s subsequent investigation showed that malicious activity related to the vulnerability actually may have begun as early as Sept. 18. That first incident ended with the attacker leveraging the flaw to create…

Qakbot hackers now pushing Cyclops/Ransom Knight ransomware, Cisco says


The hackers behind the Qakbot malware have shifted their focus to distributing ransomware, according to security researchers.

The report comes just weeks after law enforcement agencies in the U.S., France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia joined forces to take down Qakbot — one of the most prolific and longest-running botnets.

The agencies not only shut down Qakbot’s computer infrastructure but also proactively removed the malware from infected devices.

On Thursday, researchers from Cisco Talos said that even though the Qakbot malware infrastructure was dismantled, the hackers behind it have been able to keep their distribution tools intact, now using them to spread variants of the Cyclops/Ransom Knight ransomware as well as backdoor malware.

The researchers said the malicious files’ names indicate that the ransomware is being distributed using phishing emails, matching tactics used in past Qakbot campaigns. Some file names are written in Italian, leading Cisco Talos researchers to believe that people in Europe are being targeted.

“The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails,” they said.

“Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.”

When examining the metadata of the malicious files, the researchers got information about the machines used and said it matched those used in previous Qakbot campaigns.

They warned that Qakbot is “likely [to] continue to pose a significant threat moving forward, as the developers were not arrested and Talos assesses they are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure.”

Never completely gone

The August operation against Qakbot involved the seizure of infrastructure and cryptocurrency assets used by the group. But almost immediately, experts…
