34K+ Malicious Implants In Cisco IOS XE: CERT Orange

The CERT Orange Cyberdefense team (the first private CERT in Europe) reported today more than 34,000 malicious implants on Cisco IOS XE devices.

From the blog post:

We discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco’s Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, we observed what we have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username “cisco_tac_admin” from a suspicious IP address (5.149.249[.]74). Instances of this activity ended on October 1, and we did not observe any other associated behavior at that time other than the suspicious account creation.  

This isn’t good. Corey Sinclair, Cyber Threat Intelligence Analyst, Horizon3.ai had this to say:

   “Cyber threat actors are already exploiting this vulnerability, allowing remote, unauthenticated attackers to create an account with privilege level 15 access on affected systems – potentially gaining full control. This is a significant alert for organizations using Cisco IOS XE devices with the Web UI feature enabled through the IP HTTP server or IP HTTP Secure Server commands. Cisco recommends disabling the HTTP server feature on internet-facing systems to mitigate this vulnerability.

   “While there is no patch available just yet, it’s highly recommended to keep abreast of any updates or mitigation options from Cisco. And also, when implementing technologies and updating systems, we urge that it’s important that organizations don’t keep default settings or credentials, and do regularly run autonomous internal and external pentest operations to find, fix, and verify any weaknesses that can be actively exploited.”

Craig Harber, security evangelist at Open Systems (former US DOD, NSA and USCYBERCOM) had this to say: 

   “Today, Cisco warned its customers of a new zero-day vulnerability impacting the company’s IOS XE software. The warning explains how devices can be exploited locally from the network or from the internet if the targeted device is exposed to the web. Once the device is exploited, the attacker can create accounts with the highest privileges and take full control over the infected device.

   “Until a patch is available, security teams should immediately disable the HTTP Server feature on their internet-facing systems and use the indicators of compromise provided by Cisco to hunt within their systems for infected devices. Security teams also should consider implementing network segmentation to control access to those vulnerable servers from the internet.”

Cisco has an advisory that you can read here. I would strongly recommend that you read it and take action, as there is no patch available for this at present. You should also treat implementing these mitigations as a today problem, not a someday one.
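The two quotes above boil down to a checklist: find out whether the web UI is enabled (`ip http server` / `ip http secure-server` in the running config), look for privilege-15 local accounts you did not create (the text names `cisco_tac_admin` and the source IP 5.149.249[.]74), and turn the web UI off on exposed devices until a fix ships. The script below is an added example that works that checklist against a saved `show running-config` and a syslog export; it is not code from this page, from Cisco, Orange Cyberdefense or Horizon3.ai. The sample config and log lines are constructed, and the exact syslog message formats it parses are assumptions, so adjust the regular expressions to what your devices actually emit.

```python
"""Audit a Cisco IOS XE running-config and syslog export for web UI exposure and
the indicators quoted above.  Added example; not vendor or Orange CERT code.
Sample inputs are constructed and the syslog formats are assumed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed `show running-config` excerpt (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
!
"""

# Constructed syslog lines; the message formats are assumed, not captured.
SAMPLE_SYSLOG = """\
Oct  1 03:12:44.101 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 5.149.249.74] at 03:12:44 UTC Sun Oct 1 2023
Oct  1 03:13:02.511 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on vty0
Oct  1 08:40:10.003 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 08:40:10 UTC Sun Oct 1 2023
"""

# Indicators taken from the text above: the created account and its source IP.
IOC_USERS: Set[str] = {"cisco_tac_admin"}
IOC_IPS: Set[str] = {"5.149.249.74"}

WEBUI_COMMANDS = ("ip http server", "ip http secure-server")


def webui_status(running_config: str) -> Dict[str, bool]:
    """Whether each web UI server command is active.  IOS XE shows the bare
    command when enabled and the `no ...` form when explicitly disabled."""
    status = {cmd: False for cmd in WEBUI_COMMANDS}
    for raw in running_config.splitlines():
        line = raw.strip()
        for cmd in WEBUI_COMMANDS:
            if line == cmd:
                status[cmd] = True
            elif line == "no " + cmd:
                status[cmd] = False
    return status


USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)")


def privileged_accounts(running_config: str, level: int = 15) -> List[str]:
    """Local accounts configured at the given privilege level, in config order."""
    found = []
    for raw in running_config.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if m and int(m.group(2)) == level:
            found.append(m.group(1))
    return found


def unexpected_admins(running_config: str, approved: Set[str]) -> List[str]:
    """Privilege-15 accounts that are not on the approved list or match an IOC name."""
    return [u for u in privileged_accounts(running_config)
            if u not in approved or u in IOC_USERS]


WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: ([\d.]+)\]")
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (\S+) from console as (\S+)")


def flagged_events(syslog: str) -> List[Tuple[str, str, str]]:
    """(kind, user, detail) for web UI logins by an IOC user or from an IOC IP,
    and for programmatic config changes driven by the web UI process."""
    hits = []
    for line in syslog.splitlines():
        m = WEBLOGIN_RE.search(line)
        if m and (m.group(1) in IOC_USERS or m.group(2) in IOC_IPS):
            hits.append(("weblogin", m.group(1), m.group(2)))
            continue
        m = CONFIG_P_RE.search(line)
        if m and (m.group(1).startswith("SEP_webui") or m.group(2) in IOC_USERS):
            hits.append(("config_change", m.group(2), m.group(1)))
    return hits


def remediation_commands(running_config: str) -> List[str]:
    """IOS configuration lines that disable whichever web UI server is active,
    i.e. the vendor mitigation quoted above.  Empty list if nothing is enabled."""
    active = [cmd for cmd, on in webui_status(running_config).items() if on]
    if not active:
        return []
    return ["configure terminal"] + ["no " + cmd for cmd in active] + ["end", "write memory"]


if __name__ == "__main__":
    print("web UI:", webui_status(SAMPLE_RUNNING_CONFIG))
    print("unexpected admins:", unexpected_admins(SAMPLE_RUNNING_CONFIG, {"netops"}))
    for event in flagged_events(SAMPLE_SYSLOG):
        print("flagged:", event)
    print("\n".join(remediation_commands(SAMPLE_RUNNING_CONFIG)))
```

Run it against real exports by replacing the two sample strings with the contents of your config and log files. A clean device still returns the `remediation_commands` list if the web UI is on, which is the point: exposure is the thing to fix first, and a compromised account or an implant is what to hunt for second.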
