On Monday 16 October, Cisco reported a critical zero-day vulnerability in the web UI feature of its IOS XE software that is actively being exploited by threat actors to install Remote Access Tools (RATs) and backdoor vulnerable devices exposed on the internet.

The vulnerability, identified as CVE-2023-20198, enables an unauthenticated attacker to create a highly privileged account on the affected network device, gaining full control of it and the ability to execute arbitrary commands.

On Tuesday 17 October, researchers at VulnCheck performed an internet scan and identified 10,000+ compromised Cisco IOS XE systems that had been implanted with the unidentified threat actor(s)' RAT.

Attackers with this type of unfettered remote access to a network device could take the following actions with associated impacts:

  • monitor network traffic – eavesdropping on privileged network communications.
  • inject & redirect network traffic – exposing the enterprise to man-in-the-middle attacks.
  • breach protected network segments.
  • utilize it as a persistent beachhead into the network, since detection and protection solutions for these devices are scarce and they are often overlooked during patch cycles until a disruption to user activity is noticed.

Immediate measures – Organizations are strongly advised to disable the web UI (HTTP Server) component on all internet-facing systems immediately.

This can be done using the “no ip http server” or “no ip http secure-server” commands in the global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. It’s also recommended to avoid exposing the web UI and management services to the internet or to untrusted networks.
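To confirm the mitigation above on a device's running configuration, the following added example (not code from the original post or from Cisco) parses a constructed sample config, reports which web UI listeners are still enabled, and emits the exact "no ip http server" / "no ip http secure-server" commands still required. It also lists accounts configured at privilege level 15, which is assumed here as the marker for the kind of highly privileged account the advisory describes, so they can be reviewed for unexpected additions.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 5 $1$placeholder
username monitor privilege 1 secret 5 $1$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Matches "ip http server" / "ip http secure-server" and their "no ..." forms.
HTTP_SERVER_RE = re.compile(r"^(no )?ip http (secure-)?server\s*$", re.MULTILINE)
# Assumption: privilege 15 is the level an attacker-created admin account would hold.
PRIV15_USER_RE = re.compile(r"^username (\S+) .*privilege 15", re.MULTILINE)


def audit_config(config: str) -> dict:
    """Return the web UI listeners still enabled and the privilege-15 usernames
    found in a running-config, so an operator can verify the mitigation and
    review privileged accounts."""
    enabled = set()
    for m in HTTP_SERVER_RE.finditer(config):
        negated, secure = m.group(1), m.group(2)
        name = "https" if secure else "http"
        if negated:
            enabled.discard(name)   # explicit "no ip http ..." line
        else:
            enabled.add(name)
    priv15 = PRIV15_USER_RE.findall(config)
    return {"web_ui_enabled": sorted(enabled), "privilege15_users": priv15}


def remediation_commands(audit: dict) -> list:
    """Global-configuration commands still needed to close each enabled listener."""
    cmds = []
    if "http" in audit["web_ui_enabled"]:
        cmds.append("no ip http server")
    if "https" in audit["web_ui_enabled"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    print(result)
    print(remediation_commands(result))
```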

Long-term Strategy

While disabling the web UI component and limiting internet exposure reduces risk from known attack vectors, it does not mitigate the risk from RATs that might have already been deployed on vulnerable systems. It’s crucial to invoke incident response procedures to prioritize hunting for indicators of compromise as they are published…

Down the Road

Cisco has yet to release a patch for CVE-2023-20198. Additionally, Cisco observed the threat actor(s) using 2 different techniques to install the RAT once the device has been compromised:

  • Exploiting CVE-2021-1435, patched in 2021

  • On fully patched devices – “through an as of yet undetermined mechanism”.
