Attackers have taken advantage of a critical zero-day vulnerability to compromise and infect thousands of Cisco IOS XE devices. The vulnerability, identified as CVE-2023-20198, has been extensively exploited, particularly targeting Cisco IOS XE routers and switches that have the Web User Interface (Web UI) feature enabled. These devices also had the HTTP or HTTPS Server feature activated. Threat intelligence firm VulnCheck discovered thousands of compromised devices during their scans of internet-facing Cisco IOS XE web interfaces.
The Implications of the Attack
Jacob Baines, CTO of VulnCheck, highlighted the severity of the situation, stating that attackers with privileged access on the IOS XE could potentially monitor network traffic, pivot into protected networks, and execute man-in-the-middle attacks. Organizations using the IOS XE system are urged to check for compromises and take necessary actions. As a preventive measure, disabling the web interface and removing all management interfaces from the internet is recommended.
Cisco’s Response and Recommendations
Cisco has acknowledged the vulnerability, revealing that unauthenticated attackers can exploit the IOS XE zero-day to gain full administrative rights, allowing them to take over affected Cisco routers and switches remotely. The company has advised administrators to disable the vulnerable HTTP server feature on all internet-facing systems until a patch is released. Cisco first detected these attacks in late September, with evidence suggesting that the same actor was behind both the initial and subsequent attacks. The company also recommends administrators to monitor for suspicious or recently created user accounts, which could be indicators of malicious activity related to this threat.
Previous Vulnerabilities
In a related note, Cisco had previously warned its customers in September to patch another zero-day vulnerability, CVE-2023-20109, in its IOS and IOS XE software, which was actively being exploited by attackers.
The Importance of Operational Security (OPSEC)
The recent attacks underscore the significance of operational security (OPSEC) in the workplace. The primary purpose of OPSEC is to protect sensitive information from adversaries, ensuring that organizations can operate safely and efficiently. In the context of these attacks, maintaining good OPSEC practices could help in early detection and mitigation of threats.
Kapil is an experienced content creator with a total experience of 7+ years. His areas of expertise include technology, finance, sports and food.