It was a spectacular operation: the security specialists at SECUINFRA caught attackers exploiting vulnerabilities in the IOS XE operating system. About two weeks ago, the SECUINFRA Falcon team published a technical advisory on the threat posed by two new vulnerabilities in Cisco appliances affecting thousands of Internet-exposed devices.
To gain insight into the attackers’ modus operandi and how the vulnerabilities work, the security experts set up several honeypots (intentionally vulnerable systems) to capture these details. The Falcon team at SECUINFRA has published a GitHub repository to share relevant log files and other findings, classified TLP:CLEAR, with the community. In addition, current Indicators of Compromise and further details are communicated via X (formerly Twitter) and Mastodon.
On October 28, the security experts were able to record a packet capture of an attack on two of their honeypots that contained information about the authentication bypass vulnerability CVE-2023-20198. SECUINFRA shares this information under the TLP:AMBER classification with reputable researchers in the cybersecurity community to improve detection mechanisms for this vulnerability. The SECUINFRA team would like to thank the following organizations for their cooperation in this case: Emerging Threats Labs, Corelight, Microsoft, Netresec, Nozomi Networks, Vulncheck, DIVD and LeakIX.
In addition, Horizon3.ai published a blog post about the inner workings of said vulnerability after the information we shared on X confirmed their previous hypothesis. This proof-of-concept was reported on by several cybersecurity news portals, such as BleepingComputer and Heise.
SECUINFRA is open to cooperation in future cases of this kind. If you are interested, send the security experts a message! The SECUINFRA Falcon team publishes the latest research on the topic on X (formerly Twitter) and Mastodon.