Cisco IOS XE Vulnerability CVE-2023-20198 – thousands of internet-exposed devices potentially compromised!

Edge infrastructure such as internet-exposed firewalls, routers and VPN gateways is a common initial access target for cybercrime and espionage actors, since these appliances are challenging to defend.

According to the vulnerability discovery service LeakIX, as many as 30 thousand internet-exposed Cisco devices may already have been compromised through the zero-day vulnerability CVE-2023-20198. Internet census providers such as Shodan suggest that about 150 000 Cisco IOS XE devices are exposed to the internet right now, so any vulnerable appliance among them that is not yet compromised will be attacked within the next few minutes, hours or days.

According to the Federal Office for Information Security (BSI) of Germany the threat level is currently rated as level 2 / Yellow, suggesting a possible temporary risk to business operations.


Visit our Twitter profile (X) for the latest updates!

October 21: Shadowserver has noticed a significant decrease in active implants on the Internet. This was later attributed to changes in the Implant code, evading the current detection mechanism.

October 23: Cisco confirms a second vulnerability (CVE-2023-20273) that allows the implant to be inserted into the “cisco_service.conf” file. Cisco has released a patch for the latest version of IOS XE 17.9. Fox-IT discovered a change in the implant code, rolled out over the weekend, that requires an authentication string. We confirmed a variant of the 404 deception page.

October 28: The SECUINFRA Falcon team has identified a new exploit attempt attributed to the original attacker. We have shared our findings with other network security experts to support the development of new detection mechanisms. Details about the inner workings of the two vulnerabilities are now public, see the blog posts by Horizon3 and LeakIX. With public Proof-of-Concepts the number of exploitation attempts on unpatched appliances is going to increase.

Nov 03: We have captured a third version of the Lua implant, again attributed to the original attacker. They introduced another HTTP header value to restrict access to the Implant and to disrupt fingerprinting of vulnerable appliances again.

What is known so far

The Authentication Bypass vulnerability CVE-2023-20198 is rated with a CVSS V3 score of 10.0 (the highest possible score). It allows an unauthenticated attacker exploiting the web UI feature to access an internal API to e.g. create an administrative account with level 15 privileges (again, the highest possible). With this access an attacker can gain full control of the appliance, meaning all data present on it and the device itself should be treated as fully compromised.

The Webshell / Implant is installed through the command injection vulnerability CVE-2023-20273 in the installAdd function, which is caused by improper input validation of the ipaddress parameter.

In a technical advisory, Cisco Talos describes a Lua Webshell/Implant that was inserted into the configuration of affected devices after automated exploitation of the vulnerability. It allows the attackers to issue IOX commands with Privilege-Level 15 and thereby change arbitrary system configuration settings. The Implant does not persist through a reboot of the appliance.

Figure 1: Lua Webshell/Implant V1 (Source: Cisco Talos)

Below you can see screenshots of the third version of the Implant as captured on November 3rd:

Figure 2: Lua Webshell/Implant V3 (Source: SECUINFRA Falcon Team)

Affected Devices

At the time of writing, the Cisco advisory gives no exact overview of the affected IOS XE versions or devices, only the information that the vulnerability may be present on both physical and virtualized appliances. According to Cisco’s documentation, affected products may include enterprise switches, wireless controllers, access points and a broad selection of router products, e.g. from the Catalyst, ASR, CSR, CBR, ISR, IR and NCS series.

Indicators of Compromise

Provided by Cisco

During automated exploitation of Cisco appliances threat actors are currently using the following usernames during the creation of administrative accounts:

The admin panel and system logs of possibly compromised appliances should be reviewed for newly created and unknown user accounts.

There have been two observed systems actively scanning for / exploiting this vulnerability, although this number will likely increase quickly.

5.149.249[.]74
154.53.56[.]231

With the following command (replacing DEVICEIP with the IP address of your appliance) administrators can check for the presence of the implant on the appliance. If a hexadecimal string is returned this may suggest that the device has been compromised already.

Findings from our Honeypots

We are using Honeypots with different software versions to gauge exploitation activity and to gain insight into attacker TTPs. To contribute to the detection and research efforts of the wider cybersecurity community, we are publishing captured exploitation logs in our Research GitHub repository. Below you can see an overview of our current honeypot infrastructure:

Figure 3: Our current Honeypot setup

Example Logs

Captured IoC

154.53.63[.]93
cisco_support
cisco_sys_manager
cisco_tac_admin

A comprehensive list can be found in our GitHub repository.
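The account review recommended above can be scripted against a saved running configuration. The following is an added example, not code from SECUINFRA or Cisco: it flags local accounts that match the usernames listed under "Captured IoC" on this page, and any account missing from an allowlist. The function name, the allowlist and the sample configuration are assumptions made for illustration.

```python
import re

# Usernames listed under "Captured IoC" on this page.
IOC_USERNAMES = {"cisco_support", "cisco_sys_manager", "cisco_tac_admin"}

# Matches IOS 'username NAME [privilege N] ...' configuration lines.
USER_RE = re.compile(
    r"^[ \t]*username[ \t]+(\S+)(?:[ \t]+privilege[ \t]+(\d+))?", re.M)

def review_accounts(running_config, approved):
    """Return (name, privilege, reason) for every local account that needs review.

    'approved' is the operator's own allowlist of expected local accounts.
    """
    findings = []
    for name, priv in USER_RE.findall(running_config):
        level = int(priv) if priv else 1   # IOS default when no privilege keyword
        if name.lower() in IOC_USERNAMES:
            findings.append((name, level, "matches captured IoC username"))
        elif name not in approved and level == 15:
            findings.append((name, level, "unapproved privilege-15 account"))
        elif name not in approved:
            findings.append((name, level, "unapproved account"))
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 REDACTED
username cisco_tac_admin privilege 15 secret 9 REDACTED
username monitor secret 9 REDACTED
username tmpadmin privilege 15 secret 9 REDACTED
"""
APPROVED = {"netops", "monitor"}   # hypothetical allowlist

if __name__ == "__main__":
    for name, level, reason in review_accounts(SAMPLE_CONFIG, APPROVED):
        print(f"{name} (privilege {level}): {reason}")
```

An empty result only means the configuration holds no unexpected local accounts; the page notes the implant itself does not persist through a reboot, so this check does not replace the implant check or log review.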

Based on the modus operandi of captured attacks and the infrastructure used, we were able to cluster certain attacking hosts together:

Figure 4: Overview of attacker infrastructure


For appliances that are reachable (directly) from the internet, Cisco recommends checking whether the web interface is enabled and reachable from the outside interface, which can be done with this command (true positive):

Router# show running-config | include ip http server|secure|active

ip http server
ip http secure-server

Should these commands be present together with the additional lines ip http active-session-modules none (for HTTP) or ip http secure-active-session-modules none (for HTTPS), the vulnerability is not exploitable via the respective protocol.
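When many appliances need checking, the output of the command above can be evaluated automatically. The following is an added example, not Cisco's or SECUINFRA's code: it applies the rule described above separately to HTTP and HTTPS and ignores unrelated lines that the include filter also matches. The function name, verdict labels and sample outputs are assumptions.

```python
# Lines that enable the web UI, and the lines that the page says make it non-exploitable.
WEBUI = {"ip http server": "http", "ip http secure-server": "https"}
MODULES_NONE = {
    "ip http active-session-modules none": "http",
    "ip http secure-active-session-modules none": "https",
}

def audit_webui(show_output):
    """Return {'http': verdict, 'https': verdict}; verdict is
    'disabled', 'mitigated' (session modules set to none) or 'exposed'."""
    enabled, mitigated = set(), set()
    for raw in show_output.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if line in WEBUI:
            enabled.add(WEBUI[line])
        elif line.startswith("no ") and line[3:] in WEBUI:
            enabled.discard(WEBUI[line[3:]])  # explicit 'no ip http ...'
        elif line in MODULES_NONE:
            mitigated.add(MODULES_NONE[line])
        # Other lines the filter lets through (prompt, trustpoint, cipher
        # settings) say nothing about exposure and are ignored.
    verdict = {}
    for proto in ("http", "https"):
        if proto not in enabled:
            verdict[proto] = "disabled"
        elif proto in mitigated:
            verdict[proto] = "mitigated"
        else:
            verdict[proto] = "exposed"
    return verdict

# Constructed sample outputs (not captured from a real device).
SAMPLE_EXPOSED = """Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server
ip http secure-trustpoint EXAMPLE-TP
"""
SAMPLE_PARTIAL = """ip http server
ip http active-session-modules none
ip http secure-server
"""
SAMPLE_DISABLED = """no ip http server
no ip http secure-server
"""

if __name__ == "__main__":
    for label, out in [("exposed", SAMPLE_EXPOSED), ("partial", SAMPLE_PARTIAL),
                       ("disabled", SAMPLE_DISABLED)]:
        print(label, audit_webui(out))
```

The partial sample shows the case that is easy to miss by eye: the mitigation line is present for HTTP only, so HTTPS is still reported as exposed.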

It is highly recommended to disable the web UI on internet-facing appliances for the time being, at least until a patch is available from Cisco.

To disable the web UI, issue the following commands in Global Configuration Mode:

no ip http server
no ip http secure-server

How we can help

Do you need support in assessing whether your internet-facing Cisco device has already been compromised? We are happy to assist as soon as possible through a forensic analysis of the network device in question.

Please do not reboot (potentially) affected appliances in case of a pending forensic investigation to preserve evidence in volatile storage.

In case there is clear evidence of an active compromise on the device itself, we recommend isolating it and conducting a compromise assessment of the adjacent environment to make sure that no preparations are being made for a larger-scale attack, e.g. pre-ransomware activity, lateral movement etc.

We are actively researching this exploitation campaign through honeypots and building custom detection rules for adversary TTPs.

Further Resources


Vulncheck Implant-Scanning-Tool

SECUINFRA Falcon Team • Author

Digital Forensics & Incident Response experts

In addition to the activities that are the responsibility of customer orders, the Falcon team takes care of the operation, further development and research of various projects and topics in the DF/IR area.
