Researchers have cautioned that hackers have compromised tens of thousands of devices by taking advantage of a Cisco networking software zero-day vulnerability that has not yet been fixed.
In a security advisory released Monday, Cisco warned that hackers were actively taking advantage of a serious weakness in IOS XE. This software runs the company’s line of networking equipment. According to Cisco, the flaw was discovered in the IOS XE online management interface and may be used against a device if it is connected to the internet.
Enterprise switches, wireless controllers, access points, and industrial routers are among the hardware running Cisco IOS XE software that businesses and smaller organizations use to manage their network security.
Using a zero-day vulnerability, which attackers find before the manufacturer can patch it, the problem has been exploited since at least September 18, according to Cisco’s threat intelligence unit Talos in a separate blog post. According to Cisco Talos, successful exploitation gives an attacker “full control of the compromised device,” enabling “possible subsequent unauthorized activity” on the corporate victim’s network.
Cisco has not yet made any remarks on the scope of the exploit. On the other hand, Censys, a search engine for internet-connected assets and devices, reports that as of October 18, it has seen approximately 42,000 hacked Cisco equipment, citing a “sharp increase” in infections compared to the day before.
According to Censys’ study of the issue, the bulk of vulnerable devices are found in the United States, followed by the Philippines and Mexico. According to Censys, the telecommunications firms that provide internet services to both homes and businesses are the targets of hackers.
Smaller companies and people who are more vulnerable are thus the main targets of this weakness rather than big corporations, according to Censys experts.
Zero-day for zero-patch
For the zero-day vulnerability, which has been given the highest severity rating of 10.0, Cisco has not yet made a fix available. Cisco representative Alyssa Martin told TechCrunch that the business is “working non-stop to provide a software fix,” but she did not specify when the patch would be available.
However, Cisco stated in its alert that the zero-day affected both physical and virtual devices running IOS XE software that have the HTTP or HTTPS server capability activated. The exact number of devices that might be exposed is yet unknown. Cisco “strongly” advises clients to turn off the HTTP Server capability on all internet-facing computers without a fix.
Furthermore, it’s not apparent who is abusing the weakness. After seeing the original zero-day exploitation in September, Cisco Talos claimed to have seen activity on October 12 that it believes was carried out by the same attacker. According to Cisco, “the first cluster was possibly the actor’s initial attempt and testing of their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant,”
Cisco advised that after getting access to the device, the attackers used a prior vulnerability, CVE-2021-1435, which Cisco addressed in 2021, to install the implant.
According to the researchers, the implant has also been successfully placed on devices fully patched against CVE-2021-1435, albeit the exact process is unknown.
Cisco advised administrators of possibly hacked devices to quickly examine their networks for intrusion indicators and remove the HTTP Server capability. Federal agencies are being urged by CISA, the U.S. government’s cybersecurity organization, to implement mitigations by October 20.
