Hackers update Cisco IOS XE backdoor to hide infected devices

10/23/23 update added at the end explaining the cause of decreased detections.

The number of Cisco IOS XE devices detected with a malicious backdoor implant has plummeted from over 50,000 impacted devices to only a few hundred after the attackers updated the backdoor to hide infected systems from scans.

This week, Cisco warned that hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to hack over 50,000 Cisco IOS XE devices to create privileged user accounts and install a malicious LUA backdoor implant.

This LUA implant allows the threat actors to remotely execute commands at privilege level 15, the highest privilege level on the device.

However, this implant does not include persistence, meaning a reboot will remove the backdoor. Any local users created during the attack, however, will remain.

Since the release of this news, cybersecurity firms and researchers have found approximately 60,000 out of the 80,000 publicly exposed Cisco IOS XE devices to be breached with this implant.

Mysterious drop in detected Cisco implants

On Saturday, multiple cybersecurity organizations reported that the number of Cisco IOS XE devices with a malicious implant has mysteriously dropped from approximately 60,000 devices to only 100-1,200, depending on the different scans.

Onyphe Founder & CTO Patrice Auffret told BleepingComputer that he believes the threat actors behind the attacks are deploying an update to hide their presence, thus causing the implants to be no longer seen in scans.

"For the 2nd time in a row, we see the number of implants has drastically dropped in a short time (see screenshots attached). Basically, they seem to have been practically all rebooted (as the known implant doesn't survive a reboot) or have been updated."

"We believe it is the action from the original threat actor which is trying to fix an issue that should not have been there from the beginning. The fact that the implant was so easy to detect remotely was a mistake from their side.

"They are probably deploying an update to hide their presence."

Piotr Kijewski, the CEO of The Shadowserver Foundation, also told BleepingComputer that they have seen a sharp drop in implants since 10/21, with their scans only seeing 107 devices with the malicious implant.

"The implant appears to have been either removed or updated in some way," Kijewski told BleepingComputer via email.

Number of Cisco IOS XE devices with malicious implant
Source: ShadowServer

Another theory shared is that a grey-hat hacker is automating the reboot of impacted Cisco IOS XE devices to clear the implant. A similar campaign was seen in 2018 when a hacker claimed to have patched 100,000 MikroTik routers so they could not be abused for cryptojacking and DDoS campaigns.

However, Orange Cyberdefense CERT for the Orange Group told BleepingComputer that they do not believe that a grey-hat hacker is behind the decrease in implants but rather that this could be a new exploitation phase.

"Please note that a potential trace cleaning step is underway to hide the implant (following exploitation of #CVE-2023-20198)," tweeted Orange Cyberdefense CERT.

"Even if you have disabled your WebUI, we recommend that you carry out an investigation to make sure that no malicious users have been added and that its configuration has not been altered."
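One way to run the account and WebUI check recommended above, as an added example that is not from the article, Cisco or Orange Cyberdefense: it reads a saved "show running-config" and lists privilege-15 local users missing from an allowlist, plus any enabled "ip http" services. The sample configuration, the account names and the audit_config helper are constructed for illustration.

```python
import re

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$CONSTRUCTED
username monitor privilege 1 secret 9 $9$CONSTRUCTED
username svc_tmp01 privilege 15 secret 9 $9$CONSTRUCTED
!
ip http server
ip http secure-server
!
line vty 0 4
 login local
"""

# Local account lines; the privilege keyword is optional in the config.
USER_RE = re.compile(r"^username\s+(\S+)(?:.*?\bprivilege\s+(\d+))?", re.M)
# WebUI listeners; a leading "no" means the service is disabled.
HTTP_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$", re.M)

def audit_config(config_text, expected_admins):
    """Return (unexpected privilege-15 users, enabled WebUI services)."""
    unexpected = []
    for name, priv in USER_RE.findall(config_text):
        # A local user with no explicit level defaults to privilege 1.
        level = int(priv) if priv else 1
        if level == 15 and name not in expected_admins:
            unexpected.append(name)
    webui = [svc for neg, svc in HTTP_RE.findall(config_text) if not neg]
    return unexpected, webui

if __name__ == "__main__":
    # expected_admins is the site's own allowlist (hypothetical here).
    users, webui = audit_config(SAMPLE_CONFIG, expected_admins={"netadmin"})
    for u in users:
        print(f"REVIEW: unexpected privilege-15 account: {u}")
    for svc in webui:
        print(f"NOTE: WebUI service enabled: ip http {svc}")
```

Because the implant does not survive a reboot but created accounts do, an unexpected privilege-15 user is worth investigating even on a device that no longer answers the implant check.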

Finally, security researcher Daniel Card theorized that the many devices breached with implants were simply a decoy to hide the real targets in attacks.

Unfortunately, at this time, all we have are theories as to what caused the reduced detections.

Update 10/23/23: Today, cybersecurity firm Fox-IT explained that the sudden drop in detected implants is due to the threat actors rolling out a new version of the backdoor on Cisco IOS XE devices.

According to Fox-IT, the new implant version now checks for an Authorization HTTP header before responding.

"We have observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding," reads the LinkedIn post.

As the previous scan methods did not use an authorization header, there was no response from the implant, making it look as if it had been removed.

Cisco Talos confirmed the change in updated advisories [1, 2], sharing a new curl command that can detect the implant on backdoored Cisco IOS XE devices.

This command is the same as the previously shared method but now includes an 'Authorization' header to cause the implant to respond to requests:

curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

The DEVICEIP placeholder should be replaced with the IP address of the device you want to check for the implant.

Once the researchers switched to using the new 'Authorization' header, scans showed that there are now 37,890 Cisco IOS XE devices infected with the malicious backdoor implant.