Cisco has shed more light on the speculation surrounding a sudden decline in the number of hosts known to be infected with a malware implant delivered through two zero-day vulnerabilities in its IOS XE software platform.
Last week, threat researchers discovered that many tens of thousands of hosts had been compromised, but over the weekend these figures dropped significantly.
This prompted extensive discussions in the security community regarding whether the unidentified threat actor responsible for the intrusions was taking steps to conceal their activities in some way, or if they had made a mistake in their operation.
In an update released on Monday, October 23, Cisco’s Talos research unit reported that it had observed a second version of the malicious implant, deployed via the first version, which keeps most of the original functionality but first checks for an HTTP Authorization header before responding.
The Talos team explained that “The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems.”
“This header check is primarily used to hinder compromise identification using a previous version of the curl command provided by Talos. Based on the current information, we believe that incorporating the header check in the implant has likely resulted in a recent sharp decline in public-facing infected systems.”
The team added, “We have updated the curl command provided under our guidance advisory to facilitate the identification of implant variants using the HTTP header checks.”
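The practical consequence of the header check is that a device infected with the second variant looks clean to the original probe and only reveals itself once the header is sent. The following script is an added example, not Talos's or Cisco's own tooling: it sends the probe both ways and classifies the result. The endpoint path is the one used by the published Talos curl check; the Authorization value is a placeholder that must be replaced with the value from Talos's updated guidance; the rule that a bare hexadecimal response body indicates the implant follows the Talos check, and the minimum length of 8 hex characters is an assumption made here.

```python
"""Probe IOS XE web UI hosts for the implant, with and without the
Authorization header that the second implant variant requires.

Added example, not Talos's or Cisco's own tooling. IMPLANT_PATH is the
endpoint used by the Talos-published curl check; PLACEHOLDER_AUTH must be
replaced with the header value from Talos's updated guidance (assumption).
"""
import re
import ssl
import sys
import urllib.error
import urllib.request

IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# Placeholder (assumption): substitute the Authorization value Talos published.
PLACEHOLDER_AUTH = "REPLACE-WITH-VALUE-FROM-TALOS-GUIDANCE"
# A clean web UI answers with HTML; the implant answers with a bare hex string.
# The 8-character minimum is an assumption to avoid matching trivial bodies.
HEX_BODY = re.compile(r"[0-9a-fA-F]{8,}")


def is_implant_response(body: str) -> bool:
    """True when the body is nothing but a hexadecimal string (the implant's reply)."""
    return HEX_BODY.fullmatch(body.strip()) is not None


def build_request(host: str, auth_value=None) -> urllib.request.Request:
    """POST to the implant path, optionally carrying the Authorization header
    that the second implant variant checks for before it responds."""
    headers = {}
    if auth_value is not None:
        headers["Authorization"] = auth_value
    return urllib.request.Request(
        f"https://{host}{IMPLANT_PATH}", data=b"", headers=headers, method="POST"
    )


def classify(body_without_header: str, body_with_header: str) -> str:
    """Combine the two probes into a verdict."""
    if not body_without_header and not body_with_header:
        return "no-response"      # unreachable, timed out, or TLS failure
    if is_implant_response(body_without_header):
        return "implant-v1"       # answers with no header check
    if is_implant_response(body_with_header):
        return "implant-v2"       # answers only once the header is present
    return "not-detected"


def fetch(req: urllib.request.Request, timeout: float = 5.0) -> str:
    """Send the request; HTTP error bodies are still inspected, transport
    failures yield an empty body."""
    ctx = ssl._create_unverified_context()   # self-signed device certs, as curl -k
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""


def probe_host(host: str, auth_value: str = PLACEHOLDER_AUTH, timeout: float = 5.0) -> str:
    """Run both probes against one host and return the verdict string."""
    without = fetch(build_request(host), timeout)
    with_hdr = fetch(build_request(host, auth_value), timeout)
    return classify(without, with_hdr)


if __name__ == "__main__":
    # usage: python probe_implant.py <authorization-value> host1 [host2 ...]
    auth, hosts = sys.argv[1], sys.argv[2:]
    for h in hosts:
        print(f"{h}: {probe_host(h, auth)}")
```

Run it from a host that can reach the management interface; a "not-detected" verdict only means neither probe produced the implant's reply, not that the device is uncompromised, so it does not replace the full indicator set in Cisco's guidance.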
Cisco continues to recommend that IOS XE users promptly follow its previously-published guidance, which remains unchanged, and apply the fixes outlined in its advisory, which was released on October 22.
Meanwhile, the UK’s National Cyber Security Centre (NCSC) confirmed on October 23 that it was assisting several UK-based organisations known to have been affected and was closely monitoring the evolving impact of the issues.
The NCSC recommends following Cisco’s advice, with a particular emphasis on four priority actions:
- Check for compromise using the detection methods and indicators of compromise (IoCs) from Cisco;
- If affected (and based in the UK), report the incident to the NCSC immediately;
- Disable the HTTP server feature or limit access to trusted networks on all internet-facing devices;
- Upgrade to the latest version of Cisco IOS XE.
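The third action turns on two configuration facts: whether the web UI is enabled at all, and, if it is, whether an access class restricts it to trusted networks. The audit below is an added example, not Cisco's or the NCSC's tooling: it reads a saved running-config and reports the exposure and the disabling commands. The sample configurations are constructed; `ip http server`, `ip http secure-server` and `ip http access-class` are real IOS XE commands, but the exact access-class syntax varies by release, so treat the form shown as an assumption to check against your platform's command reference.

```python
"""Audit a saved IOS XE running-config for web UI exposure.

Added example, not Cisco's or the NCSC's tooling. The sample configs are
constructed. The `ip http access-class [ipv4] <acl>` form accepted below is
an assumption; verify the syntax for your release.
"""
import re

ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")


def _acl_defined(lines, acl):
    """An access class is only meaningful if the referenced ACL actually exists."""
    prefixes = (
        f"ip access-list standard {acl}",
        f"ip access-list extended {acl}",
        f"access-list {acl} ",
    )
    return any(ln.startswith(prefixes) for ln in lines)


def audit_web_ui(running_config: str) -> dict:
    """Return the web UI state, the restricting ACL (if any), a verdict and
    the commands that disable the feature where it is exposed."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    http_on = "ip http server" in lines          # "no ip http server" is a different line
    https_on = "ip http secure-server" in lines
    acl = None
    for ln in lines:
        m = ACCESS_CLASS_RE.match(ln)
        if m:
            acl = m.group(1)
    enabled = http_on or https_on
    if not enabled:
        verdict = "web-ui-disabled"
    elif acl and _acl_defined(lines, acl):
        verdict = "web-ui-restricted"
    elif acl:
        verdict = "web-ui-exposed-dangling-acl"   # access-class names an ACL that is not defined
    else:
        verdict = "web-ui-exposed"
    remediation = []
    if verdict.startswith("web-ui-exposed"):
        if http_on:
            remediation.append("no ip http server")
        if https_on:
            remediation.append("no ip http secure-server")
    return {
        "http": http_on,
        "https": https_on,
        "access_class": acl,
        "verdict": verdict,
        "remediation": remediation,
    }


# Constructed sample configurations (not captured from real devices).
EXPOSED_CONFIG = """!
hostname edge-rtr1
ip http server
ip http secure-server
ip http authentication local
!
"""

RESTRICTED_CONFIG = """!
hostname edge-rtr2
ip access-list standard WEBUI_MGMT
 permit 10.20.30.0 0.0.0.255
 deny   any
no ip http server
ip http secure-server
ip http access-class ipv4 WEBUI_MGMT
!
"""

DANGLING_CONFIG = """!
hostname edge-rtr3
ip http secure-server
ip http access-class ipv4 WEBUI_MGMT
!
"""

DISABLED_CONFIG = """!
hostname edge-rtr4
no ip http server
no ip http secure-server
!
"""

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG),
                      ("dangling", DANGLING_CONFIG), ("disabled", DISABLED_CONFIG)]:
        print(name, audit_web_ui(cfg))
```

Even a "web-ui-restricted" result still leaves the feature running; where the web UI is not needed, disabling it outright removes the attack surface rather than fencing it.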
Network devices becoming popular targets
Jamie Brummell, chief technology officer at managed security services provider (MSSP) Socura, stated that the targeting of Cisco appliances by malicious actors reflects wider trends and themes in the threat landscape.
“The Cisco zero-day continues the trend of threat actors aiming for network appliances as alternatives to end-user devices. They are compelled to explore alternatives to computers, smartphones, and other employee devices, which are increasingly protected by EDR/EPP agents,” he explained.
“Network appliances, once exploited, are generally unprotected, and their system logs are rarely monitored. They are often publicly accessible and have privileged access to the internal network. To make matters worse, especially with a router, they can be exploited to intercept or redirect traffic.
“Targeting a major company like Cisco could grant attackers access to tens of thousands of endpoints. It is good practice to ensure that access is restricted to trusted sources, but in this case, the exploitable web interface is enabled by default,” he added.