Cisco: Hackers targeting zero-day found in internet-exposed routers

Cisco warned on Monday that hackers are targeting a line of its software through a previously unknown vulnerability.

In addition to releasing an advisory about the issue — which is tracked as CVE-2023-20198 —- the company’s Talos security team published a report outlining how it discovered the critical vulnerability.

The vulnerability carries the highest severity CVSS score possible of 10 and Cisco said it would “grant an attacker full administrator privileges, allowing them to effectively take full control of the affected router and allowing possible subsequent unauthorized activity.”

CVE-2023-20198 was found in a feature of Cisco IOS XE software and affects both physical and virtual devices running the software. The feature, called Web UI, is meant to simplify deployment, manageability and user experience.

To address the issue, Cisco urged customers to disable the HTTP Server feature on all internet-facing systems and noted that the Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly issued the same advice for mitigating the risks associated with internet-exposed management interfaces. CISA released its own warning about the vulnerability on Monday.

There is no workaround to resolve the issue and no patch available yet.

Through the vulnerability, hackers are able to create an account on the affected device and gain full control of it.

The vulnerability was found during the resolution of multiple Cisco Technical Assistance Center support cases where customers were hacked. The first situation was discovered on September 28. After an investigation, Cisco researchers said it found activity related to the bug dating back to September 18.

Cisco Talos Incident Response teams saw activity related to the issue last Thursday and released the advisory on Monday. The company said it has dealt with a “very small number of cases out of our normal substantial daily case volume.”

“We assess that these clusters of activity were likely carried out by the same actor. Both clusters appeared close together, with the October activity appearing to build off the September activity,” they said.

“The first cluster was possibly the actor’s initial attempt at testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant.”

After exploiting the new vulnerability, the hackers turned to a two-year-old bug —- CVE-2021-1435 —- which allowed them to install an implant on the affected device. They noted that even devices patched against the old vulnerability had implants installed “through an as of yet undetermined mechanism.”

Users of products with the software should be on the lookout for “unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat.”

Several researchers, including Viakoo Labs Vice President John Gallagher, tied the vulnerability to another affecting the same software that was announced on October 2.

Gallagher explained that the vulnerability is a reminder that administrators “need detailed information on their systems in cases like this where there is no patch available.”

Mayuresh Dani, manager of threat research at Qualys, noted that Cisco did not provide a list of affected devices, meaning any switch, router or wireless LAN controller running IOS XE with the web user interface (UI) exposed to the internet is vulnerable.

“Based on my searches using Shodan, there are about 40,000 Cisco devices that have web UI exposed to the internet,” Dani said, reiterating Cisco’s advice that users should make sure devices are not exposed to the internet or disable the web UI component on these devices.