Norway issues warning after ‘important businesses’ affected by Cisco zero-days
The head of Norway’s National Security Authority (NSM) warned on Monday that the exploitation of two recently disclosed Cisco vulnerabilities has resulted in “important businesses” in the country being compromised by hackers.
Speaking to Norwegian newspaper Dagens Næringsliv, NSM chief Sofie Nystrøm said her agency was coordinating the national response to the pair of zero-day vulnerabilities affecting Cisco IOS XE.
Nystrøm declined to identify the businesses that had been affected beyond describing them as important and saying some provided community services. Her agency did not provide a count of how many organizations in the country had been hacked, nor whether any of them were in the public sector.
The situation was “very serious,” Nystrøm said, before describing the attack as “more potent” than an incident this summer affecting DSS, Norway’s government support agency, that led to hackers accessing the data of a dozen government ministries.
In two recent security advisories, the first published on October 16, the networking technology giant Cisco revealed that attackers were actively exploiting two vulnerabilities (CVE-2023-20198 and CVE-2023-20273), the first of which received the highest possible score, 10 out of 10, under the Common Vulnerability Scoring System.
Cisco said it had observed attacks exploiting these as early as September 28. The company provided an initial patch on Sunday, October 22, to remediate the issue.
The company’s Talos Intelligence team said it had observed a threat actor accessing customers’ systems using CVE-2023-20198 and subsequently deploying an implant. In the days following Cisco’s initial security advisory, several security companies said they found up to 40,000 devices online that appeared to be compromised.
After an initial technique for identifying the implant circulated, the attackers updated their malicious code to avoid being detected, and the count of compromised systems that were externally observable dropped.
Although the Talos team said that the implant was not able to persist after a device reboot, it warned that the attackers were also creating new local user accounts with administrator privileges. “Organizations should look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat,” the security team warned.
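The account check Talos recommends can be scripted against a saved copy of a device's running configuration. The following is an added example, not code from Cisco, Talos or NSM; the sample configuration, account names and approved baseline are constructed, and it assumes local accounts appear as standard `username ... privilege N` lines.

```python
import re

# Matches IOS XE local account lines, e.g. "username ops privilege 15 secret 9 <hash>".
USERNAME_RE = re.compile(r"^username\s+(\S+)(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")

def parse_local_users(config_text):
    """Return {username: highest configured privilege}. IOS defaults to level 1."""
    users = {}
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        p = PRIV_RE.search(rest)
        level = int(p.group(1)) if p else 1
        # The same account can span several lines; keep the highest level seen.
        users[name] = max(level, users.get(name, 0))
    return users

def audit_local_users(config_text, approved):
    """Compare configured accounts to an approved {username: max privilege} baseline."""
    findings = []
    for name, level in parse_local_users(config_text).items():
        if name not in approved:
            findings.append((name, level, "not in baseline"))
        elif level > approved[name]:
            findings.append((name, level, "privilege above baseline"))
    # Administrator-level (privilege 15) accounts sort first.
    return sorted(findings, key=lambda f: (-f[1], f[0]))

# Constructed sample configuration and baseline (hypothetical names and hashes).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$EXAMPLEHASH
username readonly secret 9 $9$EXAMPLEHASH
username tmp_svc01 privilege 15 secret 9 $9$EXAMPLEHASH
username helpdesk privilege 15 secret 9 $9$EXAMPLEHASH
!
line vty 0 4
 login local
"""
APPROVED = {"netops": 15, "readonly": 1, "helpdesk": 5}

if __name__ == "__main__":
    for name, level, reason in audit_local_users(SAMPLE_CONFIG, APPROVED):
        print(f"REVIEW {name} (privilege {level}): {reason}")
```

Because the implant itself does not survive a reboot while created accounts do, a baseline comparison like this remains useful after a device has been restarted or patched.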
NSM has been aware of the vulnerability "for some time," said Deputy Director Gullik Gundersen.
"The scope of the damage when the vulnerability is exploited is large since the severity of this vulnerability is rated as critical. An attacker can create a user that achieves complete control over the affected system," Gundersen said.
Businesses that use Cisco IOS XE should update their systems immediately, he said.
"There have been cases of active exploitation of the vulnerability abroad, and in Norway," Gundersen said. "This is still an ongoing incident, and NSM is working to map affected businesses."
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.