Hiding the exploit 

A very suspicious twist came to light in the last few days of unwinding the Cisco IOS XE vulnerability, when the number of susceptible devices started at 145,000, went to 60,00 detected compromised devices, and then plummeted mysteriously to merely 100-1,200 compromised devices within the short span of a few days. Simply put, we’re not that good at updating – not that fast. Experts now surmise that the threat actors are coordinating to obscure the implants from scanner detection, hinting at a sophisticated level of concealment and potentially ongoing exploitation. In a more detailed examination of the exploit, it was observed that the attackers attempted to clear logs and remove user accounts they had created, indicating a methodical effort to erase traces of their activity. This cleanup operation not only highlights the attackers' intent to hide their tracks but also underscores the exploit's utility in facilitating further malicious activity without detection. Bottom line – this may end up taking hands on the keyboard for every internet-facing susceptible device to ensure the threat has been removed. 

Beginnings of a Pivot Campaign 

While initial speculation revolved around mass device reboots erasing the non-persistent Lua implant, the consistent disappearance of implants across devices led to a more ominous hypothesis concerning the Cisco IOS XE vulnerabilities. Threat actors exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, orchestrating an exploit chain to deploy a malicious Lua-based implant on over 50,000 devices initially. This implant granted them the highest privilege level (level 15) on the compromised devices, allowing remote execution of commands. The attackers leveraged the exploit to create privileged user accounts, which persisted even after a device reboot, although the Lua implant itself did not. These established user accounts therefore provided a persistent foothold, enabling further exploitation and possibly serving as a pivot point for lateral movement within networks. 
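Because the privileged accounts survive a reboot while the implant does not, the local account list in the running configuration is the artifact worth auditing. The following is an added example (not code from the original post or from Cisco): it parses `show running-config` output, here a constructed sample with made-up account names, and flags any privilege-15 local account that is not on the operator's expected list.

```python
"""Audit IOS XE running-config text for unexpected privilege-15 local accounts.

Added example for illustration; the config sample, account names and the
expected-account list are all constructed for this demo.
"""
import re

# Constructed `show running-config` excerpt: one expected admin, one
# lower-privilege account, and one unexpected privilege-15 account of the
# kind the post describes attackers creating (name is made up).
SAMPLE_CONFIG = """\
version 17.6
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$constructed-hash-1
username backup-ops privilege 5 secret 9 $9$constructed-hash-2
username svc-unknown01 privilege 15 secret 9 $9$constructed-hash-3
!
end
"""

# Accounts the operator knows should hold privilege 15 (assumed for the demo).
EXPECTED_PRIV15 = {"netadmin"}

# Matches `username <name> privilege <n> ...` at the start of a config line.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)


def privileged_accounts(config: str) -> dict[str, int]:
    """Return {username: privilege} for every local account with an explicit privilege level."""
    return {m.group(1): int(m.group(2)) for m in USER_RE.finditer(config)}


def unexpected_priv15(config: str, expected: set[str] = EXPECTED_PRIV15) -> list[str]:
    """Names of privilege-15 accounts that are not on the expected list, sorted for stable output."""
    accounts = privileged_accounts(config)
    return sorted(name for name, level in accounts.items() if level == 15 and name not in expected)


if __name__ == "__main__":
    # Run against the constructed sample; in practice feed it the saved output
    # of `show running-config` collected from each device.
    findings = unexpected_priv15(SAMPLE_CONFIG)
    for name in findings:
        print(f"ALERT: unexpected privilege-15 account: {name}")
    if not findings:
        print("OK: no unexpected privilege-15 accounts")
```

Run the same check against the startup configuration as well, since the post notes these accounts are what persists across a reboot.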

Are your small and medium vendors secure? 

Our larger vendors have teams dedicated to identifying and resolving this risk. What about the small and medium vendors? We’ve found that they are more likely to have less focused cyber teams, and often run equipment past the initial service contract. This can contribute significantly to missed remediation, especially for an exploit that has a concealment campaign. When you join our information campaign, you will be able to see which vendors have already answered questions regarding IOS XE and their current status, and also submit your own vendors to have automated questionnaires and responses processed, aggregated, and reported on their exposure. Don’t spend the next six months chasing vendors to record your risk. We’ll do the leg work to report your risk, and let you focus on what matters most to your business. 

The continuous evolution of this threat narrative underscores the imperative for robust cybersecurity measures and the timely patching of known vulnerabilities. Cisco has already rolled out fixes for these vulnerabilities, urging immediate implementation to thwart potential exploits and curb the lateral spread of threat actors within networks. Make sure to take a holistic approach by including vendor risk management in your response.