Attackers are actively exploiting vulnerable Cisco software to primarily target telecommunications companies, researchers say.
The post Unknown attacker breaches tens of thousands of Cisco devices appeared first on CyberScoop.
Tens of thousands of physical and virtual devices running Cisco networking software have been compromised as the result of a yet-unpatched vulnerability, according to multiple independent researchers.
Cisco issued a security advisory Monday warning of “active exploitation” of its IOS XE software but did not share details on the scale of the issue. Successful exploitation of the vulnerability would grant an attacker “full control of the compromised device” and allow “possible subsequent unauthorized activity,” Cisco’s Talos threat intelligence group said in the alert.
The previously unknown vulnerability has been designated CVE-2023-20198.
By Tuesday, using indicators shared by Talos, researchers began to quantify the scale of compromised devices. Jacob Baines, the chief technical officer with VulnCheck, wrote that Cisco’s blog post “buried the lede by not mentioning thousands of internet-facing IOS XE web interfaces have been implanted.”
Later in the day, researchers with Censys reported observing 34,140 devices “that appear to have the backdoor installed.” Censys’ data pointed to tens of thousands of compromised devices around the world, the majority of which are in the U.S.
An analysis of the autonomous systems associated with the device IP addresses, which offers indications of the types of organizations involved, suggests “they predominantly represent telecommunications companies offering internet services to both households and businesses,” the Censys researchers reported.
A Cisco spokesperson told CyberScoop late Tuesday that the company is “working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory.”
Cisco became aware of the issue on Sept. 28, when it was reported to the company’s Technical Assistance Center, according to the Talos blog. An analysis showed that “related activity” began as early as Sept. 18.
It’s not clear who is behind the compromises, but they “were likely carried out by the same actor,” the Talos blog read.
The attackers leveraged a previous vulnerability, CVE-2021-1435, which Cisco patched in 2021, to install the implant after gaining access to the device, according to Talos. “We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism.”
Source: CyberScoop
Source Link: https://cyberscoop.com/cisco-devices-breach-ios-xe/