
Exploiting Zero-Day Vulnerabilities: A Look into the Cisco Devices Hack and Its Aftermath

Cisco Devices Hacked via Zero-Day Vulnerabilities

Unidentified attackers have been exploiting two zero-day vulnerabilities in Cisco IOS XE, the Linux-based network operating system that runs on many Cisco routers, switches and wireless controllers, to break into Internet-exposed devices and take control of them. A zero-day attack exploits a software flaw before the vendor has a fix available and before the general public knows the flaw exists, so defenders have no patch to apply and usually no signature to look for, which makes it much harder to anticipate and guard against.

High-Privileged Accounts Created on Affected Devices

Once the attackers have gained access to a device through the zero-day vulnerability, they create new local user accounts at the highest privilege level. These accounts give them almost unrestricted administrative access to the compromised device: they can change the configuration, control traffic passing through the device, and modify or delete files on it, with serious consequences for the targeted organisation and its network. Because these accounts look like ordinary administrator logins, they are part of the attackers' strategy for staying on the device and are easy to overlook during clean-up.

Deployment of Lua-Based Backdoor Implant

After establishing access and creating the privileged accounts, the attackers deploy a backdoor implant written in Lua. Lua is a small, high-level scripting language that is popular because it is easy to embed in other software, portable and extensible. The implant is a stealthy piece of software that opens a "back door" on the compromised device, letting the attacker issue commands to it remotely at will. This gives the attackers full control of the system: they can exfiltrate data, manipulate services, and use the device as a foothold from which to reach other systems on the network.

Updates and Modifications to the Implant

As defenders began scanning for and removing the Lua-based implant, the attackers updated it. The update caused a sudden drop in the number of devices that scanners reported as compromised, which suggests that the change was made specifically to defeat the detection method researchers were using, not that the devices had been cleaned.

Significant Drop in Number of Compromised Devices Due to Implant Update

Following the update to the implant, security researchers observed a substantial decrease in the number of Cisco devices their scans flagged as compromised. Initially, more than 40,000 devices were identified as infected. That number fell drastically after the attackers updated the implant, because the update rendered the original scanning method ineffective rather than because the implants had been removed. The change demonstrates the attackers' adaptability and their determination to evade detection.

New Variant of Implant Hinders Identification of Compromised Systems

The updated implant is a new variant designed to defeat identification of compromised systems. The attackers modified it to check for a specific Authorization HTTP header on incoming requests. Unless a request carries the exact expected value, the implant does not respond, so to a scanner the compromised device looks the same as an uncompromised one.

Addition of HTTP Authorization Header Check to Prevent Identification

This change underpins the attackers' strategy of keeping their foothold on the compromised devices. By requiring a specific Authorization HTTP header value, the implant effectively hides its presence from anyone who does not know that value. Scanners therefore had to be updated to send the header before they could find the infected devices again, and in the meantime it became considerably harder for defenders to locate and neutralise them.

Efforts to Identify and Patch Vulnerabilities

Cisco, together with government cybersecurity agencies and research organisations, has been working to detect and mitigate the threat posed by these zero-day vulnerabilities and the resulting intrusions. The work includes developing and releasing patches for the vulnerabilities and sharing indicators of compromise (IoCs) and other detection guidance.

Patches Now Available for Both Vulnerabilities

Cisco has now released patches for both vulnerabilities used in the attacks. The patches close the flaws and protect updated devices from the same attack in future. Organisations are encouraged to apply them as soon as possible; note, however, that patching a device that is already compromised removes the vulnerability but does not by itself remove the implant or the attacker-created accounts.

Cisco Shares Indicators of Compromise (IoCs) and Device Check Instructions

To help the wider security community identify and deal with these intrusions, Cisco has shared indicators of compromise and step-by-step instructions for checking whether a device is infected. IoCs describe the traces an intrusion leaves behind, such as unexpected accounts, log messages and the implant's response to a specific HTTP request, so that defenders can check their own devices in a targeted and efficient way.
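The implant check described above, both in its original form and with the Authorization header the updated variant demands, is the kind of scan the researchers re-ran to find the devices again. The script below is an added example written for this article; it is not Cisco's or Fox-IT's tooling. It follows the published check (an HTTP POST to /webui/logoutconfirm.html?logout_item=1 that the implant answers with an 18-character hexadecimal string), but the Authorization value, the hostnames and the fake transport used to run it offline are placeholders and constructed test data, not real indicators.

```python
"""Two-pass implant scan for the IOS XE web-UI backdoor.

Added example, not vendor code. The real Authorization value must be taken
from the published IoCs; PLACEHOLDER_AUTH below is an assumption standing in
for it.
"""
import http.client
import re
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

CHECK_PATH = "/webui/logoutconfirm.html?logout_item=1"
# The implant replies to the probe with an 18-character lowercase hex string
# (e.g. 0123456789abcdef01); a clean device returns the normal web-UI page.
IMPLANT_REPLY = re.compile(r"[0-9a-f]{18}")
PLACEHOLDER_AUTH = "REPLACE-WITH-PUBLISHED-IOC-VALUE"  # assumption, not the real header

Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


@dataclass
class ProbeResult:
    host: str
    status: Optional[int]
    body: str
    verdict: str  # "implant", "clean" or "error"


def classify(body: str) -> str:
    """Decide whether a response body is the implant's hex token."""
    return "implant" if IMPLANT_REPLY.fullmatch(body.strip()) else "clean"


def https_post(host: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport. Certificate checks are off because devices ship self-signed certs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, timeout=5, context=ctx)
    conn.request("POST", CHECK_PATH, body="", headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


def probe(host: str, auth_value: Optional[str], transport: Transport = https_post) -> ProbeResult:
    """Send one probe, with the Authorization header only when a value is given."""
    headers: Dict[str, str] = {}
    if auth_value is not None:
        headers["Authorization"] = auth_value
    try:
        status, body = transport(host, headers)
    except OSError as exc:  # unreachable host, TLS failure, timeout
        return ProbeResult(host, None, str(exc), "error")
    return ProbeResult(host, status, body, classify(body))


def scan(hosts: Iterable[str], auth_value: str, transport: Transport = https_post) -> Dict[str, str]:
    """Original fingerprint first, then the header-aware one; returns host -> verdict."""
    results: Dict[str, str] = {}
    for host in hosts:
        first = probe(host, None, transport)
        if first.verdict == "implant":
            results[host] = "implant (original variant)"
            continue
        second = probe(host, auth_value, transport)
        if second.verdict == "implant":
            results[host] = "implant (header-checking variant)"
        elif first.verdict == "error" and second.verdict == "error":
            results[host] = "error"
        else:
            results[host] = "clean"
    return results


def fake_transport(host: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for three devices so the scan can run offline."""
    if host == "old-variant.example":
        return 200, "0123456789abcdef01\n"          # answers every probe
    if host == "new-variant.example":
        if headers.get("Authorization") == PLACEHOLDER_AUTH:
            return 200, "fedcba9876543210ff"        # only with the right header
        return 404, "<html><body>Not Found</body></html>"
    if host == "down.example":
        raise OSError("connection refused")
    return 200, "<html><body>Logged out</body></html>"  # clean device


if __name__ == "__main__":
    targets = ["old-variant.example", "new-variant.example", "clean.example", "down.example"]
    for host, verdict in scan(targets, PLACEHOLDER_AUTH, fake_transport).items():
        print(f"{host:22} {verdict}")
```

Against real devices, pass a list of management addresses and drop the `fake_transport` argument so `https_post` is used. Running the probe without the header first, and only then with it, is what distinguishes devices carrying the original implant from those updated to the header-checking variant.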

Fox-IT Identifies Nearly 38,000 Cisco Devices Still Hosting the Implant

Even with these concerted efforts, the threat persists. Fox-IT, a cybersecurity firm, reported after adapting its scan to the updated implant that nearly 38,000 Cisco devices around the world were still hosting it. This shows that the risk is ongoing and underscores the importance of constant vigilance, timely patching and routine checks of exposed devices.

Implications and Post-Hack Actions

Beyond the immediate clean-up, several challenges persist: the attacker-created privileged accounts survive on devices, and a large number of devices remain under the attackers' control. This has prompted a series of actions aimed at understanding and mitigating the impact of this large-scale attack.

High-Privileged Account Continues to Exist on Device Post-Reboot

A significant implication of this attack is that the privileged accounts created by the attackers persist across a device reboot, because they are written into the device's saved configuration. The implant itself runs in memory and does not survive a reboot, but the accounts do, so rebooting or even patching a device does not evict the attackers: they can simply log back in with the account they created. Administrators need to audit the local accounts on every affected device, remove any they did not provision, and save the configuration so the removal also survives the next reboot.
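The account audit that the previous two sections call for (unexpected privilege-15 accounts, and which of them would come back after a reboot) can be scripted over the text of `show running-config` and `show startup-config`. The script below is an added example for this article, not a Cisco tool. The two configurations and the account names in them are constructed sample data; the only assumption it makes about the device is the standard IOS `username <name> privilege <n> ...` syntax, with privilege 1 as the default when no level is given.

```python
"""Find attacker-style privileged accounts in IOS / IOS XE configurations.

Added example, not Cisco's code. Sample configurations below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

USERNAME_LINE = re.compile(r"^username\s+(\S+)\s+(.*)$")
PRIV_LEVEL = re.compile(r"\bprivilege\s+(\d+)\b")
DEFAULT_PRIVILEGE = 1   # IOS default when 'privilege' is omitted
ADMIN_PRIVILEGE = 15    # full administrative rights


@dataclass(frozen=True)
class LocalUser:
    name: str
    privilege: int


@dataclass(frozen=True)
class Finding:
    user: LocalUser
    persists_on_reboot: bool   # True if the account is also in startup-config


def parse_local_users(config_text: str) -> Dict[str, LocalUser]:
    """Collect local users; IOS may spread one user over several 'username' lines."""
    users: Dict[str, LocalUser] = {}
    for raw in config_text.splitlines():
        m = USERNAME_LINE.match(raw.strip())
        if not m:
            continue
        name, rest = m.groups()
        lvl = PRIV_LEVEL.search(rest)
        level = int(lvl.group(1)) if lvl else DEFAULT_PRIVILEGE
        prev = users.get(name)
        if prev is not None:
            level = max(level, prev.privilege)   # highest level seen wins
        users[name] = LocalUser(name, level)
    return users


def audit(running_config: str, startup_config: str, expected_admins: Set[str]) -> List[Finding]:
    """Flag privilege-15 users not in the allow-list and say whether they survive a reboot."""
    running = parse_local_users(running_config)
    startup = parse_local_users(startup_config)
    findings: List[Finding] = []
    for name in sorted(set(running) | set(startup)):
        user = running.get(name) or startup[name]
        level = max(user.privilege, startup[name].privilege if name in startup else 0)
        if level >= ADMIN_PRIVILEGE and name not in expected_admins:
            findings.append(Finding(LocalUser(name, level), persists_on_reboot=name in startup))
    return findings


# Constructed sample data. 'netops' is the organisation's own admin; the other
# privilege-15 accounts were not provisioned by it. 'svc_probe' was removed from
# the running config but never saved, so it is still in startup-config.
RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed-hash-1
username readonly privilege 1 secret 9 $9$constructed-hash-2
username support_tmp privilege 15 secret 9 $9$constructed-hash-3
!
ip http secure-server
"""

STARTUP_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed-hash-1
username readonly privilege 1 secret 9 $9$constructed-hash-2
username support_tmp privilege 15 secret 9 $9$constructed-hash-3
username svc_probe privilege 15 secret 9 $9$constructed-hash-4
"""


def sample_audit() -> List[Finding]:
    return audit(RUNNING_CONFIG, STARTUP_CONFIG, expected_admins={"netops"})


if __name__ == "__main__":
    for f in sample_audit():
        where = "running AND startup" if f.persists_on_reboot else "running only"
        print(f"{f.user.name:12} privilege {f.user.privilege}  ({where})")
```

A finding marked `persists_on_reboot` is the case the section above warns about: deleting the account with `no username <name>` on the live device is not enough unless the configuration is then saved, and an account present only in the startup configuration will reappear at the next reload. The allow-list approach avoids depending on specific attacker-chosen names, which can change from one intrusion to the next.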

Thousands of Devices Still Under Attackers’ Control According to VulnCheck

According to VulnCheck, thousands of Cisco devices remain under the control of the still-unidentified attackers. With these devices, the attackers can intercept or manipulate traffic, disrupt services, and create serious security and business risks for the organisations that own them. This ongoing control underscores the scale of the incident and the need for robust defences.

Ongoing Efforts to Understand and Mitigate the Impact of This Cyber Attack

Efforts to fully understand and mitigate the impact of this attack are ongoing. Cisco, together with other security agencies and researchers, continues to investigate the incident, refine detection guidance, and help organisations secure affected devices. It remains crucial for organisations to apply the patches promptly, audit their devices for the published indicators of compromise, and stay abreast of the latest developments.

Reactionary Times News Desk

