40,000 Cisco IOS devices infected

Over 40,000 Cisco devices using the IOS XE operating system have been compromised due to the exploitation of CVE-2023-20198, a recently disclosed critical vulnerability. Regrettably, there are no available patches or workarounds at this time. To secure affected devices, the recommended action is to disable the HTTP Server feature on all internet-facing systems.

HUNDRED THOUSAND CISCO DEVICES ATTACKED

Mirza

10/24/2023

These compromised Cisco devices encompass a range of networking equipment, including enterprise switches, industrial routers, access points, wireless controllers, aggregation devices, and branch routers.

Initial estimates put the number of compromised devices at approximately 10,000, but the figure has risen as security researchers ran broader internet scans to establish the true count.

On Tuesday, the LeakIX engine for indexing exposed services and web applications reported the discovery of around 30,000 infected devices, excluding those that had been rebooted. This scan relied on Cisco's provided indicators of compromise (IoCs) to identify successful exploitation, revealing numerous infected hosts in the United States, the Philippines, and Chile.

Concurrently, the private CERT from Orange disclosed on Wednesday that more than 34,500 Cisco IOS XE IP addresses exhibited a malicious implant, stemming from the exploitation of CVE-2023-20198. CERT Orange also released a Python script to scan for this implant on network devices running Cisco IOS XE.

In an update on October 18, the Censys platform reported an increase in compromised devices to 41,983. However, pinpointing the precise number of publicly accessible Cisco IOS XE devices is challenging. Shodan reveals a total of just over 145,000 hosts, with the majority in the United States.

Security researcher Yutaka Sejiyama found close to 90,000 Cisco IOS XE devices exposed on the web through Shodan scans. Notably, a significant portion of these devices belongs to communication providers and a diverse range of institutions, including medical centers, universities, law enforcement agencies, schools, convenience stores, banks, hospitals, and government entities.

To reduce exposure to this vulnerability, experts stress that the IOS XE web UI login page must not be reachable from the public internet. Many organizations may be unaware that their devices are exposed, which makes following the recommended security practices all the more important.

Although rebooting a device removes the malicious implant, the accounts created by the attackers persist and retain full administrator privileges. The threat actors continue their activity by collecting device details, conducting reconnaissance, and clearing logs.
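The two defensive steps this post calls for, disabling the HTTP Server feature on internet-facing devices and checking for administrator accounts that survive a reboot, can be turned into a small offline audit of a device's running configuration. The Python below is an added example; it is not code from this post, from Cisco, or from the CERT Orange scanner. The configuration text and the account names in it are constructed, and the `expected_admins` allow-list is an assumption that the operator supplies. The audit flags `ip http server` and `ip http secure-server` (the `no ip http server` / `no ip http secure-server` commands are how the feature is switched off on IOS XE) and any privilege-15 local account that is not on the allow-list, so that unexpected accounts can be investigated rather than overlooked after a reboot.

```python
import re
from typing import Dict, List, Set

# Constructed sample of an IOS XE running-config excerpt; not taken from a real device.
# "svc_backup7" stands in for an account an operator does not recognise.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username svc_backup7 privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Lines that enable the web UI (plain HTTP and HTTPS variants).
HTTP_RE = re.compile(r"^ip http (secure-)?server$", re.MULTILINE)
# Local accounts with the highest privilege level.
USER_RE = re.compile(r"^username (\S+) privilege 15\b", re.MULTILINE)


def audit_config(config: str, expected_admins: Set[str]) -> Dict[str, List[str]]:
    """Return findings and the IOS XE commands that disable the web UI.

    Findings list every web-UI enable line and every privilege-15 account
    absent from `expected_admins`. Remediation only contains the HTTP-server
    commands: unexpected accounts are reported for investigation, because
    deleting them before evidence is preserved would destroy useful artefacts.
    """
    findings: List[str] = []
    remediation: List[str] = []

    for match in HTTP_RE.finditer(config):
        line = match.group(0).strip()
        findings.append(f"web UI enabled: '{line}'")
        remediation.append(f"no {line}")

    for match in USER_RE.finditer(config):
        user = match.group(1)
        if user not in expected_admins:
            findings.append(
                f"unexpected privilege-15 account '{user}': "
                "preserve config and logs, then review before removal"
            )

    return {"findings": findings, "remediation": remediation}


if __name__ == "__main__":
    # The allow-list is an assumption; a real audit pulls it from the CMDB or IAM records.
    result = audit_config(SAMPLE_CONFIG, expected_admins={"netadmin"})
    for item in result["findings"]:
        print("FINDING:", item)
    for cmd in result["remediation"]:
        print("REMEDIATE:", cmd)
```

Run it against a saved `show running-config` export rather than over a live session, so that the configuration can be kept as evidence alongside the finding. A clean device yields an empty findings list, which makes the function easy to wire into a fleet-wide check.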

While it is believed that a single threat actor is behind these attacks, the initial delivery mechanism remains undetermined. Cisco has pledged to provide further information as its investigation progresses and when a fix becomes available.
