Hackers Exploit Zero-Day Flaw to Compromise Tens of Thousands of Cisco Devices

Researchers warn that hackers exploited an unpatched zero-day flaw in Cisco network software to compromise tens of thousands of devices.

On Monday, Cisco issued an advisory warning that hackers were actively exploiting a critical security flaw in IOS XE, the software that powers the company’s entire line of network devices. Cisco said the bug was discovered in the IOS XE web-based administration interface and could be exploited when an affected device is exposed to the internet.

The list of Cisco IOS XE devices includes enterprise switches, wireless controllers, access points, and industrial routers that corporations and smaller organizations use to manage their network security.

In a separate blog post, Cisco’s Talos Threat Intelligence division said as yet unidentified attackers have been exploiting the flaw — known as a zero-day, a type of vulnerability discovered by attackers before the vendor could patch it — since at least Sept. 18. Cisco Talos said successful exploitation gives the attacker “full control over the infected device,” enabling “possible subsequent unauthorized activity” on the victim’s corporate network.

Cisco has not yet commented on the scale of the attack.

However, Censys, a search engine for internet-connected devices and resources, says it has seen nearly 42,000 compromised Cisco devices as of October 18, noting a “sharp increase” in infections compared to the previous day.

In its analysis of the vulnerability, Censys says that most of the infected devices are located in the United States, followed by the Philippines and Mexico. Censys says that hackers are targeting telecommunications companies that offer internet services to both homes and businesses.

“As a result, the primary targets of this vulnerability are not large corporations but smaller entities and individuals that are more susceptible,” Censys researchers said.

No fix for zero-day

Cisco has not yet released a patch for the zero-day vulnerability, which has a maximum severity rating of 10.0. Cisco spokeswoman Alyssa Martin, representing the company through an outside agency, told TechCrunch that the company is “continuously working to provide a software fix,” but declined to say when a patch would be available.

It’s not yet known how many devices are potentially vulnerable, but Cisco said in its advisory that the zero-day attack affects both physical and virtual devices running IOS XE software that have the HTTP or HTTPS server feature enabled. Instead of a patch, Cisco “strongly” recommends customers disable the HTTP server feature on all internet-facing systems.
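As an added example, not code from the article or from Cisco, the following script audits saved IOS XE running-config text for the HTTP and HTTPS server feature the advisory says to disable, and prints the configuration-mode commands needed to turn it off. The two sample configurations are constructed for illustration; the `ip http server` / `ip http secure-server` lines and their `no` forms are the standard IOS XE syntax, while the hostnames and addresses are made up.

```python
import re

# Constructed sample: an IOS XE running-config excerpt with the web UI enabled.
# Hostname and address are made up for this example.
SAMPLE_CONFIG_EXPOSED = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet1
 description UPLINK to ISP
 ip address 203.0.113.10 255.255.255.0
!
"""

# Constructed sample: the same feature explicitly disabled.
SAMPLE_CONFIG_HARDENED = """\
hostname core-sw-02
!
no ip http server
no ip http secure-server
!
"""


def hostname_of(config):
    """Return the 'hostname' value from a running-config, or 'unknown'."""
    m = re.search(r"^hostname\s+(\S+)", config, re.MULTILINE)
    return m.group(1) if m else "unknown"


def http_server_state(config):
    """Report whether the HTTP and HTTPS server features are enabled.

    Returns {'http': bool|None, 'https': bool|None}. True means the
    feature line is present, False means its 'no' form is present, and
    None means neither appears in the text, so the state could not be
    determined from this excerpt and must be checked on the device.
    """
    state = {"http": None, "https": None}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
    return state


def remediation_commands(state):
    """Config-mode commands that disable anything not confirmed off.

    An unknown (None) state is treated as enabled, so the operator gets
    the command rather than a silent pass.
    """
    cmds = []
    if state["http"] is not False:
        cmds.append("no ip http server")
    if state["https"] is not False:
        cmds.append("no ip http secure-server")
    return cmds


def audit(configs):
    """Map hostname -> remediation commands for every config that needs work."""
    findings = {}
    for cfg in configs:
        cmds = remediation_commands(http_server_state(cfg))
        if cmds:
            findings[hostname_of(cfg)] = cmds
    return findings


if __name__ == "__main__":
    for host, cmds in audit([SAMPLE_CONFIG_EXPOSED, SAMPLE_CONFIG_HARDENED]).items():
        print(f"{host}: web UI enabled or unverified; apply:")
        for c in cmds:
            print(f"    {c}")
```

The script only reads configuration text, so it can be run against a directory of backed-up configs without touching any device. It cannot tell from the config alone which devices are internet-facing, which is the set Cisco’s advisory singles out, so the output is a worklist for the operator rather than a verdict; devices whose state comes back unknown should be checked directly before being treated as safe.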

It is also unclear who is exploiting this vulnerability. Cisco Talos said that after discovering the initial zero-day use in September, it observed activity on October 12 that it believed was carried out by the same entity. “The first cluster was likely an initial attempt by the actor to test its code, while the October activity appears to show that the actor has expanded its efforts to establish persistent access by deploying an implant,” Cisco says.

Cisco warned that as-yet-unidentified attackers also exploited a previous vulnerability, CVE-2021-1435, which Cisco patched in 2021, to install the implant once they gained access to the device.

“We also saw devices fully protected against CVE-2021-1435 in which the implant was successfully installed via an as-yet-unknown mechanism,” the researchers said.

In addition to disabling HTTP server functionality, Cisco urged administrators of potentially affected devices to immediately scan their networks for signs of compromise. CISA, the U.S. government’s cybersecurity agency, is also calling on federal agencies to implement mitigation measures by October 20.