Backdoor Implanted on Hacked Cisco Devices Modified to Evade Detection
Oct 24, 2023
Cyber Threat / Vulnerability
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods.

"Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set."

The attacks chain CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) into an exploit sequence that grants the threat actor the ability to gain access to the devices, create a privileged account, and ultimately deploy a Lua-based implant on the devices. In practice this means an earlier probe that elicited a reply from the implant will now come back looking like a clean device unless the request also carries the expected Authorization value, so scans that relied on the old response are producing false negatives.

The development comes as Cisco began rolling out security updates to address the issues, with more updates to come at an as-yet-undisclosed date.

The exact identity of the th...
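The fingerprinting change described above can be handled by probing a device twice, once without and once with the Authorization header, and comparing the two replies. The script below is an added example written for this page; it is not code from the article, Fox-IT or Cisco Talos. It assumes the probe path `/webui/logoutconfirm.html?logon_hash=1` from Talos's published check (the article does not state it), treats a short all-hex response body as the implant's reply (our own heuristic), and takes the Authorization value from the operator because the page does not give it.

```python
import re
import ssl
import urllib.error
import urllib.request

# Assumption: probe path taken from Cisco Talos's public detection guidance.
# It is not mentioned in the article above.
PROBE_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# Assumption: the original implant answered the probe with a short hex string.
# The exact format is not given on this page; "all hex, 16-64 chars" is our
# own heuristic for telling an implant reply from a normal login page.
IMPLANT_RE = re.compile(r"^[0-9a-fA-F]{16,64}$")


def looks_like_implant(body):
    """True if a response body matches the hex-string reply the implant sends."""
    return body is not None and IMPLANT_RE.match(body.strip()) is not None


def classify(body_without_header, body_with_header):
    """Label a device from its two probe responses.

    'old-variant': implant answers even without the Authorization header.
    'new-variant': implant answers only when the header is present.
    'no-response': neither probe produced an implant-style reply (clean, or
                   the header value we used was wrong).
    """
    if looks_like_implant(body_without_header):
        return "old-variant"
    if looks_like_implant(body_with_header):
        return "new-variant"
    return "no-response"


def http_post(url, headers):
    """POST an empty body; return the response text, or None on any error.

    Certificate verification is disabled because IOS XE web UIs usually
    present self-signed certificates; this is a probe, not a trust decision.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def probe_device(host, auth_value, fetch=http_post):
    """Run the probe without, then with, the Authorization header and classify.

    `auth_value` is the header value the modified implant expects (operator
    supplied, not given on this page). `fetch` is injectable so the decision
    logic can be exercised offline against canned responses.
    """
    url = "https://%s%s" % (host, PROBE_PATH)
    plain = fetch(url, {})
    authed = fetch(url, {"Authorization": auth_value})
    return classify(plain, authed)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <host> <authorization-header-value>")
    print(probe_device(sys.argv[1], sys.argv[2]))
```

The important caveat is the "no-response" result: it means only that this particular header value did not unlock the implant, not that the device is clean. A negative probe should be followed by the on-box checks Cisco recommends (reviewing the web UI configuration and looking for unexpected privilege-15 accounts) rather than treated as a clean bill of health.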