Cisco has shed more light on speculation that has gathered around a sudden drop in the number of hosts known to have been infected with a malware implant delivered through two zero-day vulnerabilities in its IOS XE software platform.
Late last week, scans conducted by threat researchers found many tens of thousands of hosts had been compromised, but over the weekend these numbers fell dramatically.
This prompted much discussion in the security community as to whether or not the unnamed threat actor behind the intrusions was moving to cover their tracks in some way, or whether they had somehow screwed up their operation.
In an update published on Monday 23 October, Cisco’s Talos research unit said it had now observed a second version of the malicious implant – deployed using the first version – which retains most of the same functionality but now includes a preliminary check for an HTTP authorisation header.
“The addition of the header check in the implant by the attackers is likely a reactive measure to prevent identification of compromised systems,” explained the Talos team.
“This header check is primarily used to thwart compromise identification using a previous version of the curl command provided by Talos. Based on the information assessed to date, we believe the addition of the header check in the implant likely resulted in a recent sharp decline in visibility of public-facing infected systems.
“We have updated the curl command listed under our guidance advisory to help enable identification of implant variants employing the HTTP header checks,” they added.
Cisco continues to recommend that IOS XE users immediately implement its previously-published guidance, which still stands, and deploy the fixes outlined in its advisory, which became available on 22 October.
Meanwhile, the UK’s National Cyber Security Centre (NCSC) confirmed on 23 October that it was supporting a number of UK-based organisations known to have been affected, and was continuing to monitor the developing impact of the issues.
The NCSC is recommending following Cisco’s advice, paying particular attention to four priority actions:
- Check for compromise using the detection methods and indicators of compromise (IoCs) from Cisco;
- If affected (and UK-based), report this to the NCSC immediately;
- Disable the HTTP server feature or restrict access to trusted networks on all internet-facing devices;
- Upgrade to the latest version of Cisco IOS XE.
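As an added illustration of the third action above (not taken from Cisco's advisory or the NCSC guidance), the IOS XE configuration below shows the exposed default beside the two hardened alternatives; the ACL name and the 10.0.0.0/24 management range are assumed values.

```cisco
! --- Weak: web UI reachable on every interface, including internet-facing ones ---
! Check what is currently enabled; both lines present means HTTP and HTTPS UI are on
show running-config | include ip http
ip http server
ip http secure-server

! --- Option A: disable the web UI entirely (preferred where it is not needed) ---
configure terminal
 no ip http server
 no ip http secure-server
end
write memory

! --- Option B: keep the HTTPS UI, but only for a trusted management range ---
! Assumed: management hosts live in 10.0.0.0/24; substitute your own range
configure terminal
 ip access-list standard WEBUI-MGMT-ONLY
  permit 10.0.0.0 0.0.0.255
  deny any
 exit
 no ip http server
 ip http secure-server
 ip http access-class ipv4 WEBUI-MGMT-ONLY
end
write memory
```

Neither option removes an implant that is already present, so the compromise check in the first action still has to be run on every device.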
Network devices becoming popular targets
Jamie Brummell, chief technology officer at managed security services provider (MSSP) Socura, said that the targeting of Cisco appliances by malicious actors reflected broader trends and themes in the threat landscape.
“The Cisco zero-day continues the theme of threat actors targeting network appliances as a substitute for end-user devices. They are being forced to find alternatives to computers, smartphones and other employee devices which increasingly have EDR/EPP agents deployed,” he said.
“Network appliances, once exploited, are largely unprotected and their system logs are rarely monitored. They are often publicly accessible and have privileged access to the internal network. Even worse – especially with a router – they can be used to intercept or redirect traffic.
“Targeting a major company, like Cisco, could give attackers access to tens of thousands of endpoints. Good practice is to ensure access is limited to trusted sources, but in this case the exploitable web interface is enabled by default,” he added.