Cisco devices compromised through the exploitation of zero-day flaws in IOS XE software face an escalated threat: the backdoor implant has been subtly altered to evade detection.
Researchers from NCC Group's Fox-IT team found that the threat actor modified the implant so that it responds only when a request carries the correct Authorization HTTP header. The original fingerprinting check, an unauthenticated POST to the web UI, therefore no longer elicits a response, making compromised devices much harder to identify from the outside. The attacks chain CVE-2023-20198, used for initial access to create a privileged local account, with CVE-2023-20273, used to escalate to root, which gives the threat actor the ability to infiltrate devices, establish privileged accounts, and deploy Lua-based implants.
In response to these critical vulnerabilities, Cisco initiated the release of security updates to address the issues, with further updates planned for the future. The exact identity of the threat actor remains unknown, though thousands of devices are believed to have been affected.
Recently, the number of devices that respond to the public check dropped sharply, which initially looked like remediation but is better explained by the threat actor changing the implant to conceal its presence. Cisco acknowledged the change in its advisory and published an updated curl command, carrying the required Authorization header, that users can run to determine whether the implant is present on their devices.
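The following is an added example, not code from the article or from Cisco, showing how a practitioner might wrap the header-gated implant check into a small scanner with a separable classification step. It assumes the probed path is the web UI logout endpoint used in Cisco's advisory, leaves the Authorization value as a placeholder to be filled in from the advisory rather than hard-coding it here, and treats a bare hexadecimal reply as the implant's response (the advisory describes the implant answering with a hex string; any other body is classified as no implant response, which is an assumption of this script).

```shell
#!/bin/sh
# Added example (not the article's or Cisco's code). Probes IOS XE web UIs
# for the header-gated implant and classifies the reply.
#
# Assumptions:
#  - The path below is the web UI endpoint used in Cisco's advisory.
#  - IMPLANT_AUTH must be set to the Authorization value from the advisory;
#    the placeholder here is not a real value.
#  - The implant answers with a bare hex string; anything else is "clean".

IMPLANT_AUTH="${IMPLANT_AUTH:-REPLACE_WITH_VALUE_FROM_CISCO_ADVISORY}"
PROBE_PATH="/webui/logoutconfirm.html?logon_hash=1"

# classify_response BODY
# Prints one of: no-response, implant, clean. Always returns 0 so it can be
# used safely under `set -e` and inside command substitutions.
classify_response() {
    body=$(printf '%s' "$1" | tr -d '\r\n\t ')
    if [ -z "$body" ]; then
        echo "no-response"
        return 0
    fi
    # A bare hexadecimal token is taken as the implant's identifier reply.
    if printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]{8,64}$'; then
        echo "implant"
        return 0
    fi
    # HTML, JSON or any other content is assumed to be a normal web UI reply.
    echo "clean"
    return 0
}

# probe_device IP
# Sends the header-gated POST and prints "IP verdict". The -k flag accepts
# the device's self-signed certificate; -m bounds the wait per host.
probe_device() {
    ip="$1"
    body=$(curl -ks -m 10 \
        -H "Authorization: $IMPLANT_AUTH" \
        -X POST "https://$ip$PROBE_PATH" 2>/dev/null || true)
    verdict=$(classify_response "$body")
    echo "$ip $verdict"
}

# scan_devices IP [IP ...]
# Probes each host in turn; a "no-response" verdict only means the implant
# did not answer, not that the device was never compromised. Accounts created
# through CVE-2023-20198 persist and must be audited separately.
scan_devices() {
    for ip in "$@"; do
        probe_device "$ip"
    done
}

# Run only when hosts are given on the command line, e.g.:
#   IMPLANT_AUTH=<value from advisory> sh scan.sh 192.0.2.10 192.0.2.11
if [ "$#" -gt 0 ]; then
    scan_devices "$@"
fi
```

Treat a "clean" or "no-response" verdict as the absence of an implant reply, not as proof the device was never exploited: the implant is memory-resident, but the privilege-15 account created during initial access survives, so a device that passes this probe still needs its local user list and logs reviewed.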