Edit note, October 24: Added a section covering the updates, including additional Indicators of Compromise (IOCs) and methods for detecting the updated implant code.
In recent days, a previously undisclosed vulnerability in Cisco’s IOS XE software has sent shockwaves across the cybersecurity community. The vulnerability, tracked as CVE-2023-20198, affects physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS Server feature enabled.
Cisco uncovered early indications of potentially malicious activity on September 28, 2023, when unusual behavior was detected on a customer device. Upon delving deeper, it traced a pattern of related activity back to as early as September 18. Initially, an authorized user created a local user account under the username “cisco_tac_admin” from a suspicious IP address. The saga continued into October, when another cluster of related activity was discovered. This time, an unauthorized user was spotted creating a local user account named “cisco_support” from a different suspicious IP address. Unlike the September incident, this cluster revealed a more sinister plot: the deployment of an implant consisting of a configuration file, marking a shift from mere account creation to establishing persistent access through the implant.
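One check that follows from the account-creation and HTTP-server details above, as an added example and not code from Cisco or from this article: a Python audit of a saved `show running-config` that flags the two usernames named here, any other local account outside an assumed operator allowlist, and whether the HTTP or HTTPS Server feature is enabled. The allowlist and the sample configuration are constructed for the example.

```python
import re

# Local usernames reported on this page as created by the attacker (IOCs).
IOC_USERNAMES = {"cisco_tac_admin", "cisco_support"}

# Hypothetical allowlist of local accounts an operator expects on the device.
EXPECTED_USERNAMES = {"netadmin"}

# "username <name> [privilege <n>] ..." lines in IOS XE running-config text.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
# "ip http server" / "ip http secure-server": the feature CVE-2023-20198 requires.
HTTP_RE = re.compile(r"^ip http (secure-)?server$", re.M)


def audit_running_config(config, expected=EXPECTED_USERNAMES):
    """Return a list of human-readable findings for one running-config."""
    findings = []
    for m in USERNAME_RE.finditer(config):
        name, priv = m.group(1), m.group(2)
        if name in IOC_USERNAMES:
            findings.append(f"IOC username present: {name}")
        elif name not in expected:
            detail = f" (privilege {priv})" if priv else ""
            findings.append(f"unexpected local account: {name}{detail}")
    enabled = HTTP_RE.findall(config)
    if enabled:
        names = ", ".join("ip http secure-server" if s else "ip http server"
                          for s in enabled)
        findings.append(f"HTTP server feature enabled: {names}")
    return findings


# Constructed sample: one expected account, one IOC account, both web servers on.
SAMPLE_CONFIG = """\
hostname edge-router
username netadmin privilege 15 secret 9 <hash-redacted>
username cisco_tac_admin privilege 15 secret 9 <hash-redacted>
ip http server
ip http secure-server
"""

if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_CONFIG):
        print(finding)
```

A clean device returns an empty list; review any "unexpected local account" finding against change records before treating it as an incident.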