2023-10-17

Cisco has warned of a serious, still unpatched security flaw affecting its IOS XE software that is being actively exploited in the wild.

What is the problem detected by Cisco?

Rooted in the web user interface feature, this zero-day vulnerability is tracked as CVE-2023-20198 and received the highest severity rating of 10.0 in the CVSS scoring system.

It is important to highlight that this vulnerability only affects enterprise network equipment that has the web UI feature enabled and is exposed to the Internet or to untrusted networks.

“This vulnerability allows an unauthenticated, remote attacker to create an account on an affected system with level 15 access,” Cisco stated in an advisory published on Monday, adding: “The attacker can then use that account to gain control of the affected system.”

The problem affects both physical and virtual devices that run Cisco IOS XE software and have the HTTP or HTTPS server feature enabled. As a mitigation, Cisco recommends disabling the HTTP server feature on systems exposed to the Internet.

The major networking equipment maker said it discovered the problem after detecting malicious activity on an unidentified customer’s device as early as September 18, 2023, in which an unauthorized user created a local user account named “cisco_tac_admin” from a suspicious IP address. The unusual activity ended on October 1, 2023.

In a second cluster of related activity detected on October 12, 2023, an unauthorized user created a local user account named “cisco_support” from a different IP address.

This is believed to have been followed by a series of actions that led to the installation of a Lua-based implant, which allows an attacker to execute arbitrary commands at the system level or at the IOS level.

The implant is installed by exploiting CVE-2021-1435, a now-patched flaw affecting the web UI of Cisco IOS, as well as a yet-to-be-determined mechanism in cases where the system is fully patched against CVE-2021-1435.

“For the system to become active, the web server needs to be restarted; in at least one observed case, the server was not rebooted, so the implant never became active despite having been installed,” Cisco stated.

The backdoor, saved at the path “/usr/binos/conf/nginx-conf/cisco_service.conf”, is not persistent, which means it will not survive a device reboot; however, it must be said that the rogue privileged accounts that were created remain active.
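The two defender-side checks this report implies, whether the web server is enabled (the mitigation above) and whether unexpected privilege-15 local accounts such as “cisco_tac_admin” or “cisco_support” exist, can be run over a saved `show running-config`. The script below is an added example, not Cisco’s code or tooling; the configuration excerpt is constructed, and `no ip http server` / `no ip http secure-server` are the standard IOS XE commands that disable the web server.

```python
import re

# Constructed sample: an excerpt in the style of `show running-config` from a
# Cisco IOS XE device (not the configuration of any real device).
SAMPLE_CONFIG = """\
!
username admin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_support privilege 15 secret 9 $9$PLACEHOLDER
username netops privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Local account names that Cisco reported in the CVE-2023-20198 intrusions.
SUSPICIOUS_NAMES = {"cisco_tac_admin", "cisco_support"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def audit_config(config_text):
    """Summarise web UI exposure and privilege-15 local accounts in a config."""
    http_on = https_on = False
    level15 = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip http server":        # the disabled form is "no ip http server"
            http_on = True
        elif line == "ip http secure-server":
            https_on = True
        m = USERNAME_RE.match(line)
        if m and int(m.group(2)) == 15:
            level15.append(m.group(1))
    # Standard IOS XE commands that turn the web server off (Cisco's mitigation).
    remediation = []
    if http_on:
        remediation.append("no ip http server")
    if https_on:
        remediation.append("no ip http secure-server")
    return {
        "web_ui_enabled": http_on or https_on,
        "level15_accounts": level15,
        "suspicious_accounts": sorted(n for n in level15 if n in SUSPICIOUS_NAMES),
        "remediation": remediation,
    }


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Because the implant itself does not survive a reboot while the accounts do, reviewing the account list is the check that remains meaningful after a device has been restarted.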

Cisco attributed the two sets of activity, presumably, to the same attacker (or group of attackers), although the exact origins of this individual (or these individuals) are currently uncertain.

“The first cluster of activity could represent the attacker’s initial attempt and testing of their code, while the October activity seems to indicate that the author [of the attack exploiting the flaw] is expanding their operations to include persistent access through the installation of the implant,” the company said.

This development prompted the United States Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert and add the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

In April 2023, the UK and US cybersecurity and intelligence agencies warned of state-sponsored campaigns targeting network infrastructure worldwide.

Cisco ultimately concluded that routing and switching devices are a “perfect target for an attacker who wants to stay hidden and have access to important intelligence capabilities, as well as a foothold in a targeted network.”