Hackers update Cisco IOS XE backdoor to hide infected devices (Security News, October 2023)
The number of Cisco IOS XE devices detected with a malicious backdoor implant has plummeted from over 50,000 impacted devices to only a few hundred after the attackers updated the backdoor to hide infected systems from scans.
This week, Cisco warned that hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to compromise over 50,000 Cisco IOS XE devices, create privileged user accounts, and install a malicious Lua backdoor implant.
On Saturday, multiple cybersecurity organizations reported that the number of Cisco IOS XE devices with a malicious implant had mysteriously dropped from approximately 60,000 devices to only 100-1,200, depending on the scan.
Update 10/23/23: Today, cybersecurity firm Fox-IT explained that the sudden drop in detected implants was caused by the threat actors rolling out a new version of the backdoor on Cisco IOS XE devices.
Cisco Talos confirmed the change in updated advisories [1, 2], sharing a new curl command that can detect the implant on backdoored Cisco IOS XE devices.
Once the researchers updated their scans to send the new 'Authorization' header, the scans showed that there are now 37,890 Cisco IOS XE devices infected with the malicious backdoor implant.
Related news
- Brave: Sharp increase in installs after iOS DMA update in EU
- Opera sees big jump in EU users on iOS, Android after DMA update
- XZ Utils backdoor update: Which Linux distros are affected and what can you do?
- Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
- Hackers Target Middle East Governments with Evasive "CR4T" Backdoor
- Hackers hijack antivirus updates to drop GuptiMiner malware
- eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners
- ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
- Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
- State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage
Related vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS score) |
|---|---|---|---|---|
| 2023-10-25 | CVE-2023-20273 | Unspecified vulnerability in Cisco IOS XE | A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. | 7.2 |
| 2023-10-16 | CVE-2023-20198 | Unspecified vulnerability in Cisco IOS XE | Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. | 10.0 |