Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection


The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods.

“Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check,” NCC Group’s Fox-IT team said. “Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set.”

The attacks entail fashioning CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) into an exploit chain that grants the threat actor the ability to gain access to the devices, create a privileged account, and ultimately deploy a Lua-based implant on the devices.

Read more…