In October 2023, Cisco revealed a severe vulnerability, CVE-2023-20198, affecting the Web User Interface of Cisco IOS XE software. Critical due to its potential impact, this flaw poses a significant risk to devices with the HTTP/S Server feature enabled, allowing attackers to create high-privilege user accounts.
The exploitation of CVE-2023-20198 began in September 2023, with adversaries notably creating user accounts under suspicious names like "cisco_tac_admin" and "cisco_support". These activities were traced to specific IP addresses, indicating targeted attacks. Furthermore, Cisco Talos uncovered an implant, deployed via “cisco_service.conf”, capable of executing arbitrary commands.
The vulnerability, classified as critical (CVSS score of 10), endangers both physical and virtual devices using Cisco IOS XE. The implant, written in Lua, allows attackers to execute commands at a high privilege level, though it is non-persistent and removed upon reboot. However, the created user accounts remain active, presenting an ongoing threat. The implant's analysis revealed its capability for extensive control over compromised devices.
In light of CVE-2023-20198's severity, Cisco urgently advises disabling the HTTP/S Server feature on affected systems. Vigilance is key - monitoring for unauthorized user accounts and unusual system activity is crucial for early detection and response. For those looking to deepen their defensive strategies, Cyborg Security's HUNTER Platform offers invaluable resources. Our free hunt packages, tailored to combat threats like CVE-2023-20198, provide actionable insights for enhanced security. Don’t have a HUNTER Community account yet?
Sign up for free today here and fortify your defenses against sophisticated cyber threats.
GET THE FREE HUNT PACKAGES!
CHECK OUT OTHER EMERGING THREATS >
Intel 471 discovered a new Android trojan, FvncBot, that masquerades as a security application for mBank, a major Polish bank. Our Malware Intelligence team analyzed its code, which is new and not based on other leaked malware code.
Lynx Ransomware is rapidly expanding, targeting organizations across North America and Europe with data theft and double extortion, backed by a growing network of skilled affiliates.
Threat actors are increasingly using methods to circumvent multifactor authentication, which poses a risk of account takeover. Here’s a briefing on some types of attacks and defenses to put in place.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.