
CVE-2023-20198: Cisco IOS XE Software Web UI Exploitation

19/10/2023 | Prepared by: Brecht Snijders, Principal Security Consultant 

Purpose 

The purpose of this alert is to address the recently disclosed CRITICAL risk vulnerability in the Cisco IOS XE software and the associated internet-wide campaign to compromise internet-facing Cisco routers with the Cisco IOS XE web UI feature enabled.  

Due to the Common Vulnerability Scoring System (CVSS) score of 10 and the discovery of a Threat Actor (TA) campaign utilising the vulnerability to compromise large numbers of affected devices, the Triskele Labs team advises that all organisations check for the presence of Indicators of Compromise (IOC) on any devices running the Cisco IOS XE software with the web UI feature enabled.

Details 

On October 16th, 2023, Cisco announced that it is aware of active exploitation of a previously unknown vulnerability in the web UI component of the Cisco IOS XE software. The vulnerability allows a remote, unauthenticated attacker to create a new account on the system with privilege level 15 access, resulting in a compromise of the device.  

The active exploitation campaign has affected large numbers of internet-facing Cisco routers with the web UI feature enabled, where the TA has deployed a new user account and installed an implant capable of executing commands on the system.

Detection Capabilities 

Organisations can check for the presence of the implant by executing the following command from a system with network access to the Cisco device: 

Linux / MacOS 

curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"

Windows 

Invoke-RestMethod -Uri "https://systemip/webui/logoutconfirm.html?logon_hash=1" -Method POST 
 
Invoke-RestMethod -Uri "http://systemip/webui/logoutconfirm.html?logon_hash=1" -Method POST 

If this request returns an 18-character hexadecimal string, the implant is present.  

To check for the presence of a user account added by the TA, check the system logs for the presence of any of the following log messages where user could be cisco_tac_admin, cisco_support or any configured, local user that is unknown to the network administrator: 

  • %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line 
  • %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023 

If any of the above log messages contain usernames that are unknown to the network administrator, the account may have been created by the TA.
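The two checks above (the implant response test and the log review for unknown web UI accounts) can be automated. The following is an added example, not code from the original alert or from Cisco: it classifies the body returned by the curl / Invoke-RestMethod request, and scans exported IOS XE syslog lines for the two message types named above, flagging any username that is either one of the TA-associated names or absent from the administrator's list of known local users. The log lines, the IP addresses and the known-user list are constructed sample data; the timestamp prefix on each line is an assumption about export format and is ignored by the matching.

```python
import re

# The advisory states the implant check returns an 18-character hexadecimal
# string when the implant is present. Anchored so that a normal HTML page,
# a redirect body or an empty response does not match.
IMPLANT_RESPONSE_RE = re.compile(r"^[0-9a-fA-F]{18}$")

# Log message formats from the advisory. Both capture the username; the
# WEBLOGIN message also carries the source IP of the login.
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http "
    r"from console as (?P<user>\S+) on line"
)
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]"
)

# Account names the advisory associates with the TA campaign.
TA_ACCOUNT_NAMES = {"cisco_tac_admin", "cisco_support"}


def implant_response_indicates_compromise(body: str) -> bool:
    """True if the logoutconfirm.html response body is an 18-char hex string."""
    return bool(IMPLANT_RESPONSE_RE.match(body.strip()))


def find_suspicious_logins(log_lines, known_users):
    """Return one finding per CONFIG_P / WEBLOGIN_SUCCESS line whose user is
    a TA-associated name or is not in the administrator's known_users set."""
    findings = []
    for line in log_lines:
        for kind, pattern in (("CONFIG_P", CONFIG_P_RE),
                              ("WEBLOGIN_SUCCESS", WEBLOGIN_RE)):
            match = pattern.search(line)
            if not match:
                continue
            user = match.group("user")
            if user in TA_ACCOUNT_NAMES:
                reason = "account name associated with the TA campaign"
            elif user not in known_users:
                reason = "user not in the administrator's known local users"
            else:
                continue  # known, expected account: not a finding
            findings.append({
                "type": kind,
                "user": user,
                "source": match.groupdict().get("src"),
                "reason": reason,
                "line": line,
            })
    return findings


# Constructed sample log export (not real device output). Only the 'netadmin'
# account is on the administrator's known list in the usage below.
SAMPLE_LOGS = [
    "*Oct 11 03:42:13.100: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as cisco_tac_admin on line",
    "*Oct 11 03:42:13.500: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: cisco_tac_admin] [Source: 198.51.100.7] at 03:42:13 UTC Wed Oct 11 2023",
    "*Oct 11 08:15:02.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: netadmin] [Source: 10.0.0.5] at 08:15:02 UTC Wed Oct 11 2023",
    "*Oct 11 09:01:44.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: backup_ops] [Source: 192.0.2.9] at 09:01:44 UTC Wed Oct 11 2023",
    "*Oct 11 09:02:00.000: %SYS-5-CONFIG_I: Configured from console by netadmin "
    "on vty0 (10.0.0.5)",
]

if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOGS, known_users={"netadmin"}):
        print(f"[{finding['type']}] user={finding['user']} "
              f"source={finding['source']} reason={finding['reason']}")
```

Feed `find_suspicious_logins` the exported log of each device together with that device's real list of configured local users; a login from a known account still appears as a finding if the name is one of the two TA-associated names, since an administrator would not normally have created them.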

Mitigation Actions 

It is strongly recommended that customers disable the HTTP Server feature on all internet-facing systems.

To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. 

Triskele Labs DefenceShield customers with Assess (our Vulnerability Scanning service) are currently being assessed.

All customers with our Monitor (our 24x7x365 SIEM) are - as always - being monitored for IOCs and Lateral Movement. 

References 

References used for the generation of this release: