Global Gadgets Gone Rogue: Cisco’s Cooky Hacker Cooking up a Cyber-Storm

The Cisco IOS XE hacker exploits are like a culinary world tour with a dash of mystery. Picture a chef, swapping spatulas for backdoors, seasoning 42,000 devices worldwide with malicious code. A two-pronged attack: fresh vulnerability CVE-2023-20273 and a side of CVE-2021-1435. A recipe for chaos, served with a side of comedic irony.

Hot Take:

Well, well, well, someone’s been busy. A hacker with more time on their hands than they know what to do with has decided to go on a worldwide tour, installing backdoors on Cisco devices like they’re dropping off postcards. And what’s more, they’ve got style – instead of just exploiting a single vulnerability, they’re using a two-pronged attack. It’s like they’re cooking up a five-star hacking dinner while the rest of us are still figuring out how to boil an egg.

Key Points:

  • A sneaky hacker has been busy exploiting the web user interface in Cisco IOS XE, installing malicious backdoors in an estimated 42,000 devices globally.
  • Our mystery guest used a two-pronged attack, exploiting a separate component of the web UI feature and then using that to write an implant into the file system. They even managed to find a second vulnerability to do it with.
  • One of the vulnerabilities, known as CVE-2023-20273, is fresh on the scene, while the other, CVE-2021-1435, is a bit of an old hat and not associated with these attacks.
  • Cisco says if you’re worried about an uninvited guest, you can disable the HTTP feature until they roll out a fix.
  • The hacker first got busy on Sept. 18, but Cisco only noticed something was up on Sept. 28. There was another flurry of activity on Oct. 12, which they think is from the same actor.

Need to know more?

The Hacking World Tour

Our mystery hacker has been spreading their wings, exploiting the web user interface in Cisco IOS XE and installing malicious backdoors in an estimated 42,000 devices worldwide. It's a bit like they're on a world tour, but instead of playing gigs, they're leaving behind a trail of hacked devices.

A Two-Pronged Attack

Now, this isn't your run-of-the-mill hack. Our perpetrator used a two-pronged attack, exploiting a separate part of the web UI feature to get a toehold, then using that to implant a little something into the file system. It's a bit like breaking into a house, then leaving behind a spare key for later.

Vulnerability VIPs

Our hacker didn't just exploit any old vulnerability – they went for a new one, known as CVE-2023-20273. There's also an older vulnerability in the mix, CVE-2021-1435, but it's not involved in these attacks. It's like they're a celebrity chef, only using the freshest ingredients for their hacking recipe.

Locking the Door

Cisco's advice to worried device owners is to disable the HTTP feature until they can get a fix out. It's a bit like telling you to lock your front door while they work on getting a better security system installed.
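As an added illustration of the mitigation above (example code written for this page, not from the original post or from Cisco), a small audit that reads a running-config excerpt, reports whether the web UI's HTTP and HTTPS listeners are enabled and whether an access class restricts them, and emits the commands that turn the listeners off; the hostname and config text are constructed.

```python
"""Audit a Cisco IOS XE running-config excerpt for the web UI (HTTP server) feature.

Added example, not code from the original post or from Cisco. The config
below is constructed; the commands it recognizes (ip http server,
ip http secure-server, ip http access-class) are standard IOS/IOS XE commands.
"""
import re

# Constructed sample "show running-config" excerpt for a hypothetical device.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# "ip http server" / "ip http secure-server", optionally negated with "no".
HTTP_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$")
# "ip http access-class ..." limits which sources may reach the web UI.
ACL_RE = re.compile(r"^ip http access-class\s+(.+)$")


def audit_web_ui(config: str) -> dict:
    """Return whether HTTP/HTTPS listeners are on and any access-class restriction."""
    state = {"http": False, "https": False, "access_class": None}
    for raw in config.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m:
            key = "http" if m.group(2) == "server" else "https"
            state[key] = m.group(1) is None  # a leading "no" disables the listener
            continue
        m = ACL_RE.match(line)
        if m:
            state["access_class"] = m.group(1).strip()
    return state


def remediation(state: dict) -> list:
    """Config commands that apply Cisco's interim advice: turn the web UI off."""
    cmds = []
    if state["http"]:
        cmds.append("no ip http server")
    if state["https"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    found = audit_web_ui(SAMPLE_CONFIG)
    print(found)
    print("\n".join(remediation(found)))
```

Disabling the HTTP server also removes any management function that depends on it, so confirm the device is not administered through the web UI before applying the commands.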

The Unseen Threat

The hacker first started their spree on Sept. 18, but Cisco didn't pick up on it until Sept. 28. They also noticed a second flurry of activity on Oct. 12. The identity of the hacker is still unknown, like a ghost in the machine, leaving behind a trail of chaos in their wake.