A critical zero-day vulnerability in the web user interface of Cisco IOS XE software is under active exploitation, the company disclosed Monday.
Cisco warned that the vulnerability gives remote, unauthenticated attackers the ability to create accounts on an affected system, allowing the hacker to gain control over the system with privilege level 15 access, which means full access to all commands.
The company said the vulnerability affects Cisco IOS XE software if the web UI feature is enabled. No patch or workaround is available yet, so Cisco is urging customers to disable the HTTP Server feature on internet-facing systems.
“This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks and perform any number of man in the middle attacks,” Jacob Baines, CTO and lead researcher at VulnCheck, said in a blog post.
Scott Caveza, staff research engineer at Tenable, said an attacker with such a high level of access could modify network routing rules and open ports to access controlled servers and steal data.
The threat actor appears to have extensive knowledge of Cisco IOS XE, based on the threat activity involving both vulnerabilities, according to Caveza.
“It would appear this threat actor is well versed with Cisco IOS XE software and has tested this to verify that their attack chain works before deploying it against a target,” Caveza said.
Researchers from VulnCheck said they found thousands of implanted hosts after scanning the internet.
The Cybersecurity and Infrastructure Security Agency added CVE-2023-20198 to its Known Exploited Vulnerabilities Catalog.
Early warning
Researchers at Cisco Talos said they initially noticed potentially malicious activity on Sept. 28, when a case was opened at Cisco’s technical assistance center and suspicious activity was seen on a customer’s device, according to a Monday blog post.
After additional investigation, related activity was traced back to Sept. 18, when an authorized user created a local user account under the name "cisco_tac_admin" from a suspicious IP address, the researchers said.
By Oct. 12, Cisco Talos found an additional cluster of suspicious activity when an unauthorized user created an account under the name “cisco_support” from a different suspicious IP address, according to the blog.
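As an added example (not Cisco's or the researchers' code), the following Python audit reads an exported IOS XE running-config and flags the two conditions this article describes: the web UI (HTTP server) still enabled, and unexpected privilege-15 local accounts, including the two account names Talos reported. The config fragment, hostname and approved-user list are constructed for illustration.

```python
import re

# Constructed sample of an exported IOS XE running-config (hostname, users
# and secrets are placeholders, not from any real device).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-router-1
!
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
username readonly privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
"""

# Account names reported by Cisco Talos as created by the attacker.
REPORTED_ACCOUNT_NAMES = {"cisco_tac_admin", "cisco_support"}

# Commands that turn off the web UI, which is the mitigation Cisco advises.
REMEDIATION = ["no ip http server", "no ip http secure-server"]

# Only lines with an explicit privilege keyword are inspected; a 'username'
# line without one defaults to privilege 1 and is not of interest here.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)


def privileged_accounts(config: str) -> list[str]:
    """Local usernames configured with privilege level 15 (full access)."""
    return [name for name, level in USERNAME_RE.findall(config) if level == "15"]


def suspicious_accounts(config: str, approved: set[str]) -> list[str]:
    """Privilege-15 accounts not on the operator's approved list."""
    return [n for n in privileged_accounts(config) if n not in approved]


def web_ui_enabled(config: str) -> bool:
    """True if the HTTP or HTTPS server is on; 'no ip http ...' means off."""
    lines = {line.strip() for line in config.splitlines()}
    return "ip http server" in lines or "ip http secure-server" in lines


def audit(config: str, approved: set[str]) -> dict:
    """Summarise findings; 'remediation' is empty when the web UI is off."""
    web_on = web_ui_enabled(config)
    return {
        "web_ui_enabled": web_on,
        "unexpected_priv15": suspicious_accounts(config, approved),
        "matches_reported_names": sorted(set(privileged_accounts(config)) & REPORTED_ACCOUNT_NAMES),
        "remediation": REMEDIATION if web_on else [],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RUNNING_CONFIG, {"netops"}))
```

Any privilege-15 account outside the approved list, whether or not it matches the reported names, warrants the same review as the indicators Talos described.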
As part of the October activity, an implant, which included a configuration file, was deployed. The implant is written in the Lua programming language and consists of 29 lines of code that facilitate execution of arbitrary commands, the researchers said.
The hacker exploited an old vulnerability, CVE-2021-1435, to install the implant after gaining access to the device. This vulnerability allows an attacker to inject arbitrary commands that can be executed as a root user.
The implant was installed by an unknown mechanism on devices that were fully patched against CVE-2021-1435, Cisco Talos said.