Catalin Cimpanu writes:
Over the past three days—since our last newsletter edition—the situation around the latest zero-day attacks targeting Cisco IOS XE devices has drastically changed, and we feel the need to cover it in our featured section and provide a short summary of what has been going on.
Although these attacks have been taking place since at least September 28, news of this campaign came out last Monday, on October 16, when Cisco revealed the existence of a zero-day tracked as CVE-2023-20198 in the web administration panel of its IOS XE operating system.
The zero-day allowed threat actors to create an admin account with the highest level of privileges on devices that had their WebUI panel exposed on the internet.
The investigation that continued throughout last week revealed the presence of a second zero-day that allowed the attackers to use the admin account they created to inject commands into the IOS XE filesystem that would execute with root privileges.
Read more on Catalin’s Risky Biz Newsletter. If you’re not already a subscriber, you’re missing out on a fantastic (and currently still free) resource. Subscribe today.