Unidentified attackers breach tens of thousands of Cisco devices | CyberScoop<\/title> <meta name=\"description\" content=\"Attackers are actively exploiting vulnerable Cisco software to primarily target telecommunications companies, researchers say.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisco-devices-breach-ios-xe\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Unidentified attackers breach tens of thousands of Cisco devices\"> <meta property=\"og:description\" content=\"Attackers are actively exploiting vulnerable Cisco software to primarily target telecommunications companies, researchers say.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisco-devices-breach-ios-xe\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-10-18T15:34:12+00:00\"> <meta property=\"article:modified_time\" content=\"2023-10-18T19:21:13+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\">  <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1697500969g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1693499496g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1696959155g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/77657\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.3.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=77657\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisco-devices-breach-ios-xe%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisco-devices-breach-ios-xe%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-77657 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisco-devices-breach-ios-xe\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.789915966387\">\n<div class=\"single-article__header-content\" readability=\"31.624454148472\">\n<p> Attackers are actively exploiting vulnerable Cisco software to primarily target telecommunications companies, researchers say. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> The Cisco Systems logo is displayed at the Mobile World Congress (MWC) in Barcelona on February 25, 2019. (GABRIEL BOUYS \/ AFP) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"49.106064181218\"><body readability=\"98.728582071021\"><\/p>\n<p>Tens of thousands of physical and virtual devices running Cisco networking software have been compromised as the result of a yet-unpatched vulnerability, according to multiple independent researchers. <\/p>\n<p>Cisco <a href=\"https:\/\/blog.talosintelligence.com\/active-exploitation-of-cisco-ios-xe-software\/\">issued a security advisory Monday<\/a> warning of \u201cactive exploitation\u201d of its IOS XE software but did not share details on the scale of the issue. Successful exploitation of the vulnerability would grant an attacker \u201cfull control of the compromised device\u201d and allow \u201cpossible subsequent unauthorized activity,\u201d the Cisco\u2019s Talos threat intelligence group said in the alert.<\/p>\n<p>The previously unknown vulnerability has been designated <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-20198\">CVE-2023-20198<\/a>.<\/p>\n<p>By Tuesday, using indicators shared by Talos, researchers began to quantify the scale of compromised devices. <a href=\"https:\/\/vulncheck.com\/blog\/cisco-implants\">Jacob Baines, the chief technical officer with VulnCheck, wrote<\/a> that Cisco\u2019s blog post \u201cburied the lede by not mentioning <em>thousands <\/em>of internet-facing IOS XE web interfaces have been implanted.\u201d <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Later in the day, <a href=\"https:\/\/censys.com\/cve-2023-20198-cisco-ios-xe-zeroday\/\">researchers with Censys reported observing 34,140 devices<\/a> \u201cthat appear to have the backdoor installed.\u201d Censys\u2019 data pointed to tens of thousands of compromised devices around the world, the majority of which are in the U.S.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"640\" height=\"527\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices.png?resize=640%2C527&ssl=1\" alt class=\"wp-image-77658\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-1.png 1202w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-1.png?resize=300,247 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-1.png?resize=768,633 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-1.png?resize=1024,843 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-1.png?resize=600,494 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-1.png?resize=204,168 204w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-1.png?resize=409,337 409w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-1.png?resize=820,675 820w\" sizes=\"(max-width: 1202px) 100vw, 1202px\"><figcaption class=\"wp-element-caption\">The number of compromised Cisco devices as a result of CVE-2023-20198 (Censys).<\/figcaption><\/figure>\n<p>An analysis of the autonomous systems associated with the device IP addresses, which offers indications of the types of organizations involved, suggests \u201cthey predominantly represent telecommunications companies offering internet services to both households and businesses,\u201d the Censys researchers reported.<\/p>\n<p>A Cisco spokesperson told CyberScoop late Tuesday that the company is \u201cworking non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory.\u201d <\/p>\n<p>Cisco became aware of the issue on Sept. 28, when it was reported to the company\u2019s Technical Assistance Center, according to the Talos blog. An analysis showed that \u201crelated activity\u201d began as early as September 18. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>It\u2019s not clear who is behind the compromises, but they \u201cwere likely carried out by the same actor,\u201d the Talos blog read. <\/p>\n<p>The attackers leveraged a previous vulnerability, CVE-2021-1435, which Cisco patched in 2021, to install the implant after gaining access to the device, according to Talos. \u201cWe have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism.\u201d<\/p>\n<p>U.S. government and cybersecurity industry officials have in recent months warned that advanced hacking groups are increasingly targeting so-called edge computing devices, like routers and firewalls. Targeting edge devices allows attackers of all kinds to gain access on systems that defenders have limited visibility into, Francisco Donoso, the chief technical officer of the cybersecurity firm Lodestone, told CyberScoop in an online chat Wednesday.<\/p>\n<p>The vulnerable Cisco IOE XE firmware is used across a \u201cfairly broad range of Cisco products including enterprise switches, wireless controllers, access points, industrial routers, virtual appliances, and other Cisco networking solutions,\u201d Donoso said. <\/p>\n<p>There is no easy way to validate the integrity of such devices, and most organizations likely don\u2019t know their devices are internet-exposed, he added. And while the implant currently does not seem to survive a reboot, \u201cthese systems, particularly in telecom, remain online for significant amounts of time (sometimes years),\u201d he said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Now that this campaign has been exposed, attackers could potentially be mass spraying the exploit and implant in an attempt to gain initial access to as many organizations as possible and \u201cwill then triage which orgs are of value for further attack activity once the implant is deployed as widely as possible,\u201d Donoso added.<\/p>\n<p><strong><em>Updated, Oct. 18, 2023: <\/em><\/strong><em>This article has been updated with additional comment from Francisco Donoso. <\/em><strong><em> <\/em><\/strong><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2857142857143\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices-1.jpg?w=640&ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisco-devices-breach-ios-xe\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unidentified attackers breach tens of thousands of Cisco devices |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1084,1085,1086,288],"tags":[1087,1088,1089,294],"class_list":["post-1894","post","type-post","status-publish","format-standard","hentry","category-cisco-ios-xe","category-exploits","category-networking","category-threats","tag-cisco-ios-xe","tag-exploits","tag-networking","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisco-ios-xe\/\" rel=\"category tag\">Cisco IOS XE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/exploits\/\" rel=\"category tag\">exploits<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/networking\/\" rel=\"category tag\">networking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1894"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1894\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":1894,"date":"2023-10-18T15:34:12","date_gmt":"2023-10-18T15:34:12","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=77657"},"modified":"2023-10-18T15:34:12","modified_gmt":"2023-10-18T15:34:12","slug":"unidentified-attackers-breach-tens-of-thousands-of-cisco-devices","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/10\/18\/unidentified-attackers-breach-tens-of-thousands-of-cisco-devices\/","title":{"rendered":"Unidentified attackers breach tens of thousands of Cisco devices"},"content":{"rendered":"