Is It On or Off? Cisco IOS XE Devices Hacked in Widespread Attacks

Cyber Security Threat Summary:
Amid the COVID-19 pandemic, as remote work became a necessity, IT teams had to rapidly implement protocols and software suites to maintain business continuity and efficiency. This involved enabling routing configurations and adjusting inbound and outbound policies on appliances that previously didn't support remote connections. This allowed networking appliances and software packages to be accessed and configured on-the-fly, enabling staff to access the necessary resources for their work from locations outside the traditional office spaces.

Since COVID-19, some staff have returned to the corporate office, while others continue to work from home. Additionally, some organizations have adopted a hybrid work model. Despite the changes in our working environment, the underlying protocols and configurations that enable and facilitate these work arrangements have remained relatively consistent.

Security Officer Comments:
Nonetheless, it's probable that many organizations still retain risky configurations that are either unnecessary or overdue for review against standard cybersecurity practices. In recent developments, attackers have exploited a recently disclosed critical zero-day vulnerability (CVE-2023-20198) to compromise thousands of Cisco IOS XE devices and plant malicious implants. These attacks specifically targeted Cisco IOS XE routers and switches with the Web User Interface (Web UI) feature activated, coupled with the HTTP or HTTPS Server features enabled.

Suggested Correction(s):
The report identifies several thousand devices exposed to the internet, but this number could be higher due to Cisco's global prevalence. It's essential for organizations to review networking policies and stay proactive in securing their systems when facing zero-day vulnerabilities. They should explore alternative methods for protecting mission-critical appliances instead of internet exposure. Cisco advises immediate actions, including disabling web interfaces and removing management from the internet, as a patch is pending.
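As an added example (not code from the article or from Cisco), a small Python audit that checks an exported IOS XE running-config for the condition described above, the Web UI's HTTP or HTTPS server enabled without an `ip http access-class` restriction, and prints the commands that disable it; the sample config is constructed.

```python
# Added example: audit a Cisco IOS XE running-config for the Web UI exposure
# described in the article ("ip http server" / "ip http secure-server").
# The config text below is a constructed sample; the commands are standard IOS XE.
import re

HTTP_RE = re.compile(r"^(no )?ip http (server|secure-server)\b")
ACL_RE = re.compile(r"^ip http access-class\b")

def audit_web_ui(running_config: str) -> dict:
    """Return which Web UI listeners are on and whether access is restricted."""
    state = {"http": False, "https": False, "access_class": False}
    for raw in running_config.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m:
            disabled = m.group(1) is not None          # leading "no " turns it off
            key = "https" if m.group(2) == "secure-server" else "http"
            state[key] = not disabled
        elif ACL_RE.match(line):
            state["access_class"] = True               # ACL limits who can reach the UI
    state["exposed"] = (state["http"] or state["https"]) and not state["access_class"]
    return state

def remediation(state: dict) -> list:
    """Config commands that remove whichever Web UI listeners are enabled."""
    cmds = []
    if state["http"]:
        cmds.append("no ip http server")
    if state["https"]:
        cmds.append("no ip http secure-server")
    return cmds

# Constructed sample: HTTPS Web UI enabled, no access-class restriction.
SAMPLE_CONFIG = """\
hostname edge-router
!
no ip http server
ip http secure-server
ip http authentication local
"""

if __name__ == "__main__":
    result = audit_web_ui(SAMPLE_CONFIG)
    print(result)
    for cmd in remediation(result):
        print(cmd)
```

Run it against `show running-config` output saved to a file; a device reporting `exposed: True` is one that should have its Web UI disabled or taken off the internet, as the article recommends.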