Cisco IOS XE Attacks: 7 Biggest Unanswered Questions

It’s among the most widespread cyberattack campaigns of the year, but much remains unknown about the vulnerability, the scope of the impacts and how many attackers are actually involved.


As security teams and IT admins close out a week of grappling with widespread attacks targeting Cisco Systems IOS XE customers, many key details about the situation remain elusive.

And until more information surfaces, experts say it’ll be tough to fully get a handle on the threat, which compromised tens of thousands of devices through exploitation of a critical vulnerability in the popular IOS XE networking software platform.

“In some ways, Cisco has been really amazing about sharing information,” said Caitlin Condon, head of vulnerability research at cybersecurity vendor Rapid7, in an interview.


For instance: Cisco provided a clear way to check for the presence of the attacker’s malicious implant, also known as a backdoor. And that is “one of the reasons why we understand prevalence as well as we do industry-wide right now,” Condon told CRN.

At the same time, there’s still a lot that’s unknown about the vulnerability, the scope of impacted devices, the motives behind the attacks and much more. “There’s quite a bit that is still either not known or not clear,” Condon said.

Cisco may hold the answers to some of the questions, while for other details it may take some time.

What we do know is that the Cisco IOS XE attacks are on track to be one of the most impactful attacks against IT hardware of the year, perhaps rivaling only the Barracuda Email Security Gateway attacks from mid-2023, Condon said.

With about two more months to go in 2023, “so far, I would say it’s those two,” she said of the Cisco and Barracuda attacks. And notably, both attacks targeted network hardware devices located on the edge of an organization’s IT setup.

CRN has reached out to Cisco for comment.

While examining what is and isn’t known about the IOS XE hacks, it’s worth underscoring an obvious point: Cisco is a huge company with a lot of technology under its roof.

“I think they’re probably running into what any large company runs into, where you don’t want to panic people,” Condon said. “But also, you do want to be transparent about, ‘Hey, there’s a problem here.’”

What follows are the seven biggest unanswered questions about the Cisco IOS XE attacks.

How soon could there be a patch?

First disclosed Oct. 16 by Cisco as a zero-day vulnerability, the privilege escalation flaw can enable a malicious actor to acquire complete control over a compromised device, the company has said. The vulnerability (tracked as CVE-2023-20198) has been awarded the maximum severity rating, 10.0 out of 10.0.

However, a patch to fix the vulnerability has yet to be made available. In a statement provided to CRN on Oct. 16, the tech giant said it is addressing the critical security issue “as a matter of top priority” and has been “working non-stop to provide a software fix.” An ETA on the patch has not been offered, though.

In one promising sign, researchers at cybersecurity firm Censys said Thursday that it appears the number of infected devices has peaked — at roughly 42,000 — and the number of compromised devices is now declining as administrators take recommended measures.

“More than 5,400 Cisco XE devices have either removed their web interface from the internet, been taken offline, or had their configurations reset,” the researchers wrote. “However, Censys has identified 36,541 devices that remain online and compromised.”

How certain are we that the mitigations do the trick?

Cisco has said that an access restriction measure it has shared is effective at stopping exploits of the vulnerability in IOS XE.

The company has “high confidence” that “access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation,” Cisco said in an update to its advisory Oct. 17.

“I think a lot of people in these types of situations typically do want to be able to test for themselves: ‘Are the mitigation steps truly, completely effective?’” Condon said.

Security researchers would like to be able to check for additional attack vectors or potentially a modified attack chain that could still be effective, she said.

In other words, “are there other ways in?” Condon said. “I’m sure Cisco is doing their best. It seems like they’re trying to be transparent about this as quickly as they can. But if there were more information, we would be able to assess that.” And that would help with providing more information to defenders who are looking for guidance, she said.

Cyber defense teams are ultimately seeking “100 percent confirmation that we know what this is, we know how you mitigate it — and yes, we can confirm that [the mitigation] works,” Condon said. “That’s what they want to hear.”
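As an added illustration of the access-list mitigation Cisco describes above (this is a constructed example, not configuration from the article or from Cisco's advisory), the fragment below contrasts a device whose IOS XE web UI is reachable from any host with two hardened variants: disabling the web UI outright, or restricting it to a management subnet. The ACL name MGMT-ONLY and the 192.0.2.0/24 range are placeholders, and the exact `ip http access-class` syntax should be checked against the release notes of the IOS XE version in use.

```cisco
! Constructed example: web UI reachable from anywhere.
! Any host that can reach TCP/80 or TCP/443 can attempt to log in to the web UI.
ip http server
ip http secure-server

! Hardened variant A: disable the web UI if it is not needed.
no ip http server
no ip http secure-server

! Hardened variant B: keep the web UI but allow only a management subnet.
! MGMT-ONLY is a constructed ACL name; 192.0.2.0/24 stands in for the
! real management network.
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any log
ip http access-class ipv4 MGMT-ONLY
ip http server
ip http secure-server

! Verify the HTTP server state and the access class that was applied.
show ip http server status
```

The `deny any log` entry makes rejected attempts to reach the web UI visible in the device log, which is useful while administrators are still hunting for indicators of compromise.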

What’s the full list of impacted devices?

Cisco has not provided the list of devices affected, meaning that any switch, router or WLC (Wireless LAN Controller) that’s running IOS XE and has the web user interface (UI) exposed to the internet is vulnerable, according to Mayuresh Dani, manager of threat research at cybersecurity firm Qualys.

That is a lengthy list, however. And so far, it’s not a list that actually has been released by Cisco.

Along with widely used enterprise switches in the Cisco Catalyst 9000 line, IOS XE also is used to run numerous other types of devices, many of which often run in edge environments that tend to get less attention than data center equipment. Those include branch routers, industrial routers and aggregation routers, as well as Catalyst 9100 access points and “IoT-ready” Catalyst 9800 wireless controllers.

But since there’s no comprehensive list of everything that runs IOS XE, many organizations are unclear on how, or even whether, they are impacted.

All in all, “it would be really helpful to have a list,” Condon said. “We can look at the datasheet and see these 20 things [that run IOS XE], but is that it? We don’t know.”

What is the full attack chain?

From what Cisco has disclosed so far, there’s not much that is known about the vulnerability itself, according to Condon.

For instance, “what exactly is the root cause? What does the attack chain look like?” she said. “The way they’ve described it is a little bit vague, which isn’t throwing shade at them. It just seems like maybe there’s still quite a bit about the exact attack chain that is not known. And that’s concerning.”

As one example, Cisco was upfront about the fact that there’s an additional mechanism involved in the attacks that they don’t fully understand yet. Cisco’s Talos threat intelligence team wrote in a post that a threat actor has been observed exploiting a previously patched vulnerability from 2021 (tracked as CVE-2021-1435) as part of installing a backdoor.

“We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism,” the Talos blog said.

In other words, there’s some ambiguity in the attack chain that still needs to be cleared up.

For Condon, that raises questions such as, do you need both vulnerabilities? Or is one sufficient? “It sounds to me like they’re trying to be upfront about the fact that this is still an active investigation, and there’s stuff they don’t know.”

Can devices easily be re-compromised?

As part of the IOS XE attacks, the implants installed by threat actors do not have what’s known as “persistence” on a device, meaning that they are eliminated when the device is rebooted.

However, the accounts created by attackers are not removed, raising the question of whether they may continue to have administrator access even after a reboot.

And because the full attack chain is still unknown, a big question is whether a device can easily be re-compromised, Condon said. “Can it be re-implanted?”

Is it just a single threat actor behind the attacks?

In the intrusion investigated by Rapid7 researchers, the team has identified some variation in the techniques used, Condon noted. Additionally, the researchers also determined that in a few cases, a customer environment was exploited multiple times in the same day. The findings were disclosed in a post from Condon on the Rapid7 blog earlier this week.

“We can’t say for sure that this might be more than one threat actor, but that’s something that’s on our mind,” she told CRN. “It’s possible.”

Who is behind the attacks and what’s their motive?

There’s been no attribution for the attacks so far and little evidence about what the threat actor, or threat actors, are trying to accomplish.

“I’m sure that eventually, whether it takes weeks or longer, we’re going to have a better understanding of, here’s what the full attack chain was and here’s the threat actor or actors this was attributed to. And here’s what we think they were after,” Condon said. “I’m sure we’re going to see country names in some of these articles.”

In all likelihood, “we’re going to learn that this is a skilled attacker who had orchestrated this action, whether it’s one attacker or multiple who were using similar techniques,” she said.

However, Condon noted, “at this point we don’t even know what the full attack chain looks like. And there’s no patch. The message, I think, to administrators of these devices is, get them off the internet, reboot and then look for indicators of compromise.”
