Netography Fusion Detects Post-Compromise Behavior from Critical Cisco Zero-Day Vulnerability
Jeff Nathan, Director of Detection Engineering
Background
On Oct. 16, Cisco disclosed a critical zero-day vulnerability in the web UI feature of its IOS XE software, with a CVSS score of 10 out of a possible 10. CVE-2023-20198 allows “a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” the highest privilege level on IOS XE. In the attacks observed so far, exploitation is followed by the installation of a malware implant that lets the attacker execute arbitrary commands on the device with full privileges.
Scope of Threat
As of Oct. 18, Censys had found over 41,000 compromised hosts. A day later, Censys reported that the number of compromised Cisco devices had ebbed to 36,541, over 5,000 fewer than 24 hours earlier; note that a scan count measures devices that respond to the scanner's check, not devices that have been remediated. Attackers are actively exploiting this vulnerability to take control of physical and virtual devices running Cisco IOS XE whose web-based management interface is exposed to the internet. Cisco has not yet released a patch and its advisory lists no workaround; it recommends disabling the HTTP Server feature on internet-facing systems as an interim mitigation.
Netography Fusion® Detection of Post-Compromise Behavior
To protect customers, the Netography Fusion Network Defense Platform (NDP) now includes new Netography Detection Models (NDMs) that detect the post-compromise behavior of the malware implant and give high-fidelity visibility into which devices have been compromised.
These NDMs analyze context-enriched network metadata to detect the successive phases of implant activity. Unlike single-event detections, they fire only after observing follow-on exploitation behavior from the implant, not on the initial access alone. Requiring multiple phases yields a compromise-oriented view of exploitation rather than a one-off, event-based view of the vulnerability, and it reduces false positives.
Because the Fusion platform is data agnostic, these NDMs detect the malicious activity without being tied to a particular network protocol implementation.
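To make the single-event versus multi-phase distinction concrete, here is an added example. It is not Netography's code and does not describe its NDMs, whose phase definitions the post does not publish. It assumes two illustrative phases, an external client reaching a device's web UI followed within ten minutes by the device itself connecting out to an external host, and runs both a naive single-event detector and a stateful two-phase detector over constructed flow-metadata records; the device addresses, ports, window and records are all assumptions.

```python
"""Multi-phase correlation over network metadata, illustrating
"only alert after follow-on behavior".

Added example; not Netography's code. The phase definitions, ports,
window and the flow records below are all constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow-metadata record (constructed; the fields are an assumption)."""
    ts: int        # seconds
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port


# Assumptions for this example (not derived from the post):
MONITORED = {"203.0.113.10", "203.0.113.11"}   # IOS XE devices we watch
MGMT_PORTS = {80, 443}                         # web UI ports on those devices
WINDOW = 600                                   # phase 2 must follow phase 1 within 10 min
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """Treat anything outside RFC 1918 space as internet traffic.
    (ipaddress.is_global is deliberately not used: it classifies the
    documentation ranges used in the sample data as non-global.)"""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def phase1(f: Flow) -> bool:
    """Phase 1 (assumed): an external client reaches a device's web UI."""
    return f.dst in MONITORED and f.dport in MGMT_PORTS and is_external(f.src)


def phase2(f: Flow) -> bool:
    """Phase 2 (assumed): the device itself initiates a connection to an
    external host, the kind of follow-on activity an implant would produce."""
    return f.src in MONITORED and is_external(f.dst)


def single_event_alerts(flows: List[Flow]) -> List[Flow]:
    """Naive detector: one alert per phase-1 event. Every internet scanner
    that probes the web UI produces an alert, compromised or not."""
    return [f for f in flows if phase1(f)]


def multi_phase_alerts(flows: List[Flow]) -> List[Dict[str, object]]:
    """Stateful detector: remember the latest phase-1 hit per device and
    alert only when a phase-2 flow from that device follows within WINDOW.
    Phase 1 on its own is never reported; phase 2 without a recent
    phase 1 (routine outbound traffic) is not reported either."""
    last_touch: Dict[str, Tuple[int, str]] = {}   # device -> (ts, external client)
    alerts: List[Dict[str, object]] = []
    for f in sorted(flows, key=lambda x: x.ts):
        if phase1(f):
            last_touch[f.dst] = (f.ts, f.src)
            continue
        if phase2(f):
            hit = last_touch.get(f.src)
            if hit is not None and 0 <= f.ts - hit[0] <= WINDOW:
                alerts.append({"device": f.src, "client": hit[1],
                               "callback": f.dst, "ts": f.ts})
                del last_touch[f.src]   # one alert per chain, not per flow
    return alerts


# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    Flow(100,  "198.51.100.7",  "203.0.113.10", 443),   # scanner probes .10, nothing follows
    Flow(200,  "198.51.100.7",  "203.0.113.11", 443),   # same scanner probes .11 ...
    Flow(260,  "203.0.113.11",  "192.0.2.44",   443),   # ... and .11 then calls out: alert
    Flow(5000, "198.51.100.20", "203.0.113.10", 443),   # remote admin logs in to .10
    Flow(9000, "203.0.113.10",  "192.0.2.9",    443),   # .10 calls out, far outside WINDOW
    Flow(9100, "203.0.113.10",  "10.0.0.5",     514),   # .10 sends syslog internally: ignored
]


if __name__ == "__main__":
    print("single-event alerts:", len(single_event_alerts(SAMPLE_FLOWS)))   # 3
    for a in multi_phase_alerts(SAMPLE_FLOWS):
        print("multi-phase alert:", a)                                    # 1 alert
```

Running it gives three single-event alerts (every external probe of the web UI, including the remote administrator's login) but a single multi-phase alert, for the device that called out shortly after being probed. Whatever the real phases are, the state machine has the same shape: retain phase-1 context per device, require the follow-on phase inside a window, and emit once per chain rather than once per event.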
All Fusion deployments were automatically updated by Netography’s detection engineering team. To learn more about Fusion, schedule a time with our experts.