Ransomware Attackers Exploit Multiple Cisco Zero-Days


October 23, 2023


Last week Cisco launched an investigation into the active exploitation of a zero-day vulnerability (CVE-2023-20198) in the web UI feature of Cisco IOS XE Software that can allow an attacker to create an account on a vulnerable system with high user privileges.

While investigating the bug, the Cisco team discovered yet another zero-day (CVE-2023-20273) that can allow an attacker to gain root on the targeted system and execute code.

“The second zero-day, lurking in the web user interface of Cisco’s IOS XE system software, enables attackers to escalate their privileges from this newly created user account to root access. This ‘upgrade’ is the linchpin that allows the implantation of malware, fully compromising the network hardware,” CyberWarzone reports.

“Before this revelation, speculation was rife that the attacks were leveraging an older vulnerability from 2021, known as CVE-2021-1435. This vulnerability had received a patch, but doubts were raised regarding its effectiveness. However, Cisco’s Talos researchers have definitively stated that this 2021 vulnerability is not involved in the current wave of attacks.”
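The chain described above starts with an unexpected high-privilege local account created through the IOS XE web UI. A defender's first question is therefore whether the web UI is enabled at all and whether any privilege-15 accounts exist that are not in the known baseline. The following is an added example, not code from Cisco or from this post; it audits a constructed running-config snippet (the hostname, usernames and `EXPECTED_ADMINS` baseline are all assumed sample values) and assumes the usual hardening step that the web UI (`ip http server` / `ip http secure-server`) is disabled wherever it is not required.

```python
import re

# Constructed IOS XE running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username svc_unknown privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Assumed baseline: the only privilege-15 local account that should exist.
EXPECTED_ADMINS = {"netadmin"}

# Lines that mean the web UI (HTTP/HTTPS server) is enabled on the device.
WEB_UI_LINES = ("ip http server", "ip http secure-server")
PRIV15_USER = re.compile(r"^username (\S+) privilege 15\b")


def audit_config(config, expected_admins):
    """Return (finding_type, detail) tuples in config order.

    finding types:
      web-ui-enabled          - the HTTP/HTTPS web UI is turned on
      unexpected-priv15-user  - a privilege-15 local account not in the baseline
    """
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line in WEB_UI_LINES:
            findings.append(("web-ui-enabled", line))
            continue
        m = PRIV15_USER.match(line)
        if m and m.group(1) not in expected_admins:
            findings.append(("unexpected-priv15-user", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_config(SAMPLE_CONFIG, EXPECTED_ADMINS):
        print(f"{kind}: {detail}")
```

On a real device the input would be the output of `show running-config`; any `unexpected-priv15-user` finding is worth checking against change records before assuming it is benign.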

Takeaway: Today’s ransomware attacks employ techniques that are far advanced from the ransomware campaigns of even just a year or two ago.

Attackers are reinvesting ransom proceeds into hiring really talented developers who are constantly finding new ways to infect victims, evade detection, exfiltrate more sensitive data, and encrypt more files faster.

It used to be highly unusual to see ransomware gangs using zero-days in attacks, as these exploits are valuable and usually leveraged in nation-state operations as opposed to cybercriminal attacks.

Unfortunately, we are seeing a steady increase in the number of zero-day vulnerabilities being leveraged by ransomware attackers as they continue to automate scans for vulnerable applications to exploit, as we saw in the massive Cl0p campaigns targeting the MOVEit and GoAnywhere software bugs earlier this year.

Threat actors are also creating bespoke tools for more efficient collection and exfiltration of victim data and building out their RaaS platform services to smooth the negotiation and ransom payment process.

The increase in the exploitation of zero-day vulnerabilities by ransomware gangs is more than concerning and further evidence that criminal actors are employing increasingly complex techniques that we used to only see in nation-state operations.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.