A hacking group that’s been exploiting a software vulnerability to hijack tens of thousands of Cisco devices seems to have changed tactics to avoid detection.
The hackers were last spotted compromising up to 40,000 Cisco devices, thanks to a flaw in the company’s IOS XE software, which is used in routers, switches, and wireless controllers. Then, the number of hijacked devices began to plummet mysteriously this past weekend right as Cisco rolled out a patch to address the threat.
The falling infection numbers initially suggested that Cisco customers were moving fast to clamp down on the vulnerability. But now evidence is emerging that the hacking group has merely updated its techniques to better conceal which Cisco devices have been hijacked.
To compromise the affected devices, the hackers have been installing an implant, which can receive and execute further commands on the infected hardware. Cisco originally found that hijacked devices would respond with an 18-character hexadecimal string when receiving a specific HTTP POST, giving companies an easy way to scan for a potential compromise.
But now the cybersecurity vendor Fox IT reports: “The threat actor has upgraded the implant to do an extra header check. Thus, for a lot of devices, the implant is still active, but now only responds if the correct authorization HTTP header is set.” The change has eliminated the original way that companies could identify a hijacked device.
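The two detection points above (a compromised device answering a specific POST with an 18-character hex string, and the upgraded implant staying silent unless a particular Authorization header is present) can be turned into a small inventory check. The following is an added example, not code from the article, Cisco, or Fox-IT: the probe path is a placeholder (the article does not give it), and the sample replies are constructed. The point it makes is that only a positive match is meaningful; a silent or ordinary reply is inconclusive, not a clean bill of health.

```python
"""Added example: classify replies to the original implant probe described in
the article. Neither the probe path nor the sample replies come from the page."""
import http.client
import re
import ssl

# Original fingerprint from the article: an 18-character hexadecimal string.
HEX18 = re.compile(r"^[0-9a-fA-F]{18}$")

# Assumption: placeholder. The article does not state the real probe path.
PROBE_PATH = "/PLACEHOLDER-PROBE-PATH"


def classify_reply(body: str) -> str:
    """Return 'implant-fingerprint' when the reply matches the original
    indicator, otherwise 'inconclusive'.

    'Inconclusive' is deliberate: the article reports that the upgraded implant
    only answers when the correct Authorization header is set, so a device that
    does not return the hex string may still be compromised."""
    if HEX18.match(body.strip()):
        return "implant-fingerprint"
    return "inconclusive"


def probe_device(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe POST over TLS to one device in your own inventory and
    classify the answer. Certificate verification is disabled only because
    network devices commonly present self-signed certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("POST", PROBE_PATH, body=b"", headers={"Content-Length": "0"})
        resp = conn.getresponse()
        return classify_reply(resp.read().decode("ascii", "replace"))
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


def scan(hosts):
    """Probe a list of hosts and return {host: verdict}; only
    'implant-fingerprint' verdicts warrant action on their own."""
    return {h: probe_device(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample replies so the classifier can be exercised offline.
    print(classify_reply("0123456789abcdef01\n"))   # implant-fingerprint
    print(classify_reply("<html>login page</html>"))  # inconclusive
    print(classify_reply("0123456789abcdef"))       # inconclusive (16 chars)
```

Because the fingerprint is a positive-only indicator, treat an inconclusive result as "not yet known" and fall back on the device's own logs and configuration review, which is the same gap Fox-IT's alternative fingerprinting method is meant to close.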
“This explains the much discussed plummet of identified compromised systems in recent days,” Fox IT added. The good news is that Fox IT says it found an additional way to detect the hacker’s implant, which the company has uploaded on a GitHub page. “Using a different fingerprinting method, Fox-IT
Read more on pcmag.com