Hackers Change Tactics To Commandeer Cisco Devices

Hackers who were last seen compromising up to 40,000 Cisco devices thanks to a flaw in the company’s IOS XE software, have refined their methods, according to a report in PC Magazine.

San Jose-based Cisco develops and sells networking hardware, software, telecommunications equipment, and other high-tech services and products. It specializes in the Internet of Things, domain security, videoconferencing, and energy management.

The company initially warned that a successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a denial of service condition. The U.S. Cybersecurity and Infrastructure Security Agency released a warning urging companies to install the patches.

The number of hijacked devices plummeted mysteriously around October 22 as Cisco rolled out a patch to address the threat. It was initially assumed that was because the company’s customers were moving swiftly to neutralize the vulnerability. However, according to PC Magazine, evidence is emerging that the hacking group has simply updated its techniques in order to conceal which devices have been hijacked.

They have accomplished this by installing an implant that can receive and execute further commands on the infected hardware. That confounds the patch, which exploited the fact that hijacked devices would respond with an 18-character hexadecimal when receiving a specific HTTP POST.

A cybersecurity vendor, Fox IT found out that the attacker had upgraded the implant to counter the method Cisco employed. According to Cisco, affected customers can download the company’s patch to stamp out the threat. But for now, the patch is only available for users on version 17.9 of IOS XE.