Case Study: Detecting Cisco IOS XE Emerging Exploitation

Summary

Key Takeaways

In the dynamic landscape of cyber threats, the need for rapid and precise threat intelligence is paramount. GreyNoise is at the forefront, enhancing our sensor technology to deliver critical insights with unprecedented speed. Here's how our recent advancements are transforming threat detection and analysis:

  • GreyNoise’s new sensor framework uniquely allows us to rapidly respond and collect novel intelligence for emerging threats.
  • With our new capabilities, Low/Medium/High-Interaction Honeypots Personas “appear” real to internet inventory services, allowing us to bait attackers targeting specific technologies. They can also be easily deployed in key IP space used by real businesses, making them attractive targets. The use of a customized low-interaction persona for Cisco IOS XE allowed our team to rapidly (within hours or days) adjust honeypots to capture new techniques.
  • Using GreyNoise, the timeline for responding to actors and identifying novel exploitation techniques for emerging threats is faster, potentially reduced from weeks/months to hours and days, giving defenders a leg up against the adversaries.
  • CISA cites GreyNoise’s work in their post “Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities”
  • https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities
Within 1 day and 30 minutes of development, we were able to deploy a persona that baited attacks for CVE-2023-20198.   Within 2 weeks of just a single sensor deployment, we observed novel exploitation for the CVE and shared intelligence with partners.

Timeline

October 2023

10/16/2023 - Privilege Escalation CVE-2023-20198 Published for Cisco IOS XE
  • We determine that the command injection vulnerability CVE-2021-1435 may be incorrectly attributed to exploitation activity in combination with CVE-2023-20198.
  • We began working with partners to respond to this emerging threat.
10/17/2023 - GreyNoise Developed Low-Interaction Cisco IOS XE Personas
  • We create a Cisco IOS XE persona in about 30 minutes.
  • We strategically deploy the low-interaction persona to a single IP in AWS, knowing that we are correctly presenting as a Cisco IOS XE device.
10/19/2023 - GreyNoise confirms that an un-tracked command injection CVE is involved

10/20/2023 - GreyNoise tag for Privilege Escalation CVE-2023-20198 released

10/23/2023 - GreyNoise collaborates with the community
  • GreyNoise advocates for the successful removal of CVE-2021-1435 from CISA’s KEV.

10/31/2023 - GreyNoise observes novel exploitation of CVE-2023-20198 with our new sensor
  • The observed payload utilizes predicted signature bypass mechanisms, as noted on 10/20



November 2023

11/01/2023 - GreyNoise shares PCAP, intelligence, and analysis with partners
  • Noted that we have observed novel exploitation that uses varying capitalization, _http(s), and double URL-Encoding.
  • Noted that the number of possible payload variations that can result in successful exploitation are massive.
  • Noted that for the performance of network signatures attempting to match all variations, a “behavior-first” signature can be crafted using public documentation.
  • HTTP POST lacking well-defined authentication methods.
  • https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/restapi/restapi/RESTAPIclient.html
  • POST body containing well-defined Cisco XML SOAP schema.
  • Then, perform computationally expensive operations to match indicators for the webui_wsma_http(s) variations.

11/06/2023 - Metasploit published exploitation modules with additional check
11/07/2023 - GreyNoise pushes a Cisco IOS XE persona update to match additional Metasploit checks
  • Persona now shows as vulnerable to the Metasploit module.

Key Takeaways

In the dynamic landscape of cyber threats, the need for rapid and precise threat intelligence is paramount. GreyNoise is at the forefront, enhancing our sensor technology to deliver critical insights with unprecedented speed. Here's how our recent advancements are transforming threat detection and analysis:

  • GreyNoise’s new sensor framework uniquely allows us to rapidly respond and collect novel intelligence for emerging threats.
  • With our new capabilities, Low/Medium/High-Interaction Honeypots Personas “appear” real to internet inventory services, allowing us to bait attackers targeting specific technologies. They can also be easily deployed in key IP space used by real businesses, making them attractive targets. The use of a customized low-interaction persona for Cisco IOS XE allowed our team to rapidly (within hours or days) adjust honeypots to capture new techniques.
  • Using GreyNoise, the timeline for responding to actors and identifying novel exploitation techniques for emerging threats is faster, potentially reduced from weeks/months to hours and days, giving defenders a leg up against the adversaries.
  • CISA cites GreyNoise’s work in their post “Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities”
  • https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities
Within 1 day and 30 minutes of development, we were able to deploy a persona that baited attacks for CVE-2023-20198.   Within 2 weeks of just a single sensor deployment, we observed novel exploitation for the CVE and shared intelligence with partners.

Timeline

October 2023

10/16/2023 - Privilege Escalation CVE-2023-20198 Published for Cisco IOS XE
  • We determine that the command injection vulnerability CVE-2021-1435 may be incorrectly attributed to exploitation activity in combination with CVE-2023-20198.
  • We began working with partners to respond to this emerging threat.
10/17/2023 - GreyNoise Developed Low-Interaction Cisco IOS XE Personas
  • We create a Cisco IOS XE persona in about 30 minutes.
  • We strategically deploy the low-interaction persona to a single IP in AWS, knowing that we are correctly presenting as a Cisco IOS XE device.
10/19/2023 - GreyNoise confirms that an un-tracked command injection CVE is involved

10/20/2023 - GreyNoise tag for Privilege Escalation CVE-2023-20198 released

10/23/2023 - GreyNoise collaborates with the community
  • GreyNoise advocates for the successful removal of CVE-2021-1435 from CISA’s KEV.

10/31/2023 - GreyNoise observes novel exploitation of CVE-2023-20198 with our new sensor
  • The observed payload utilizes predicted signature bypass mechanisms, as noted on 10/20



November 2023

11/01/2023 - GreyNoise shares PCAP, intelligence, and analysis with partners
  • Noted that we have observed novel exploitation that uses varying capitalization, _http(s), and double URL-Encoding.
  • Noted that the number of possible payload variations that can result in successful exploitation are massive.
  • Noted that for the performance of network signatures attempting to match all variations, a “behavior-first” signature can be crafted using public documentation.
  • HTTP POST lacking well-defined authentication methods.
  • https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/restapi/restapi/RESTAPIclient.html
  • POST body containing well-defined Cisco XML SOAP schema.
  • Then, perform computationally expensive operations to match indicators for the webui_wsma_http(s) variations.

11/06/2023 - Metasploit published exploitation modules with additional check
11/07/2023 - GreyNoise pushes a Cisco IOS XE persona update to match additional Metasploit checks
  • Persona now shows as vulnerable to the Metasploit module.

Read the transcript