Critical South African network infrastructure possibly vulnerable to hijacking

At least 1,594 Cisco devices running the company’s IOS XE operating system in South Africa may be affected by a critical security flaw.
Devices running this software could be powering critical Internet and enterprise network infrastructure in South Africa and include enterprise switches, routers, and wireless controllers.
The vulnerability allows an attacker to create an account on affected devices that effectively grants them complete control of these vital pieces of equipment.
There is no patch for the flaw yet. Cisco recommends that customers secure devices by disabling the HTTP Server feature on all Internet-facing systems.
Cisco’s researchers also stated that attackers exploiting the zero-day used a malicious implant, which isn’t persistent and is removed when the device is rebooted.
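A defender-side check for the mitigation Cisco recommends above, added here as an example and not code from Cisco or MyBroadband: it parses the text of a saved `show running-config` (the two configs below are constructed samples, not real devices) and reports whether the IOS XE web UI is switched on via `ip http server` or `ip http secure-server`. It assumes that a feature with no enabling line in the config is off, and that the last matching line wins when a config contains both the enabling and the `no` form.

```python
# Constructed sample of an Internet-facing router with the web UI enabled.
EXPOSED_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 description INTERNET
 ip address 203.0.113.10 255.255.255.0
"""

# Constructed sample of the same router after applying the recommended mitigation.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
no ip http server
no ip http secure-server
!
interface GigabitEthernet0/0/0
 description INTERNET
 ip address 203.0.113.10 255.255.255.0
"""

# The two IOS XE lines that turn the HTTP/HTTPS server (web UI) on.
HTTP_FEATURES = ("ip http server", "ip http secure-server")


def http_server_state(config: str) -> dict:
    """Map each HTTP feature to True (enabled) or False (disabled).

    Assumption: a feature never mentioned in the config is treated as disabled;
    when both the enabling line and its `no` form appear, the later line wins,
    mirroring how the running config reflects the most recent command.
    """
    state = {feature: False for feature in HTTP_FEATURES}
    for raw in config.splitlines():
        line = raw.strip()          # ignore indentation inside sub-modes
        for feature in HTTP_FEATURES:
            if line == feature:     # exact match, so "ip http authentication" is ignored
                state[feature] = True
            elif line == f"no {feature}":
                state[feature] = False
    return state


def web_ui_exposed(config: str) -> bool:
    """True if either HTTP or HTTPS server is still enabled in this config."""
    return any(http_server_state(config).values())
```

Run it over the configs of all Internet-facing devices and treat every `True` as a device that still needs the HTTP server disabled.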
Cisco disclosed the vulnerability, CVE-2023-20198, on Monday.
“We discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco’s Technical Assistance Center (TAC) that identified unusual behaviour on a customer device,” Cisco’s Talos Intelligence stated.
“Upon further investigation, we observed what we have determined to be related activity as early as September 18.”
The security flaw has received the highest possible Common Vulnerability Scoring System (CVSS) score of 10, rated critical.
A query on the Internet server search engine Shodan suggests that South Africa’s largest network operators each have hundreds of these potentially vulnerable Cisco devices online.
Bleeping Computer reports that Cisco recently updated its advisory with new attacker IP addresses, usernames, and fresh rules for the Snort open-source network intrusion detection and prevention system.
Based on feedback from security researchers worldwide, over 40,000 Cisco devices have already been exploited.
Orange Cyberdefense’s Community Emergency Response Team discovered over 34,500 exploited devices using the same verification method as Cisco.
Censys reported that the number of compromised devices hit 41,983 on Wednesday, but declined to 36,541 by Thursday.
Security researcher Yutaka Sejiyama found 90,000 devices vulnerable to CVE-2023-20198 listed on Shodan.
MyBroadband contacted the South African operators with the most affected routers listed in Shodan.
Those who haven’t responded are not mentioned by name to avoid unintended negative consequences — although it would be trivial for a hacker to get a list of potentially vulnerable routers.
“MTN is aware of the vulnerability and is working with the OEM to implement the mitigation,” said MTN corporate affairs and sustainability chief Jacqui O’Sullivan.
“It should be noted that the vulnerability only impacts devices that are running software IOS-XE, which is a small proportion of the non-core install base.”
Dimension Data said it had also been informed of the cyber-attack affecting Cisco clients.
“We are working with Cisco to help resolve the issue. Affected Clients will be contacted directly by Cisco,” a spokesperson told MyBroadband.
Seacom assured that its infrastructure is not vulnerable to the attack.
“As an Internet Service Provider, our customers utilise IP addresses assigned by us, which can make it challenging to differentiate a customer’s private device from the SEACOM core network,” a spokesperson told MyBroadband.
“Seacom customers manage their independent networks, but they connect to the Seacom network using IP addresses provided by Seacom.
“These IP addresses may associate a customer’s device with the SEACOM network. It’s important to emphasise that a device on a customer’s private network, even if it uses a SEACOM-assigned IP address, does not introduce vulnerabilities to the Seacom network.
“Seacom wants to reassure our customers that, even though we employ Cisco routers in specific sections of our network, we do not enable HTTP. Therefore, we can confirm that our network is not exposed to vulnerabilities.”
Thanks to Jade for the tip.