On Monday, Cisco reported that a critical zero-day vulnerability in devices running IOS XE software was being exploited by an unknown threat actor who was using it to backdoor vulnerable networks. Company researchers described the infections as a "cluster of activity."
On Tuesday, researchers from security firm VulnCheck said that at last count, that cluster comprised more than 10,000 switches, routers, and other Cisco devices. All of them, VulnCheck said, have been infected by an implant that allows the threat actor to remotely execute commands that run at the deepest regions of hacked devices, specifically the system or iOS levels.
"Cisco buried the lede by not mentioning thousands of Internet-facing IOS XE systems have been implanted," VulnCheck CTO Jacob Baines wrote. "VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks."