EclecticIQ

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

Cisco IOS XE Web UI Privilege Escalation Vulnerability; Sandworm Targets Ukrainian Telecom

This issue of the Analyst Prompt addresses a Cisco IOS XE Web UI privilege escalation vulnerability, cyberattacks from Sandworm threat actor targeting Ukrainian telecom industry and exploitation details about an unpatched WS_FTP Servers for ransomware delivery.

Arda Büyükkaya October 25, 2023

tap 20 - 2023

Cisco IOS XE Software Web UI Privilege Escalation Vulnerability Exploited in the Wild  

On October 16, 2023, Cisco warned of a critical severity (base score 10) privilege escalation vulnerability tracked as CVE-2023-20198 in IOS XE software [1]. Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting full control of the compromised device and allowing unauthorized activity. 

Since there is no workaround or patch available at the time of reporting, threat actors will very likely increasingly use CVE-2023-20198 exploits to obtain initial access from victim networks.  

According to OSINT data source from Shodan, there are more than 143,000 publicly exposed Cisco IOS web servers possibly vulnerable to CVE-2023-20198. Sources from Shadowserver [2] suggest that over 32,000 Cisco IOS XE IPs are compromised with implants based on the check published by Cisco [3]. 

CERT Orange discovered 34.5 thousand Cisco IOS XE IPs devices with malicious implants [4], and released a Python script to check for existence of the malicious implant on a running Cisco IOS XE network device [5]. 

TAP 20 - Shodan Report Screenshot

Figure 1 – OSINT data from Shodan showing publicly exposed
Cisco IOS XE (click on image to open in separate tab).
 

Sandworm Threat Actor Targeted Ukrainian Telecom Industry       

Ukraine's Computer Emergency Response Team (CERT-UA) reported a Russian state APT group known as Sandworm (also referred to as BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has targeted eleven Ukrainian internet and telecom providers since May [6]. 

The Sandworm threat actors employed various malware, including Poemgate and Poseidon, to steal credentials and control infected devices. Threat actors also used Whitecat - a custom malware - to erase any forensic evidence. The CERT-UA report indicated that the threat actor infiltrated the victims' networks using compromised VPN accounts that lacked multi-factor authentication (MFA) to cause service interruptions. 

This attack shows the importance of multi-factor authentication (MFA) for VPN account security. Compromised VPN accounts are used by wide spectrum of threat actors to get initial access from victim network.
 

Unpatched WS_FTP Servers Exploited for Ransomware Delivery  

On September 27, Progress Software released security updates to address a critical WS_FTP Server vulnerability, urging admins to upgrade vulnerable instances [7]. The vulnerability tracked as CVE-2023-40044 is caused by a .NET deserialization vulnerability in the Ad Hoc Transfer Module, enabling unauthenticated attackers to execute commands via HTTP requests remotely [8]. Researchers from Assetnote security who first discovered the WS_FTP bug, released proof-of-concept (PoC) exploit code just days after it was patched, which makes it easier to perform mass exploitation WS_FTP Servers [9]. 

EclecticIQ analysts assess with moderate confidence that the existence of a proof-of-concept will enable threat actors to perform exploitation more easily. It is almost certain that threat actors will attempt to exploit the vulnerability to obtain a foothold into an organization's networks. 

According to Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group performed mass exploitation of CVE-2023-40044 to deploy Lockbit 3.0 ransomware [10]. After the initial access, the threat actors attempted to escalate privileges using the open-source GodPotato tool, which allows privilege escalation to 'NT AUTHORITY\SYSTEM' across Windows client (Windows 8 to Windows 11) and server (Windows Server 2012 to Windows Server 2022) platforms [11].
   

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

You might also be interested in:

Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia

Ransomware and DDoS Feature in The Apex of Crime-as-a-Service Report

Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang

Appendix

[1] “NVD - CVE-2023-20198.” Accessed: Oct. 17, 2023. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2023-20198  

[2] Shadowserver [@Shadowserver], “Cisco CVE-2023-20198 exploitation activity: We see over 32.8K Cisco IOS XE IPs compromised with implants based on the check published by Cisco in https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/ IP data on implants shared out daily in: https://shadowserver.org/what-we-do/network-reporting/compromised-website-report/ tagged ‘device-implant’. https://t.co/iJUNHAOTje,” Twitter. Accessed: Oct. 18, 2023. [Online]. Available: https://twitter.com/Shadowserver/status/1714483336876355873  

[3] “Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability,” Cisco Talos Blog. Accessed: Oct. 18, 2023. [Online]. Available: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/  

[4] “CERT Orange Cyberdefense on X,” X (formerly Twitter). Accessed: Oct. 20, 2023. [Online]. Available: https://twitter.com/CERTCyberdef/status/1714567941184749609  

[5] C. O. CyberDefense, “CVE-2023-20198.” Oct. 20, 2023. Accessed: Oct. 20, 2023. [Online]. Available: https://github.com/cert-orangecyberdefense/Cisco_CVE-2023-20198 

[6] “CERT-UA,” cert.gov.ua. Accessed: Oct. 18, 2023. [Online]. Available: https://cert.gov.ua/  

[7] “WS_FTP Server Critical Vulnerability - (September 2023) - Progress Community.” Accessed: Oct. 18, 2023. [Online]. Available: https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023  

[8] “CVE-2023-40044,” AttackerKB. Accessed: Oct. 18, 2023. [Online]. Available: https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044  

[9] “RCE in Progress WS_FTP Ad Hoc via IIS HTTP Modules (CVE-2023-40044).” Accessed: Oct. 19, 2023. [Online]. Available: https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044  

[10] S. (@SophosXOps@infosec. exchange) X-Ops, “The ransomware actors didn’t wait long to abuse the recently reported vulnerability in WS_FTP Server software. Even though Progress Software…,” Mastodon. Accessed: Oct. 18, 2023. [Online]. Available: https://infosec.exchange/@SophosXOps/111222943608438109   

[11] beichen, “GodPotato.” Oct. 18, 2023. Accessed: Oct. 18, 2023. [Online]. Available: https://github.com/BeichenDream/GodPotato 

Receive all our latest updates

Subscribe to receive the latest EclecticIQ news, event invites, and Threat Intelligence blog posts.

Explore all topics

© 2014 – 2024 EclecticIQ B.V.
EclecticIQ. Intelligence, Automation, Collaboration.
Get demo