
Cisco IOS XE Exploitation: Honeypot Reveals Attack Details #shorts

BSides Frankfurt · 1:56 · 9 views · Published 2026-02
About this talk
Unpacking the 2023 Cisco IOS XE vulnerabilities. Discover how honeypots revealed widespread exploitation and the critical importance of securing internet-exposed management interfaces. #CISCO #IOSXE #CyberSecurity #NetworkSecurity #Vulnerabilities #IncidentResponse
Transcript [en]

Right. So now we come to our four uh main actors for today. Uh that's Fortinet, Citrix and Cisco. Uh in no particular order, but um somehow most of them are uh involved in some way if we are called for an incident.

So yeah, let's start off with the case one. Uh that's Cisco IOS XE and we'll take a short trip back in time uh to late 2023. Some of you might say, okay, that's a bit far off. Um, might be old news, but trust me, that's still very recent news. I will come to that in a few slides. Um, but basically, back in 2023, there were there was one or two, we didn't really know, vulnerabilities in Cisco IOS XE devices. And Cisco published this to generally raise awareness that these issues exist but didn't provide any actual proof or uh indicators of compromise and we suspect that this campaign was highly targeted. Um but after Cisco published this information in general uh the actor switched to an internet-wide exploitation campaign to kind of muddy the waters and um that's where we came in because we didn't have any information or indicators what to look for. So what we did is we set up honeypots um using actual Cisco devices and monitored them for exploitation.

Um yeah so as a short introduction um what is Cisco IOS XE? Uh it runs on a lot of devices which equals an enormous attack surface. We have routers, wireless equipment and switches for example. And the general precondition was that the management interface had to be internet exposed um for the exploit to be thrown over the