Advisory severity: high

Cisco Privileged Account Creation Followed by HTTP Command Execution

Attackers create privileged accounts on Cisco IOS devices and then execute commands remotely via HTTP to gain privileged access.

This threat involves attackers targeting Cisco IOS devices to establish a foothold and execute commands with elevated privileges. The observed technique involves the creation of privileged accounts followed by command execution via HTTP requests. This approach circumvents the need for interactive SSH access, enabling attackers to remotely control the compromised device. This activity has been associated with APT actors. The attacks leverage HTTP GET or POST requests directed towards privileged execution paths, commonly using URLs like /level/15/exec/-/*. This allows attackers to gain the highest privilege level (level 15) on Cisco devices, potentially leading to significant network compromise.

Attack Chain

  1. The attacker gains initial access to the network, potentially through vulnerabilities in other network devices or services.
  2. The attacker scans the network to identify Cisco IOS devices.
  3. The attacker exploits a vulnerability or uses stolen credentials to access the Cisco IOS device.
  4. The attacker creates a new privileged account on the Cisco IOS device. This account is typically configured with level 15 privileges.
  5. The attacker uses HTTP GET or POST requests to target privileged execution paths, such as /level/15/exec/-/*.
  6. These HTTP requests contain commands that the attacker wants to execute on the Cisco IOS device.
  7. The Cisco IOS device executes the commands with the privileges of the newly created account.
  8. The attacker leverages the compromised Cisco IOS device to further explore the network, exfiltrate data, or disrupt network operations.

Impact

Successful exploitation can lead to full compromise of the Cisco device and potentially the entire network. Attackers can use the compromised device to intercept network traffic, disrupt network services, exfiltrate sensitive data, or pivot to other systems within the network. Due to the high privilege level obtained, attackers can modify device configurations, add new users, or disable security features.

Recommendation

  • Enable logging on Cisco IOS devices (including configuration-change and HTTP server logging) and forward the logs to a SIEM for analysis.
  • Enable and tune the “Cisco IOS Suspicious Privileged Account Creation” and “Cisco Secure Firewall - Privileged Command Execution via HTTP” detections in your security tools, and ensure both generate risk events on the same entity field (the device) so they can be correlated.
  • Investigate any correlated risk events generated by this analytic, focusing on devices where a privileged account creation was followed by HTTP command execution.
  • Restrict HTTP access to Cisco IOS devices to management networks and enforce strong authentication for all access methods.
  • Regularly review and audit user accounts on Cisco IOS devices to identify and remove any unauthorized accounts, paying particular attention to accounts configured with privilege level 15.
  • Deploy the provided correlation search to detect correlated risk events between privileged account creation and HTTP command execution on the same device.

Detection coverage (1)

Detect Cisco IOS Privileged Account Creation followed by HTTP Command Execution

Severity: high

Detects correlated risk events indicating privileged account creation on Cisco IOS devices followed by privileged command execution via HTTP, based on correlation of two risk events on the same device.

Format: sigma
Tactics: lateral_movement, privilege_escalation
Techniques: T1021.004
Sources: risk, splunk
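The correlation described in the recommendations and in the detection above (a privileged account creation on a device, followed within a time window by a request to a /level/15/exec/ path on the same device) can be prototyped offline. The following is an added example written for this page, not the platform's own correlation search or rule: the event field names (ts, dest, type, user, command, url) and the sample events are constructed assumptions, and real deployments would map them from the SIEM's normalized fields instead.

```python
"""Correlate Cisco IOS privileged account creation with later privileged
HTTP command execution on the same device.

Added example for this advisory; not the platform's rule. Event schema and
sample data below are constructed assumptions.
"""
from datetime import datetime, timedelta
import re

# Constructed sample events (assumed schema, not a vendor log format).
# "config" events carry the logged configuration command; "http" events
# carry the request path seen by the device's HTTP server or a proxy.
SAMPLE_EVENTS = [
    # Non-privileged account: should not trigger.
    {"ts": "2024-05-01T09:58:00", "dest": "rtr-core-1", "type": "config",
     "user": "netops", "command": "username backup-op privilege 5 secret ****"},
    # Level-15 account creation followed 12.5 minutes later by a
    # privileged exec request from that same new account: should trigger.
    {"ts": "2024-05-01T10:00:00", "dest": "rtr-core-1", "type": "config",
     "user": "netops", "command": "username svc-mgmt privilege 15 secret ****"},
    {"ts": "2024-05-01T10:12:30", "dest": "rtr-core-1", "type": "http",
     "user": "svc-mgmt", "method": "GET", "url": "/level/15/exec/-/show/version"},
    # Ordinary HTTP request on the same device: not a privileged exec path.
    {"ts": "2024-05-01T10:20:00", "dest": "rtr-core-1", "type": "http",
     "user": "svc-mgmt", "method": "GET", "url": "/index.html"},
    # Privileged exec request that precedes any account creation: no trigger.
    {"ts": "2024-05-01T10:15:00", "dest": "rtr-edge-7", "type": "http",
     "user": "admin", "method": "GET", "url": "/level/15/exec/-/show/version"},
    # Account creation whose follow-up exec request is 25 hours later,
    # outside the default 24-hour window: no trigger.
    {"ts": "2024-05-02T08:00:00", "dest": "rtr-edge-7", "type": "config",
     "user": "admin", "command": "username audit-ro privilege 15 secret ****"},
    {"ts": "2024-05-03T09:00:00", "dest": "rtr-edge-7", "type": "http",
     "user": "audit-ro", "method": "GET", "url": "/level/15/exec/-/show/version"},
]

# "username <name> privilege 15 ..." as logged for a level-15 account.
ACCOUNT_CREATE_RE = re.compile(r"\busername\s+(\S+)\s+privilege\s+15\b")
# Privileged execution path from the advisory (/level/15/exec/-/*).
PRIV_EXEC_RE = re.compile(r"^/level/15/exec/", re.IGNORECASE)


def privileged_account_created(event):
    """Return the account name if this config event creates a level-15 user."""
    if event.get("type") != "config":
        return None
    match = ACCOUNT_CREATE_RE.search(event.get("command", ""))
    return match.group(1) if match else None


def is_privileged_http_exec(event):
    """True if this HTTP event targets a level-15 exec path."""
    return event.get("type") == "http" and bool(PRIV_EXEC_RE.match(event.get("url", "")))


def correlate(events, window=timedelta(hours=24)):
    """Return one alert per privileged HTTP exec that follows a level-15
    account creation on the same device within `window`."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    creations = {}  # dest -> [(created_at, account, created_by), ...]
    alerts = []
    for event in ordered:
        ts = datetime.fromisoformat(event["ts"])
        account = privileged_account_created(event)
        if account:
            creations.setdefault(event["dest"], []).append((ts, account, event.get("user")))
            continue
        if not is_privileged_http_exec(event):
            continue
        for created_at, created_account, created_by in creations.get(event["dest"], []):
            delta = ts - created_at
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "dest": event["dest"],
                    "created_account": created_account,
                    "created_by": created_by,
                    "created_at": created_at.isoformat(),
                    "exec_user": event.get("user"),
                    "url": event["url"],
                    "seconds_between": int(delta.total_seconds()),
                    # Higher confidence when the new account itself is used.
                    "same_account": event.get("user") == created_account,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the rtr-core-1 sequence produces an alert; the request that arrives before the account creation on rtr-edge-7 and the one that arrives 25 hours after it do not, which is the ordering and window behaviour a correlation search needs. The same_account flag separates the highest-confidence case (the newly created account is the one issuing the request) from a looser same-device match that still deserves review.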
