{"id":985463,"date":"2023-10-24T18:58:08","date_gmt":"2023-10-24T20:58:08","guid":{"rendered":"https:\/\/teknomers.com\/fr\/implantation-de-porte-derobee-sur-des-appareils-cisco-pirates-modifies-pour-echapper-a-la-detection\/"},"modified":"2023-10-24T18:58:12","modified_gmt":"2023-10-24T20:58:12","slug":"implantation-de-porte-derobee-sur-des-appareils-cisco-pirates-modifies-pour-echapper-a-la-detection","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/implantation-de-porte-derobee-sur-des-appareils-cisco-pirates-modifies-pour-echapper-a-la-detection\/","title":{"rendered":"Implantation de porte d\u00e9rob\u00e9e sur des appareils Cisco pirat\u00e9s modifi\u00e9s pour \u00e9chapper \u00e0 la d\u00e9tection"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">24 octobre 2023<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">R\u00e9daction<\/span><\/span><span class=\"p-tags\">Cybermenace\/vuln\u00e9rabilit\u00e9<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2023\/10\/Implantation-de-porte-derobee-sur-des-appareils-Cisco-pirates-modifies.jpg\" style=\"clear: left; display: block; float: left; text-align: center;\"><\/a><\/div>\n<p>La porte d\u00e9rob\u00e9e implant\u00e9e sur les appareils Cisco en exploitant deux failles zero-day dans le logiciel IOS XE a \u00e9t\u00e9 modifi\u00e9e par l&#8217;acteur malveillant afin d&#8217;\u00e9chapper \u00e0 la visibilit\u00e9 via les m\u00e9thodes d&#8217;empreintes digitales pr\u00e9c\u00e9dentes.<\/p>\n<p>&#8220;L&#8217;enqu\u00eate sur le trafic r\u00e9seau vers un appareil compromis a montr\u00e9 que l&#8217;acteur malveillant a mis \u00e0 niveau l&#8217;implant pour effectuer une v\u00e9rification d&#8217;en-t\u00eate suppl\u00e9mentaire&#8221;, a d\u00e9clar\u00e9 l&#8217;\u00e9quipe Fox-IT du groupe NCC. <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/fox-it\/cisco-ios-xe-implant-detection\" target=\"_blank\">dit<\/a>.  &#8220;Ainsi, pour de nombreux appareils, l&#8217;implant est toujours actif, mais ne r\u00e9pond d\u00e9sormais que si l&#8217;en-t\u00eate HTTP d&#8217;autorisation correct est d\u00e9fini.&#8221;<\/p>\n<p>Les attaques consistent \u00e0 transformer CVE-2023-20198 (score CVSS : 10,0) et CVE-2023-20273 (score CVSS : 7,2) en une cha\u00eene d&#8217;exploitation qui donne \u00e0 l&#8217;acteur malveillant la possibilit\u00e9 d&#8217;acc\u00e9der aux appareils, de cr\u00e9er un compte privil\u00e9gi\u00e9, et finalement d\u00e9ployer un implant bas\u00e9 sur Lua sur les appareils.<\/p>\n<div class=\"check_two clear babsi\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/thn.news\/moon-i-2.1\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"La cyber-s\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2023\/10\/Les-Bing-Chat-Ads-de-Microsoft-alimentees-par-lIA-peuvent.png\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>Ce d\u00e9veloppement intervient alors que Cisco a commenc\u00e9 \u00e0 d\u00e9ployer des mises \u00e0 jour de s\u00e9curit\u00e9 pour <a rel=\"nofollow noopener\" href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2023\/10\/23\/cisa-updates-guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities\" target=\"_blank\">aborder les probl\u00e8mes<\/a>avec d&#8217;autres mises \u00e0 jour \u00e0 venir \u00e0 une date encore inconnue.<\/p>\n<p>L&#8217;identit\u00e9 exacte de l&#8217;auteur de la menace \u00e0 l&#8217;origine de la campagne n&#8217;est actuellement pas connue, bien que le nombre d&#8217;appareils concern\u00e9s soit estim\u00e9 \u00e0 plusieurs milliers, sur la base des donn\u00e9es partag\u00e9es par VulnCheck et la soci\u00e9t\u00e9 de gestion de surface d&#8217;attaque Censys.<\/p>\n<p>&#8220;Les infections ressemblent \u00e0 des piratages massifs&#8221;, a d\u00e9clar\u00e9 Mark Ellzey, chercheur principal en s\u00e9curit\u00e9 chez Censys, \u00e0 The Hacker News.  &#8220;Il y aura peut-\u00eatre un moment o\u00f9 les pirates examineront ce qu&#8217;ils ont et d\u00e9termineront si quelque chose vaut quelque chose.&#8221;<\/p>\n<p>Cependant, le nombre d&#8217;appareils compromis <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/onyphe\/status\/1715633541264900217\" target=\"_blank\">s&#8217;est effondr\u00e9<\/a> <a rel=\"nofollow noopener\" href=\"https:\/\/dashboard.shadowserver.org\/statistics\/combined\/time-series\/?date_range=7&amp;source=compromised_website&amp;source=compromised_website6&amp;tag=device-implant%2B&amp;group_by=geo&amp;style=stacked\" target=\"_blank\">ces derniers jours<\/a>passant d&#8217;environ 40 000 \u00e0 quelques centaines, ce qui laisse supposer qu&#8217;il pourrait y avoir eu quelques <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/CERTCyberdef\/status\/1715787627800969374\" target=\"_blank\">changements sous le capot<\/a> pour cacher sa pr\u00e9sence.<\/p>\n<p>Les derni\u00e8res modifications de l&#8217;implant d\u00e9couvertes par Fox-IT expliquent la raison de cette baisse soudaine et spectaculaire, car il a \u00e9t\u00e9 observ\u00e9 que plus de 37 000 appareils \u00e9taient encore compromis avec l&#8217;implant.<\/p>\n<div class=\"check_two clear babsi\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/thn.news\/cis-d\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"La cyber-s\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2023\/10\/1696132289_209_Les-Bing-Chat-Ads-de-Microsoft-alimentees-par-lIA-peuvent.png\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>Cisco, de son c\u00f4t\u00e9, a <a rel=\"nofollow noopener\" href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-iosxe-webui-privesc-j22SaA4z\" target=\"_blank\">confirm\u00e9<\/a> le <a rel=\"nofollow noopener\" href=\"https:\/\/blog.talosintelligence.com\/active-exploitation-of-cisco-ios-xe-software\/\" target=\"_blank\">changement de comportement<\/a> dans ses avis mis \u00e0 jour, partageant une commande curl pouvant \u00eatre \u00e9mise depuis un poste de travail pour v\u00e9rifier la pr\u00e9sence de l&#8217;implant sur les appareils &#8211;<\/p>\n<blockquote><p><i>curl -k -H &#8220;Autorisation\u00a0: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb&#8221; -X POST &#8220;https:\/\/systemip\/webui\/logoutconfirm.html?logon_hash=1&#8221;<\/i><\/p><\/blockquote>\n<p>&#8220;Si la requ\u00eate renvoie une cha\u00eene hexad\u00e9cimale telle que 0123456789abcdef01, l&#8217;implant est pr\u00e9sent&#8221;, a not\u00e9 Cisco.<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant ?  Suivez-nous sur <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Twitter <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">LinkedIn<\/a> pour lire plus de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2023\/10\/backdoor-implant-on-hacked-cisco.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80224 octobre 2023\ue804R\u00e9dactionCybermenace\/vuln\u00e9rabilit\u00e9 La porte d\u00e9rob\u00e9e implant\u00e9e sur les appareils Cisco en exploitant deux failles zero-day dans le logiciel IOS XE a \u00e9t\u00e9 modifi\u00e9e par l&#8217;acteur malveillant afin d&#8217;\u00e9chapper \u00e0 la visibilit\u00e9 via les m\u00e9thodes d&#8217;empreintes digitales pr\u00e9c\u00e9dentes. &#8220;L&#8217;enqu\u00eate sur le trafic r\u00e9seau vers un appareil compromis a montr\u00e9 que l&#8217;acteur malveillant a mis \u00e0 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":985464,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[200292,8737,5859,4168,4165,4161,200267,7084,133,41161,21314,210880,4159,4171,200271,200268,105216,200269,200270,4394,2742,185,128318,4172,4169,60,4166,4164],"class_list":["post-985463","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-sur-la-cybersecurite","tag-appareils","tag-cisco","tag-comment-pirater","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-cyberactualites","tag-derobee","tag-des","tag-detection","tag-echapper","tag-implantation","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-logiciel-malveillant-rancongiciel","tag-mises-a-jour-sur-la-cybersecurite","tag-modifies","tag-nouvelles-des-pirates","tag-nouvelles-sur-le-piratage","tag-pirates","tag-porte","tag-pour","tag-securite-des-informations","tag-securite-informatique","tag-securite-internet","tag-sur","tag-violation-de-donnees","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/985463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=985463"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/985463\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/985464"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=985463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=985463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=985463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}