From 4c9f9bf81d84f09f43353fa2c780aea095116a19 Mon Sep 17 00:00:00 2001 From: Maximand Date: Wed, 18 Oct 2023 14:40:55 +0200 Subject: [PATCH 1/2] Cisco IOS-XE casefile --- _cases/2023/DIVD-2023-00038.md | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 _cases/2023/DIVD-2023-00038.md diff --git a/_cases/2023/DIVD-2023-00038.md b/_cases/2023/DIVD-2023-00038.md new file mode 100644 index 00000000..c4348369 --- /dev/null +++ b/_cases/2023/DIVD-2023-00038.md 
@@ -0,0 +1,58 @@ +--- +layout: case +title: Global Cisco IOS-XE (CVE-2023-20198) Implants +excerpt: "An unknown threat actor is using a recent authentication bypass vulnerability (CVE-2023-20198) on Cisco IOS-XE to backdoor Cisco appliances worldwide. " +author: Max van der Horst +lead: Ralph Horn, Max van der Horst +researchers: +- Ralph Horn +- Max van der Horst +cves: +- CVE-2023-20198 +product: +- Cisco IOS-XE +versions: +- All versions of Cisco IOS-XE +recommendation: Disable the Cisco WebUI and remove all management interfaces from the public Internet. If you have found an implant, consider starting your Incident Response procedure. +patch_status: patch unavailable +workaround: Disable HTTP(S) management interface access or implement an Access Control List. +status : Open +start: 2023-10-17 +end: +timeline: +- start: 2023-10-17 + end: + event: "DIVD starts researching CVE-2023-20198." +- start: 2023-10-17 + end: + event: "DIVD takes note of growing level of implants." +- start: 2023-10-18 + end: + event: "DIVD starts scanning for implants." + +# You can set IPs to n/a when this case isn't about IPs (e.g. stolen credentials) +--- +## Summary + +On October 16th, Cisco disclosed an authentication bypass vulnerability affecting Cisco IOS-XE appliances with CVE-ID CVE-2023-20198. An unknown threat actor is actively placing implants on the vulnerable appliances worldwide. This is a serious situation as implants allow threat actors to monitor traffic, gain access to the underlying system and pivot into protected networks. For additional guidance, please find the Cisco PSIRT advisory at the bottom of this page. + +## Recommendations + +Given that no patch is yet available, disable HTTP(S) access to any management interfaces if possible. If HTTP(S) access is required, implement an Access Control List to limit access. + +## What we are doing + +DIVD is scanning for implants on public-facing systems. 
Owners of such systems will receive a notification with this casefile and remediation steps. + + +{% comment %} Leave this here, so we see a timeline {% endcomment %} +{% include timeline.html %} + + +## More information + +* [CVE-2023-20198](https://nvd.nist.gov/vuln/detail/CVE-2023-20198) +* [VulnCheck Blog](https://vulncheck.com/blog/cisco-implants) +* [Talos Blog](https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/) +* [Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) + From 57d257538f317981ca66b0efcc407b4272a3f04a Mon Sep 17 00:00:00 2001 From: Ralph Date: Wed, 18 Oct 2023 14:45:24 +0200 Subject: [PATCH 2/2] Update DIVD-2023-00038.md --- _cases/2023/DIVD-2023-00038.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_cases/2023/DIVD-2023-00038.md b/_cases/2023/DIVD-2023-00038.md index c4348369..1d567da6 100644 --- a/_cases/2023/DIVD-2023-00038.md +++ b/_cases/2023/DIVD-2023-00038.md 
@@ -34,11 +34,11 @@ timeline: --- ## Summary -On October 16th, Cisco disclosed an authentication bypass vulnerability affecting Cisco IOS-XE appliances with CVE-ID CVE-2023-20198. An unknown threat actor is actively placing implants on the vulnerable appliances worldwide. This is a serious situation as implants allow threat actors to monitor traffic, gain access to the underlying system and pivot into protected networks. For additional guidance, please find the Cisco PSIRT advisory at the bottom of this page. +On October 16th, Cisco disclosed an authentication bypass vulnerability affecting Cisco IOS-XE appliances with CVE-ID CVE-2023-20198. An unknown threat actor is actively placing implants on the vulnerable appliances worldwide. This is a serious situation as implants allow threat actors to monitor traffic, gain access to the underlying system and move into protected networks. For additional guidance, please find the Cisco PSIRT advisory at the bottom of this page. ## Recommendations -Given that no patch is yet available, disable HTTP(S) access to any management interfaces if possible. If HTTP(S) access is required, implement an Access Control List to limit access. +No patch is currently available, therefore disable HTTP(S) access to any management interfaces if possible. If HTTP(S) access is required, implement an Access Control List to limit access. ## What we are doing
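Review bot: In the first patch's frontmatter, `versions` lists "All versions of Cisco IOS-XE" while the `recommendation` and `workaround` fields tie the exposure to the WebUI / HTTP(S) management interface being reachable; consider qualifying the entry (for example "All versions with the WebUI (HTTP(S) server) enabled") so recipients of the notification do not assume a device with the WebUI disabled is affected. The same frontmatter has `status : Open` with a stray space before the colon (every other key uses `key: value`) and a trailing space inside the `excerpt` string before the closing quote. In the timeline, "DIVD takes note of growing level of implants." reads better as "growing number of implants". Since the "What we are doing" section tells owners they will receive remediation steps but the casefile gives them no way to confirm whether an implant is present, a short pointer under "More information" to the detection guidance DIVD relies on for its own implant scanning would help recipients triage.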
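Review bot: In the second patch, the rewritten recommendation "No patch is currently available, therefore disable HTTP(S) access to any management interfaces if possible." joins two independent clauses with a comma; use a semicolon or split it: "No patch is currently available. Disable HTTP(S) access to any management interfaces if possible." The other change replaces "pivot into protected networks" with "move into protected networks"; if the aim was to avoid jargon, "move into" is vaguer than "pivot", so consider "use the compromised device to reach protected networks", which keeps the meaning for non-specialist recipients.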