24 October 2023

Backdoor planted on hacked Cisco IOS XE devices altered to evade detection

Over the weekend, reports emerged that the number of backdoored Cisco IOS XE devices compromised via two recently disclosed zero-day vulnerabilities had dropped from over 42,000 to mere hundreds. Some security researchers suggested that the implant had either been removed or updated, or that many of the hacked devices were being used as a ruse to hide the real targets.

NCC Group's Fox-IT team reported on Monday that they observed the backdoor on infected devices being modified to check for an Authorization HTTP header value before responding.

“Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check. Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set,” the company said, adding that using another fingerprinting method it identified 37,890 hacked Cisco devices.

Earlier this week, Cisco revealed that hackers exploited two zero-day vulnerabilities (CVE-2023-20198 and CVE-2023-20273) to breach Cisco IOS XE devices, create privileged user accounts and install a Lua backdoor.

Now, the company has updated its security advisory to include a curl command, which includes an 'Authorization' header, to check for the presence of the implant on the devices.

If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present, Cisco said.
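The check Cisco describes, a request carrying the specific Authorization header followed by a look at whether the body is a bare hexadecimal string, can be scripted so that a fleet of devices is tested consistently. The following is an added example, not Cisco's tooling or code from the article: it separates the response classification (testable offline) from the network call, and the header value and request path are placeholders that must be taken from Cisco's advisory, since neither is reproduced here.

```python
"""Check Cisco IOS XE devices for the implant described in Cisco's advisory.

Hypothetical checker (not Cisco's own tooling). It replays the advisory's
curl-style request, a POST carrying a specific Authorization header, and
classifies the response body. Per the advisory, a bare hexadecimal string
(e.g. 0123456789abcdef01) means the implant answered; an HTML page, an
empty body or a connection error does not.
"""
import re
import ssl
import urllib.error
import urllib.request

# Placeholders: the real header value and request path come from Cisco's
# security advisory; they are deliberately not reproduced here.
IMPLANT_AUTH_VALUE = "<Authorization value from Cisco advisory>"
IMPLANT_CHECK_PATH = "<request path from Cisco advisory>"

# The advisory's indicator is a hex string such as 0123456789abcdef01 (18 chars).
# Require at least 16 hex digits so short numeric bodies (e.g. "404") don't match.
HEX_RESPONSE = re.compile(r"[0-9a-f]{16,}", re.IGNORECASE)


def classify_response(body: str) -> str:
    """Return 'implant' if the body is only a hex indicator, else 'clean'."""
    stripped = body.strip()
    return "implant" if HEX_RESPONSE.fullmatch(stripped) else "clean"


def check_device(host: str, timeout: float = 5.0, verify_tls: bool = False) -> dict:
    """POST the advisory's request to one device and classify the reply."""
    url = f"https://{host}{IMPLANT_CHECK_PATH}"
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Device web UIs commonly present self-signed certificates; this
        # mirrors curl's -k. Re-enable verification where you have a CA.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Authorization": IMPLANT_AUTH_VALUE},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        # A non-compromised device may simply reject the request or time out;
        # record that separately rather than calling it clean.
        return {"host": host, "verdict": "error", "detail": str(exc)}
    return {"host": host, "verdict": classify_response(body), "detail": body[:64]}


# Constructed sample bodies for an offline dry run of the classifier.
SAMPLE_BODIES = {
    "implant-style reply": "0123456789abcdef01\n",
    "normal web ui page": "<html><head><title>Login</title></head><body>...</body></html>",
    "empty reply": "",
    "short numeric body": "404",
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:22s} -> {classify_response(body)}")
    # To test real devices: for host in hosts: print(check_device(host))
```

The classifier matches only when the whole body is a hex digit string, so an HTML error page that happens to contain a hash inside it is not flagged; an "error" verdict is kept distinct from "clean" because a device that drops the request has not been verified either way.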
