Number of Hacked Cisco IOS XE Devices Plummets from Over 50,000 to Only a Few Hundred
ICARO Media Group
The number of Cisco IOS XE devices impacted by a malicious backdoor implant has significantly decreased from over 50,000 to only a few hundred, leaving researchers puzzled about the cause behind this sharp decline, as reported by BleepingComputer.
Earlier this week, Cisco issued a warning regarding the exploitation of two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, which resulted in the hacking of over 50,000 Cisco IOS XE devices. These attacks aimed to create privileged user accounts and install a malicious Lua backdoor implant.
Since the disclosure of these vulnerabilities, cybersecurity experts have examined publicly exposed Cisco IOS XE devices and discovered that approximately 60,000 out of the 80,000 devices were compromised with the backdoor implant.
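Because the attacks described above created privileged local accounts, one check an operator can run while waiting for fuller analysis is to diff the local user list against what is expected. The script below is an added illustration, not code from Cisco, BleepingComputer or ICARO: it parses a constructed IOS XE running-config excerpt and flags privilege-15 accounts that are not on an operator allowlist. The hostname, account names, hashes and allowlist are all assumptions made up for the example.

```python
import re

# Constructed sample of a Cisco IOS XE running-config excerpt (not from any real device).
# "svc_unknown" is a placeholder standing in for an account the operator did not create.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-router-01
!
username netops privilege 15 secret 9 $9$EXAMPLEHASHREDACTED
username monitor privilege 1 secret 9 $9$EXAMPLEHASHREDACTED
username helpdesk secret 9 $9$EXAMPLEHASHREDACTED
username svc_unknown privilege 15 secret 9 $9$EXAMPLEHASHREDACTED
!
"""

# Accounts the operator expects to hold privilege 15 (assumed allowlist for this example).
EXPECTED_PRIV15 = {"netops"}

# 'username NAME [privilege N] ...'; a missing privilege keyword means the IOS default of 1.
USERNAME_LINE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def local_users(config_text):
    """Return {username: privilege_level} for every 'username' line in the config."""
    users = {}
    for line in config_text.splitlines():
        m = USERNAME_LINE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
    return users


def unexpected_privileged_users(config_text, expected=EXPECTED_PRIV15):
    """Sorted list of privilege-15 accounts that are not on the operator's allowlist."""
    return sorted(
        name for name, level in local_users(config_text).items()
        if level == 15 and name not in expected
    )


if __name__ == "__main__":
    # Pipe in the output of 'show running-config' in practice; here the constructed sample is used.
    for name in unexpected_privileged_users(SAMPLE_RUNNING_CONFIG):
        print(f"review: unexpected privilege-15 account '{name}'")
```

A hit from this check is only a prompt to investigate (the account could be a forgotten legitimate one); the page notes that confirming or ruling out compromise still depends on analysis of the device itself by Cisco or other researchers.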
However, on Saturday, several cybersecurity organizations reported a sudden drop in the number of Cisco IOS XE devices affected by the implant. According to different scans, the count has fallen to a range of only 100 to 1,200 devices.
Comments from industry experts shed light on potential reasons behind this decline. Patrice Auffret, the Founder & CTO of Onyphe, expressed his belief that the threat actors responsible for the attacks are deploying updates to conceal their presence, thereby making the malicious implants undetectable during scans. Auffret stated, "They are probably deploying an update to hide their presence."
Piotr Kijewski, the CEO of The Shadowserver Foundation, confirmed the drop in implants since October 21st. Their scans have shown a decrease to only 107 devices still impacted by the malicious implant. Kijewski suggested that the implant might have been removed or updated in some way.
Another theory put forward by some researchers is the possibility of a gray-hat hacker automatically rebooting the compromised Cisco IOS XE devices to eliminate the implant. This scenario draws a parallel to a similar campaign observed in 2018, where a hacker claimed to have protected 100,000 MikroTik routers from cryptojacking and DDoS attacks.
However, Orange Cyberdefense CERT for the Orange Group dismissed the theory of a gray-hat hacker's involvement in the decline of implants. Instead, they proposed that this could be a new phase of exploitation aimed at hiding the implant traces.
At present, various theories exist, but without further analysis conducted by Cisco or other researchers on previously compromised Cisco IOS XE devices, it is challenging to determine the exact cause for this drastic reduction.
BleepingComputer reached out to Cisco for comments regarding the decline in implants but has not yet received a response.
The sudden drop in the number of hacked Cisco IOS XE devices raises intriguing questions about the actions taken by threat actors or possibly unknown forces attempting to manipulate the situation. The cybersecurity community eagerly awaits further updates and insights into the situation to shed light on these mysterious events.