ASD Alerts: BADCANDY Attacks Exploit Cisco IOS XE Vulnerability
The Australian Signals Directorate (ASD) has raised alarms about a series of cyber attacks leveraging the BADCANDY implant. This malicious software exploits a critical vulnerability in Cisco IOS XE devices, identified as CVE-2023-20198.
Overview of the Cisco IOS XE Vulnerability
CVE-2023-20198 carries a CVSS score of 10.0, the highest possible severity. The flaw lets a remote, unauthenticated attacker create a privileged account on the device and thereby take complete control of the affected system. It has been actively exploited since 2023, notably by China-linked groups such as Salt Typhoon.
BADCANDY Implant Details
The BADCANDY implant has been observed since October 2023, and attacks continued through 2024 and into 2025. ASD estimates that as of July 2025 approximately 400 devices in Australia had been compromised by this malware; in October alone, 150 devices were reported infected.
Characteristics of BADCANDY
- BADCANDY operates as a Lua-based web shell.
- The implant is non-persistent: it does not survive a reboot of the device.
- Even so, a device that is rebooted but left unpatched remains susceptible to reinfection.
Risks and Mitigation
ASD notes that the threat actors have developed ways to detect when the BADCANDY implant has been removed and then reinfect the device. Removing the implant on its own is therefore not a fix; the device must also be patched and hardened.
Recommended Actions for System Operators
- Patch devices promptly to address CVE-2023-20198.
- Limit public exposure of the web user interface.
- Review configuration for accounts with privilege level 15 and eliminate unauthorized entries.
- Remove suspicious accounts whose names are random strings or known defaults such as "cisco_tac_admin" or "cisco_support".
- Examine configuration for unknown tunnel interfaces.
- Monitor TACACS+ AAA command accounting logs for unauthorized changes.
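As an added example (not part of the ASD alert or of any Cisco tooling), the following Python script applies the privilege-15 account and tunnel-interface checks above to a constructed running-config excerpt; the expected-account and expected-tunnel sets, the random-name heuristic and the sample config are assumptions you would replace with your own baseline.

```python
import re
# Constructed sample excerpt of an IOS XE running-config (not captured from any real device).
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username xk3qz9f privilege 15 secret 9 $9$placeholder
username backup_ops privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
interface Tunnel99
 tunnel source GigabitEthernet1
"""

# Default-looking names cited in the ASD alert; extend with your own watch list.
KNOWN_DEFAULT_NAMES = {"cisco_tac_admin", "cisco_support"}
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
TUNNEL_RE = re.compile(r"^interface\s+(Tunnel\d+)\s*$")

def looks_random(name: str) -> bool:
    """Heuristic (assumption): mixed letters and digits with almost no vowels reads as random."""
    letters = [c for c in name if c.isalpha()]
    digits = [c for c in name if c.isdigit()]
    if not letters or not digits:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25

def audit_privileged_accounts(config: str, expected: set[str]) -> list[tuple[str, str]]:
    """Return (username, reason) for every privilege-15 account not in the expected set."""
    findings = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line)
        if not m or int(m.group(2)) != 15:
            continue
        name = m.group(1)
        if name in expected:
            continue
        if name in KNOWN_DEFAULT_NAMES:
            findings.append((name, "known default name"))
        elif looks_random(name):
            findings.append((name, "random-looking name"))
        else:
            findings.append((name, "not in expected list"))
    return findings

def audit_tunnel_interfaces(config: str, expected: set[str]) -> list[str]:
    """Return tunnel interfaces present in the config but missing from the expected set."""
    found = [m.group(1) for m in map(TUNNEL_RE.match, config.splitlines()) if m]
    return [t for t in found if t not in expected]
```

Run it against `show running-config` output saved to a file, passing the accounts and tunnels from your change-management baseline as the expected sets; anything returned should be reconciled with TACACS+ command accounting before it is removed.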
Implementing these measures is essential to mitigating the risk from ongoing threats such as BADCANDY; system operators must remain vigilant and proactive to protect their infrastructure.