Malware Creators Monitor Your Attempts to Erase Their Code

A newly reported implant, “BADCANDY”, has been found on unpatched Cisco IOS XE devices. It is a Lua-based web shell planted through the IOS XE web UI, and the actors operating it appear to notice when it has been removed and simply put it back, which makes cleanup without patching futile.

Overview of BADCANDY Implant

The Australian Signals Directorate (ASD) reported that the actors behind BADCANDY can tell when the implant has been removed from a device and will re-exploit it. Initial access comes through CVE-2023-20198, a flaw in the IOS XE web UI rated critical (CVSS 10.0) that lets an unauthenticated remote attacker create a local account with privilege level 15 (full administrative control); the implant is deployed after that foothold is gained.

Vulnerability Exploitation

  • Target: Unpatched Cisco IOS XE devices with the web UI (HTTP/HTTPS server) exposed
  • Exploited Vulnerability: CVE-2023-20198 (disclosed by Cisco in October 2023)
  • Implication: As long as the vulnerability remains, attackers can regain control after the implant is deleted

The ASD emphasizes that rebooting an infected device removes the BADCANDY implant only because the implant is not persistent across reboots; it does nothing about the vulnerability that was used to plant it. Rebooting without patching also signals to the operators that the implant is gone, and they have been observed re-exploiting such devices.

Need for Immediate Patching

The advisory from the ASD stresses the urgency of patching devices against CVE-2023-20198; that is the only step that actually stops re-exploitation by the BADCANDY operators. Until a fixed release is installed, Cisco's published mitigations apply: disable the web UI (`no ip http server` and `no ip http secure-server`) or restrict it to trusted addresses with `ip http access-class`, and review the running configuration for privilege-15 local accounts that nobody on the team created.
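The two checks above can be run against a saved `show running-config` without touching the device interactively. The script below is an added example written for this page, not ASD or Cisco tooling: it flags an enabled HTTP or HTTPS web UI listener and any privilege-15 account that is not in an allowlist you maintain. The sample configuration and the `KNOWN_ADMINS` set are constructed for illustration.

```python
"""Audit a saved Cisco IOS XE running-config for the conditions the BADCANDY
advisory ties to re-exploitation: the web UI still listening, and privilege-15
local accounts that nobody can vouch for. Input is the text of
`show running-config`; the sample below is constructed, not from a real device.
"""
import re

# Constructed sample: web UI enabled over HTTP and HTTPS, plus one
# privilege-15 account that is not in the change records.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$redacted-hash-1
username cisco_tac_admin privilege 15 secret 9 $9$redacted-hash-2
username monitor privilege 1 secret 9 $9$redacted-hash-3
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Assumption for the example: the accounts your own change records explain.
KNOWN_ADMINS = {"netadmin"}

# Remediation lines for the interim (pre-patch) hardening, for reference.
REMEDIATION = ("no ip http server", "no ip http secure-server")

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def web_ui_enabled(config: str) -> dict:
    """Return which web UI listeners the config enables.

    IOS XE renders an enabled listener as a bare `ip http server` /
    `ip http secure-server` line and a disabled one with a `no ` prefix.
    A listener that does not appear at all is reported as off here; confirm
    the live state with `show ip http server status` if in doubt.
    """
    state = {"http": False, "https": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
    return state


def unknown_privilege15_users(config: str, known: set) -> list:
    """List local users configured with privilege 15 that are not allowlisted."""
    found = []
    for raw in config.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if m and m.group(2) == "15" and m.group(1) not in known:
            found.append(m.group(1))
    return found


def audit(config: str, known: set) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    ui = web_ui_enabled(config)
    if ui["http"]:
        findings.append("web UI reachable over HTTP; apply `no ip http server` "
                        "or restrict with `ip http access-class` until patched")
    if ui["https"]:
        findings.append("web UI reachable over HTTPS; apply `no ip http secure-server` "
                        "or restrict with `ip http access-class` until patched")
    for user in unknown_privilege15_users(config, known):
        findings.append(f"unrecognised privilege-15 account: {user}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, KNOWN_ADMINS):
        print("FINDING:", finding)
```

Run it over the output of `show running-config` collected from each device (for example via your existing configuration-backup job). A device that produces no findings can still be compromised if it was exploited before the account was renamed or removed, so treat a clean audit as a prerequisite for patching, not a substitute for it.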

Additional Cybersecurity Threats

Other serious incidents have emerged within the cybersecurity landscape. A former executive of the defense contractor L3Harris pleaded guilty to selling sensitive exploit tools to a Russian company. Peter Williams, based in Washington, D.C., admitted to transmitting national-security-related trade secrets in exchange for approximately $1.3 million in cryptocurrency.

Implications of Cyber Espionage

  • Accused: Peter Williams
  • Charges: Two counts of theft of trade secrets
  • Potential Sentence: Over 11 years in prison
  • Amount Received: $1.3 million

In a separate development, Palo Alto Networks disclosed a malware strain named “Airstalk”, which it attributes to a suspected nation-state actor. Rather than exploiting a software vulnerability, Airstalk abuses the AirWatch mobile device management API of Omnissa’s Workspace ONE as a covert command-and-control channel, so its traffic blends in with legitimate MDM activity.

Key Features of Airstalk

  • Functionality: Exfiltrates sensitive browser data, including cookies and browsing history
  • Variants: PowerShell and .NET, with the .NET variant being the more sophisticated of the two
  • Potential Risk: Evasion of detection, since its command-and-control traffic rides on a trusted management API

As cybersecurity threats evolve, individuals and organizations must remain vigilant. Addressing vulnerabilities, such as CVE-2023-20198, is essential to protect against malicious implants like BADCANDY and other sophisticated attacks.