ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability


These articles are AI-generated summaries. Please check the original sources for full details.

The Australian Signals Directorate (ASD) has warned of ongoing attacks that deploy the BADCANDY implant on Cisco IOS XE devices by exploiting CVE-2023-20198. The flaw lets an unauthenticated remote attacker create an account with full (privilege level 15) access on the device's web UI, and ASD reports that actors continue to use it against internet-exposed Australian network infrastructure.


Vulnerability Overview

CVE-2023-20198: Critical Flaw in Cisco IOS XE

  • CVSS Score: 10.0 (highest severity).
  • Nature: Privilege escalation in the IOS XE web UI (the HTTP/HTTPS server feature). An unauthenticated remote attacker can create a local account with privilege level 15, giving full control of the device.
  • Impact: With that account the attacker can reconfigure the device and install the BADCANDY implant. Because the vulnerability itself is not removed by a reboot or by deleting the implant, access can be regained until the software is patched.
  • Exploitation Timeline:
    • Disclosed by Cisco in October 2023, already under active exploitation as a zero-day.
    • Attributed in public reporting to China-linked threat actors (e.g., Salt Typhoon) since 2023.
    • Ongoing exploitation reported in 2024 and 2025.

Attack Details

BADCANDY Malware Characteristics

  • Type: Non-persistent, Lua-based web shell.
  • Function: Lets the attacker execute arbitrary commands on the compromised device through the web UI.
  • Persistence Mechanism:
    • Does not survive a reboot; the implant lives in memory only.
    • Attackers simply re-exploit CVE-2023-20198 and redeploy the implant if the device remains unpatched and exposed.
  • Infection Scale (ASD figures):
    • Approximately 400 devices in Australia assessed as potentially compromised as of July 2025.
    • Approximately 150 devices as of late October 2025.

Attack Lifecycle

  1. Initial Exploitation: CVE-2023-20198 is used to create an unauthorized privilege-level-15 local account. (In Cisco's original investigation the actor then used a second web UI flaw, CVE-2023-20273, to write the implant to the device.)
  2. Malware Deployment: BADCANDY is deployed to give command execution through the web UI.
  3. Post-Compromise Actions:
    • The actors apply a non-persistent patch to the web UI so the device no longer appears vulnerable to external scanners while their access remains. Like the implant, this patch disappears on reboot.
    • If the device is rebooted but not upgraded and still exposed to the internet, it is re-exploited and the implant redeployed.
  4. Detection: ASD observed the implant being redeployed on devices it had already notified, indicating the actors are aware of public reporting and watch for the implant being removed.

ASD Response and Recommendations

Mitigation Strategies

  • Patch Management:
    • Upgrade every IOS XE device to a Cisco fixed release for CVE-2023-20198. A reboot removes the implant but not the vulnerability, so a reboot alone is not remediation.
  • Network Hardening:
    • Do not expose the web UI to the internet. Disable the HTTP server where it is not required ("no ip http server" and "no ip http secure-server"), or restrict it to management addresses with an access class.
    • Disable unnecessary services and interfaces.
  • Configuration Review:
    • Audit running configurations for unexpected local accounts (Cisco's published indicators include "cisco_tac_admin" and "cisco_support").
    • Remove privilege-level-15 accounts that are not explicitly required and documented.
    • Check for unknown tunnel interfaces, and review TACACS+ AAA command accounting for configuration changes not made by an administrator.

ASD’s Key Findings

  • Because BADCANDY is non-persistent, a reboot removes the implant, but the device stays vulnerable and is re-exploited if the software is not upgraded.
  • The actors actively monitor for the implant being removed and re-infect devices, so remediation has to be patching and exposure reduction rather than clean-up alone.

Practical Recommendations for Organizations

  • Prioritize Patching: Apply patches for critical, actively exploited vulnerabilities in internet-facing devices within 48 hours, in line with ASD's Essential Eight guidance.
  • Continuous Monitoring: Forward device syslog to a central collector and alert on the web UI indicators Cisco published for this campaign, notably "%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http", "%SEC_LOGIN-5-WEBLOGIN_SUCCESS" logins from unexpected users or sources, and "%WEBUI-6-INSTALL_OPERATION_INFO" install operations. Cisco also published an HTTP POST check against the web UI path /webui/logoutconfirm.html?logon_hash=1 that returns a hex string when the implant responds; later implant variants required an additional header, so a negative result does not prove the device is clean.
  • Incident Response: If BADCANDY is suspected, isolate the device and capture volatile evidence and logs before rebooting (the implant does not survive a reboot), remove unauthorized accounts, upgrade to a fixed release, and restrict web UI exposure before returning the device to service; otherwise expect re-exploitation.
  • Training: Educate network administrators on recognizing web shell implants, unexpected privileged accounts and programmatic configuration changes on IOS XE devices.
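The configuration review and monitoring items above are mechanical enough to script. The following is an added example, not ASD's or Cisco's tooling: it parses a running-config excerpt for privilege-15 accounts outside an approved baseline, unknown Tunnel interfaces and an exposed web UI without an access class, and scans syslog lines for the web UI indicators Cisco published (SEP_webui_wsma_http programmatic configuration, WEBLOGIN_SUCCESS by unexpected users, WEBUI-6-INSTALL_OPERATION_INFO). The device name, account names, addresses, timestamps and the "allowed" sets are constructed assumptions; replace them with your own baseline.

```python
"""Audit a Cisco IOS XE running-config and syslog excerpt for the
BADCANDY / CVE-2023-20198 indicators described in the article.
Added example; the config and log text are constructed samples."""
import re
from typing import Dict, List, Set

# Constructed running-config excerpt for a hypothetical device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED1
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED2
username monitor secret 9 $9$REDACTED3
!
interface Tunnel0
 ip address 10.99.99.1 255.255.255.252
 tunnel destination 203.0.113.50
!
ip http server
ip http secure-server
!
end
"""

# Constructed syslog excerpt. Message formats follow Cisco's published
# indicators; user names, addresses and timestamps are made up.
SAMPLE_SYSLOG = """\
Oct 20 03:42:13.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.50] at 03:42:13 UTC Mon Oct 20 2025
Oct 20 03:42:14.201: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Oct 20 04:10:00.000: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.5)
"""

USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)", re.M)
HTTP_RE = re.compile(r"^(no )?ip http (secure-)?server$", re.M)
ACCESS_CLASS_RE = re.compile(r"^ip http access-class ", re.M)
WEBLOGIN_RE = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\]")
CONFIG_P_RE = re.compile(r"%SYS-5-CONFIG_P: .*SEP_webui_wsma_http")
INSTALL_RE = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO")


def find_priv15_users(config: str, allowed_admins: Set[str]) -> List[str]:
    """Privilege-15 usernames not in the approved baseline (IOS defaults to level 1)."""
    return [name for name, priv in USERNAME_RE.findall(config)
            if (int(priv) if priv else 1) == 15 and name not in allowed_admins]


def find_unknown_tunnels(config: str, known_tunnels: Set[str]) -> List[str]:
    """Tunnel interfaces not in the approved baseline."""
    return [t for t in TUNNEL_RE.findall(config) if t not in known_tunnels]


def webui_exposure(config: str) -> Dict[str, bool]:
    """Whether HTTP / HTTPS web UI is enabled and whether an access class restricts it."""
    state = {"http": False, "https": False, "access_class": False}
    for negated, secure in HTTP_RE.findall(config):
        state["https" if secure else "http"] = not negated  # 'no ip http ...' disables
    state["access_class"] = bool(ACCESS_CLASS_RE.search(config))
    return state


def suspicious_syslog(lines: List[str], allowed_admins: Set[str]) -> List[str]:
    """Web UI logins by unexpected users, programmatic config by the web UI
    process, and web UI software installs."""
    hits = []
    for line in lines:
        m = WEBLOGIN_RE.search(line)
        if m and m.group(1) not in allowed_admins:
            hits.append(line)
        elif CONFIG_P_RE.search(line) or INSTALL_RE.search(line):
            hits.append(line)
    return hits


def audit(config: str, syslog: str, allowed_admins: Set[str],
          known_tunnels: Set[str]) -> List[str]:
    """Run every check and return human-readable findings."""
    findings = [f"unexpected privilege-15 account: {u}"
                for u in find_priv15_users(config, allowed_admins)]
    findings += [f"unknown tunnel interface: {t}"
                 for t in find_unknown_tunnels(config, known_tunnels)]
    exp = webui_exposure(config)
    if (exp["http"] or exp["https"]) and not exp["access_class"]:
        findings.append("web UI enabled without 'ip http access-class' restriction; "
                        "disable with 'no ip http server' / 'no ip http secure-server' "
                        "or restrict to management addresses")
    findings += [f"suspicious log: {l}"
                 for l in suspicious_syslog(syslog.splitlines(), allowed_admins)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SYSLOG, {"netadmin"}, set()):
        print(finding)
```

On the sample data the audit reports the cisco_tac_admin account, Tunnel0, the unrestricted web UI, the web UI login by cisco_tac_admin and the SEP_webui_wsma_http configuration event; the legitimate CONFIG_I change by netadmin is not flagged. Run it against "show running-config" output and forwarded syslog rather than the samples, and treat the baseline sets as the documented list of approved administrators and tunnels.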

Reference

ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability
