Ethical Hacking News
Australian Signals Directorate (ASD) issues warning about ongoing BADCANDY attacks exploiting critical Cisco IOS XE vulnerability, impacting thousands of devices across several countries.
Australia's ASD has issued a critical warning about BADCANDY cyber attacks targeting unpatched Cisco IOS XE devices. The attacks exploit CVE-2023-20198, a critical vulnerability in the IOS XE web UI that lets an unauthenticated remote attacker create a privilege-15 account and take control of the device. Approximately 400 Australian devices have been compromised with the BADCANDY implant since July 2025. The implant has no persistence mechanism and does not survive a reboot, but a device that stays unpatched and exposed is simply re-infected. Mitigation steps include reviewing account and tunnel configuration, patching CVE-2023-20198, and hardening the web UI.
The Australian Signals Directorate (ASD) has issued a critical warning about ongoing cyber attacks targeting unpatched Cisco IOS XE devices in Australia and in several other countries. The activity, tracked as "BADCANDY," exploits CVE-2023-20198, a critical (CVSS 10.0) privilege-escalation vulnerability in the IOS XE web UI feature that Cisco disclosed in October 2023. It allows a remote, unauthenticated attacker to create an account with privilege level 15 and seize control of a susceptible device.
The ASD bulletin notes that BADCANDY activity has been observed since 2023, and that China-linked threat actors such as Salt Typhoon have weaponized the same vulnerability to breach telecommunications providers. The campaign has continued to evolve, with fresh waves of attacks recorded in 2024 and 2025.
According to the ASD, approximately 400 devices in Australia have been compromised with the BADCANDY implant since July 2025, 150 of them in October alone. The agency notes that the implant has no persistence mechanism and does not survive a reboot; however, if the device remains unpatched and exposed to the internet, the threat actor can re-exploit it, re-introduce the implant and regain access.
One of the key observations in the ASD bulletin is that the threat actors appear to notice when the implant has been removed, for example by a reboot, and then re-infect devices that are still vulnerable. A reboot is therefore not remediation on its own: it clears the implant but leaves the vulnerability, and any accounts the actor added to the configuration, in place. This underlines the need for prompt patching and hardening to stop further exploitation attempts.
To mitigate this threat, the ASD recommends several steps for system operators:
1. Review the running configuration for accounts with privilege 15 and remove any unexpected or unapproved accounts.
2. Review privilege-15 accounts with random-string names or with specific user names such as "cisco_tac_admin," "cisco_support," "cisco_sys_manager," or "cisco," and remove them if they are not legitimate.
3. Review the running configuration for unknown tunnel interfaces.
4. Review TACACS+ AAA command accounting logging for configuration changes, if enabled.
Additionally, the ASD advises patching CVE-2023-20198 as soon as possible to prevent further exploitation of this critical vulnerability. Until the patch is applied, Cisco's own guidance for this flaw is to disable the HTTP server feature on internet-facing devices, or to restrict web UI access to trusted management addresses, so that the vulnerable web UI is not reachable by attackers.
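The four configuration checks above are easy to script against the output of `show running-config`. The following is an added example, not code from the ASD bulletin or from Cisco, that audits a running-config excerpt for the indicators the bulletin names: privilege-15 accounts that are not on an operator-supplied allowlist (flagging the specific names listed by the ASD and, as a heuristic of my own, random-looking names), tunnel interfaces that are not expected, whether the web UI (`ip http server` / `ip http secure-server`) is enabled, and whether TACACS+ command accounting for privilege 15 is configured. The sample configuration, the allowlist, and the random-name heuristic are constructed assumptions for illustration.

```python
from __future__ import annotations

import re

# Account names the ASD bulletin lists as seen in BADCANDY activity.
SUSPICIOUS_NAMES = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager", "cisco"}

# IOS XE single-line forms: "username NAME privilege N secret ..." / "... password ..."
USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)\b")
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)\s*$")
ACCOUNTING_RE = re.compile(r"^aaa accounting commands 15 .*tacacs\+")

# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 REDACTED
username cisco_tac_admin privilege 15 secret 9 REDACTED
username a7Qx9z privilege 15 secret 9 REDACTED
username readonly privilege 1 secret 9 REDACTED
!
interface Tunnel0
 ip address 10.10.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 192.0.2.10
!
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
!
aaa accounting commands 15 default start-stop group tacacs+
"""


def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not from the bulletin): a name of six or more
    characters mixing letters and digits is treated as auto-generated."""
    return (len(name) >= 6
            and any(c.isalpha() for c in name)
            and any(c.isdigit() for c in name))


def privilege15_users(config: str) -> list[str]:
    """Return account names configured with privilege level 15, in config order."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line)
        if m and m.group(2) == "15":
            users.append(m.group(1))
    return users


def tunnel_interfaces(config: str) -> list[str]:
    """Return every Tunnel interface declared in the configuration."""
    return [m.group(1) for line in config.splitlines() if (m := TUNNEL_RE.match(line))]


def webui_exposed(config: str) -> bool:
    """True if the HTTP or HTTPS web UI server is enabled (the attack surface
    for CVE-2023-20198). Disabled servers appear as 'no ip http ...' lines."""
    lines = set(config.splitlines())
    return "ip http server" in lines or "ip http secure-server" in lines


def command_accounting_enabled(config: str) -> bool:
    """True if TACACS+ command accounting for privilege 15 is configured,
    i.e. the configuration-change logs the ASD asks operators to review exist."""
    return any(ACCOUNTING_RE.match(line) for line in config.splitlines())


def audit(config: str, approved_users: set[str], expected_tunnels: set[str]) -> dict:
    """Run the ASD's four checks and return the findings as a dict."""
    findings = {
        "accounts": [],          # (name, reason) for unapproved privilege-15 accounts
        "tunnels": [],           # Tunnel interfaces not in expected_tunnels
        "webui_exposed": webui_exposed(config),
        "command_accounting": command_accounting_enabled(config),
    }
    for user in privilege15_users(config):
        if user in approved_users:
            continue
        if user in SUSPICIOUS_NAMES:
            reason = "name listed in ASD bulletin"
        elif looks_random(user):
            reason = "unapproved, random-looking name"
        else:
            reason = "unapproved"
        findings["accounts"].append((user, reason))
    findings["tunnels"] = [t for t in tunnel_interfaces(config) if t not in expected_tunnels]
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, approved_users={"netops"}, expected_tunnels={"Tunnel0"})
    for name, reason in result["accounts"]:
        print(f"REVIEW account {name}: {reason}")
    for tunnel in result["tunnels"]:
        print(f"REVIEW interface {tunnel}: not in expected tunnel set")
    print("web UI enabled:", result["webui_exposed"])
    print("TACACS+ command accounting:", result["command_accounting"])
```

Feed it the saved output of `show running-config` and an allowlist of the privilege-15 accounts and tunnel interfaces your change records actually authorize. A flagged account is a lead, not proof of compromise; confirm it against change history (the TACACS+ accounting log, where the last check reports it is enabled) before removing it. Where the web UI check reports the server enabled on an internet-facing device, Cisco's guidance for this vulnerability is to disable it (`no ip http server` and `no ip http secure-server`) or restrict it to trusted management networks until the device is patched.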
The BADCANDY attacks serve as a reminder of the importance of proactive cyber security measures and staying up-to-date with the latest software patches. System operators must take immediate action to protect their devices from these ongoing threats and ensure that they are adequately prepared for future attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Australian-Signals-Directorate-Warns-of-Ongoing-BADCANDY-Attacks-Exploiting-Critical-Cisco-IOS-XE-Vulnerability-ehn.shtml
Published: Sat Nov 1 15:38:10 2025 by llama3.2 3B Q4_K_M