BadCandy Implant Targets Cisco Devices Throughout Australia

Devices Left Unpatched Since October 2023 Remain Vulnerable

The Australian Cyber Security Centre (ACSC) has issued a warning regarding ongoing attacks on unpatched Cisco IOS XE enterprise devices. Cybercriminals are deploying a malicious web shell, dubbed “BadCandy,” on these vulnerable systems.

As of late October, over 150 Cisco devices across Australia are reported to be compromised. While the web shell does not persist after a reboot, attackers take advantage of recently discovered vulnerabilities, specifically tracked as CVE-2023-20198 and CVE-2023-20273, to establish unauthorized local user accounts with full administrative privileges.

Cisco identified these significant flaws in October 2023, highlighting that exploitation does not require authentication (refer to Unpatched Zero-Day Being Exploited in the Wild, Cisco Warns).

The perpetrators are believed to be Chinese state-sponsored hackers, commonly referred to as Salt Typhoon, who have used these vulnerabilities to break into large networks. A cybersecurity advisory issued by the Five Eyes intelligence alliance lists CVE-2023-20198 among the most exploited vulnerabilities of 2023, reflecting a trend of nation-state actors targeting networking and edge devices to gain persistent access to government and corporate infrastructure (see: State Hackers’ New Frontier: Network Edge Devices).

One notable tactic of the BadCandy operators is the “non-persistent patch”: after compromising a device, they apply a patch that does not survive a reboot. According to the ACSC, this is intended to obscure the device’s true vulnerability status.

In light of this threat, organizations are urged to immediately implement the recommended patch and ensure that the Cisco web interface is not unnecessarily exposed to the internet. Admin accounts with generic names or string patterns—such as cisco_tac_admin, cisco_support, cisco_sys_manager, or even just cisco—could indicate malicious activity. System administrators should also review configurations for unknown tunnel interfaces and monitor their logs for suspicious activity.
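A defender-side configuration audit along the lines of the ACSC guidance, as an added example that is not from the advisory, the ACSC or Cisco: it parses a constructed `show running-config` excerpt for privilege-15 accounts that use the generic names listed above or are missing from an allow-list, for Tunnel interfaces nobody expects, and for whether the HTTP server is enabled. The hostname, addresses, secrets and the allow-lists are constructed placeholders, not values from the advisory.

```python
import re

# Constructed sample of `show running-config` output (not a real capture).
# It holds one legitimate admin, one generic-name account with full
# privileges, an unexpected tunnel interface and an enabled web UI.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
interface GigabitEthernet1
 ip address 192.0.2.1 255.255.255.0
interface Tunnel100
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.7
ip http server
ip http secure-server
"""

# Generic account names the ACSC advisory associates with BadCandy activity.
SUSPICIOUS_NAMES = re.compile(r"^cisco(_tac_admin|_support|_sys_manager)?$")
USER_RE = re.compile(r"^username (\S+) privilege (\d+)", re.MULTILINE)
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)", re.MULTILINE)
HTTP_RE = re.compile(r"^ip http (secure-)?server$", re.MULTILINE)

def suspicious_admins(config, known_admins=frozenset()):
    """Privilege-15 users that match the generic pattern or are not allow-listed.
    A generic name is flagged even if someone added it to the allow-list."""
    hits = []
    for name, priv in USER_RE.findall(config):
        if int(priv) == 15 and (SUSPICIOUS_NAMES.match(name) or name not in known_admins):
            hits.append(name)
    return hits

def unexpected_tunnels(config, expected=frozenset()):
    """Tunnel interfaces not present in the documented (expected) set."""
    return [t for t in TUNNEL_RE.findall(config) if t not in expected]

def web_ui_enabled(config):
    """True if `ip http server` or `ip http secure-server` is configured."""
    return bool(HTTP_RE.search(config))

def audit(config, known_admins=frozenset(), expected_tunnels=frozenset()):
    # Config review is needed because a non-persistent patch can make a
    # compromised device look clean to a vulnerability scan.
    return {
        "suspicious_admins": suspicious_admins(config, known_admins),
        "unexpected_tunnels": unexpected_tunnels(config, expected_tunnels),
        "web_ui_enabled": web_ui_enabled(config),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, known_admins={"netops"}))
```

Run it against a saved `show running-config` from each device rather than the constructed sample; any hit is a prompt for the log and tunnel review the ACSC recommends, not proof of compromise on its own.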

This incident serves as a crucial reminder of the vulnerabilities inherent in unpatched systems. Maintaining robust cybersecurity measures is essential for safeguarding enterprise assets against evolving threats.
