Full Report
The Australian Signals Directorate (ASD) has issued a bulletin about ongoing cyber attacks targeting unpatched Cisco IOS XE devices in the country with a previously undocumented implant known as BADCANDY. The activity, per the intelligence agency, involves the exploitation of CVE-2023-20198 (CVSS score: 10.0), a critical vulnerability that allows a remote, unauthenticated attacker to create an
Analysis Summary
# Incident Report: Ongoing BADCANDY Exploitation of Cisco IOS XE
## Executive Summary
Unpatched Cisco IOS XE devices are being actively exploited globally, including in Australia, utilizing the undocumented implant known as BADCANDY. The attacks leverage the critical, remotely exploitable vulnerability CVE-2023-20198 to gain authenticated, high-privilege control over affected routers. Detection efforts indicate significant compromise in Australia, necessitating immediate patching and configuration review to prevent recurrence.
## Incident Details
- **Discovery Date:** Variations of BADCANDY detected starting October 2023.
- **Incident Date:** Active exploitation in the wild since late 2023, with recent surges in 2024 and 2025 (e.g., 150 devices compromised in October 2025 alone).
- **Affected Organization:** Cisco IOS XE device owners; specific entities include telecommunications providers targeted by associated threat actors.
- **Sector:** Primarily networking infrastructure operators (including telecommunications).
- **Geography:** Global; specifically highlighted in Australia.
## Timeline of Events
### Initial Access
- **Date/Time:** Since late 2023, continuing through 2025.
- **Vector:** Exploitation of **CVE-2023-20198**.
- **Details:** An unauthenticated, remote attacker exploits a critical vulnerability (CVSS 10.0) to create an account with elevated privileges on the Cisco IOS XE device.
### Lateral Movement
- The source material focuses on initial compromise and on persistence via the implant; it does not describe lateral movement across the wider network, although the attacker does gain full control of the compromised device itself.
### Data Exfiltration/Impact
- Specific data exfiltration details are not provided. The impact is compromise of, and control over, the networking device; if the system remains unpatched, the actor can re-establish that access after a reboot.
### Detection & Response
- **How it was discovered:** Detected by the Australian Signals Directorate (ASD) through monitoring and analysis of network activity.
- **Response actions taken:** ASD issued a bulletin warning organizations, advising immediate patching, review of configurations for unauthorized accounts, and removal of unknown tunnel interfaces.
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2023-20198** (unauthenticated remote code execution leading to account creation).
- **Persistence:** Achieved via the **BADCANDY** implant (a low-equity, Lua-based web shell). *Note: The implant itself is non-persistent across reboots, but actors re-introduce it immediately if unpatched.*
- **Privilege Escalation:** Implicitly achieved by exploiting CVE-2023-20198 to create an account with elevated privileges, seizing control of susceptible systems.
- **Defense Evasion:** Attackers applied a **non-persistent patch** post-compromise to hide the known vulnerability status of the device.
- **Credential Access:** Not explicitly detailed, but system control implies the ability to harvest credentials or administrative access.
- **Discovery:** Not detailed, but control of the device implies the actor can review its configuration after exploitation.
- **Lateral Movement:** Not detailed in the source material.
- **Collection:** Not detailed in the source material.
- **Exfiltration:** Not detailed in the source material.
- **Impact:** Device hijacking and maintenance of access via implant re-introduction.
## Impact Assessment
- **Financial:** Not publicly quantified, but costs associated with incident response, remediation (patching), and potential service disruption are implied.
- **Data Breach:** Severity hinges on what data the router controlled or accessed; potential exposure of network routing data or management credentials.
- **Operational:** Direct operational impact on network availability and security integrity due to device compromise.
- **Reputational:** Direct impact on organizations whose externally facing infrastructure was compromised via this critical flaw.
## Indicators of Compromise
- **Network indicators:** (None explicitly provided in defanged format)
- **File indicators:** Presence of the **BADCANDY** implant (a low-equity Lua-based web shell).
- **Behavioral indicators:** Unexpected user accounts on the device, especially those named `cisco_tac_admin` or `cisco_support`, or with random-string names, holding privilege 15 access.
## Response Actions
- **Containment measures:** Discovery of the implant on a device indicates compromise; operators must remove the implant and secure the system.
- **Eradication steps:** Apply necessary patches for CVE-2023-20198; review and remove unauthorized or suspicious high-privilege accounts (Priv 15).
- **Recovery actions:** Review TACACS+ AAA command accounting logging for configuration changes.
## Lessons Learned
- **Key takeaways:** Zero-day exploitation, and undocumented implants that target known critical flaws, require immediate attention even when the underlying flaw and its CVSS score are already widely publicized. The fact that the implant does not survive a reboot does not reduce the threat while the vulnerability remains exposed.
- **What could have been done better:** Organizations must prioritize patching critical, remote-exploitable vulnerabilities immediately, rather than waiting for advanced detection techniques to catch secondary implants.
## Recommendations
- Immediately apply all security updates released by Cisco for IOS XE addressing CVE-2023-20198.
- Limit public exposure of the Cisco IOS XE web user interface.
- Conduct a manual configuration audit to remove all unexpected or unapproved accounts, specifically looking for accounts matching known suspicious patterns (`cisco_support`, etc.) or holding privilege 15.
- Review running configuration for unknown tunnel interfaces.
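The configuration audit described in the indicators and recommendations above, as an added defender-side example that is not from the ASD bulletin or the original report: a Python check over a constructed IOS XE running-config excerpt that flags the account names the bulletin associates with this activity, any other unapproved privilege-15 account, tunnel interfaces missing from an operator-maintained allow list, and an enabled HTTP/HTTPS web UI. The sample config, the approved-account set and the approved-tunnel set are assumptions made for the example.

```python
import re

# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username q7xk2lp privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
interface Tunnel1
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.7
ip http server
ip http secure-server
"""

# Account names the bulletin associates with this activity.
KNOWN_SUSPICIOUS = {"cisco_tac_admin", "cisco_support"}
# Operator-approved inventory; assumed values for this example.
APPROVED_ACCOUNTS = {"netops", "monitor"}
APPROVED_TUNNELS = set()

USER_RE = re.compile(r"^username (\S+) privilege (\d+)")
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)")
HTTP_RE = re.compile(r"^ip http (secure-)?server$")

def audit_config(text, approved_accounts=APPROVED_ACCOUNTS,
                 approved_tunnels=APPROVED_TUNNELS):
    """Return (finding, detail) tuples in config order."""
    findings = []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            name, priv = m.group(1), int(m.group(2))
            if name in KNOWN_SUSPICIOUS:
                findings.append(("known-suspicious-account", name))
            elif priv == 15 and name not in approved_accounts:
                # Random-string or otherwise unapproved privilege-15 users.
                findings.append(("unapproved-priv15-account", name))
            continue
        m = TUNNEL_RE.match(line)
        if m and m.group(1) not in approved_tunnels:
            findings.append(("unknown-tunnel-interface", m.group(1)))
            continue
        if HTTP_RE.match(line):
            # Web UI exposure is the attack surface for CVE-2023-20198.
            findings.append(("web-ui-enabled", line))
    return findings
```

Run the check against `show running-config` output collected over a management session; any `known-suspicious-account` or `unknown-tunnel-interface` finding warrants the containment and eradication steps listed above.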