Full Report
PLUS: Cyber-exec admits selling secrets to Russia; LastPass isn't checking to see if you're dead; Nation-state backed Windows malware; and more

Infosec in brief: Australia’s Signals Directorate (ASD) last Friday warned that attackers are installing an implant named “BADCANDY” on unpatched Cisco IOS XE devices and can detect deletion of their wares and reinstall their malware.…
Analysis Summary
# Incident Report: Nation-State Actor Targeting Cisco IOS XE with Persistent Implant
## Executive Summary
Unidentified, possibly nation-state actors are actively exploiting unpatched Cisco IOS XE devices through the critical vulnerability CVE-2023-20198 to install a persistent malware implant named "BADCANDY." A key feature of this campaign is that the implant's operators detect its removal (for example after a system reboot) and reinstall it, indicating a persistence strategy aimed at maintaining long-term access. The primary response action highlighted by the Australian Signals Directorate (ASD) is immediate patching, since that alone prevents re-exploitation.
## Incident Details
- Discovery Date: Last Friday (prior to the article date of Sun 2 Nov 2025)
- Incident Date: Ongoing exploitation activity
- Affected Organization: Organizations running unpatched Cisco IOS XE devices globally.
- Sector: Not disclosed; any organization running vulnerable networking infrastructure is potentially affected.
- Geography: Global, as reported by the Australian Signals Directorate (ASD).
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly dated, but ongoing prior to the ASD warning last Friday.
- Vector: Exploitation of **CVE-2023-20198** in Cisco IOS XE software.
- Details: Attackers exploit the web UI feature; the vulnerability carries a CVSS score of 10.0 and allows full takeover of the device.
### Lateral Movement
- Not detailed in the provided extract, but subsequent actions are implied via malware installation.
### Data Exfiltration/Impact
- The primary immediate impact is the persistent compromise of network devices via the BADCANDY implant.
- Details regarding specific data exfiltration are not provided, but control over the device is achieved.
### Detection & Response
- **Detection:** Public warning issued by Australia’s Signals Directorate (ASD).
- **Response actions taken (Recommended):** Patching against CVE-2023-20198 is essential to stop re-exploitation. Rebooting infected devices removes BADCANDY temporarily but does not fix the underlying vulnerability.
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2023-20198** via the Cisco IOS XE web UI.
- **Persistence:** Installation of the **BADCANDY** implant, which actively detects and counters removal attempts (including reboots) by re-exploiting the device.
- **Privilege Escalation:** Successful exploitation of the critical vulnerability grants control over the system.
- **Defense Evasion:** The implant has mechanisms to maintain presence even after disruption (e.g., reboot).
- **Lateral Movement:** Not specified.
- **Discovery:** Not specified.
- **Collection/Impact:** Installation of a persistent implant.
## Impact Assessment
- **Financial:** Not estimated, but costs associated with forensic investigation and remediation are implied.
- **Data Breach:** Control over network infrastructure achieved. Specific data loss unknown.
- **Operational:** Persistent compromise of critical network devices poses significant ongoing operational risk.
- **Reputational:** Public advisory issued by a national security agency indicates a high-severity, widely recognized threat.
## Indicators of Compromise
- **Network indicators:** Access targeting Cisco IOS XE web UI interfaces.
- **File indicators:** Presence of the BADCANDY implant.
- **Behavioral indicators:** Detection of implant removal followed by immediate re-exploitation attempts.
## Response Actions
- **Containment measures:** Immediate isolation and patching of all vulnerable Cisco IOS XE devices.
- **Eradication steps:** Rebooting infected devices is mentioned as a temporary measure to remove the implant, but primary eradication requires patching the vulnerability.
- **Recovery actions:** Applying patches for CVE-2023-20198 across all affected inventory.
## Lessons Learned
- The use of critical, easily exploitable vulnerabilities (CVSS 10.0) remains a primary vector for sophisticated actors.
- Threat actors are fielding adaptive tooling (such as BADCANDY) whose operators watch for defensive actions (such as a reboot) and actively undo remediation, so the response must prioritize patching over a simple restart.
- Reliance on temporary fixes (like rebooting) will lead to immediate re-compromise if the root vulnerability is not addressed.
## Recommendations
- Immediately inventory and patch all Cisco IOS XE devices against **CVE-2023-20198**.
- Implement enhanced network monitoring to detect anomalous activity on management interfaces of network devices.
- Treat any security event that appears to be resolved by a simple reboot as unresolved until forensic confirmation shows that the underlying vulnerability has been remediated.
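The inventory and monitoring recommendations above can be partly automated. The following is an added example, not code from the report or from ASD: it audits Cisco IOS XE running-config text for a web UI (`ip http server` / `ip http secure-server`) that is enabled without an `ip http access-class` restriction, the exposure that CVE-2023-20198 is reached through. The device names and config excerpts are constructed sample data, and the CLI keywords are assumed from the general IOS XE command syntax rather than taken from the page.

```python
# Constructed sample running-config excerpts for two hypothetical devices.
SAMPLE_CONFIGS = {
    "edge-rtr-1": """\
hostname edge-rtr-1
ip http server
ip http secure-server
!
""",
    "core-rtr-2": """\
hostname core-rtr-2
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
""",
}


def audit_webui(config: str) -> dict:
    """Flag config text whose web UI is enabled without an access restriction.

    The web UI is the entry point for CVE-2023-20198, so an unpatched device
    should at minimum have it disabled or limited to management addresses via
    'ip http access-class'. A reboot does not change any of this state.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    # Exact matches, so 'no ip http server' is correctly treated as disabled.
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    restricted = any(ln.startswith("ip http access-class") for ln in lines)
    enabled = http_on or https_on
    if enabled and not restricted:
        finding = "web UI reachable without access-class: patch CVE-2023-20198, then restrict or disable"
    elif enabled:
        finding = "web UI enabled but restricted: still verify patch level"
    else:
        finding = "web UI disabled"
    return {"webui_enabled": enabled, "access_restricted": restricted, "finding": finding}


def audit_fleet(configs: dict) -> dict:
    """Run the audit over a name -> running-config mapping."""
    return {name: audit_webui(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, result in audit_fleet(SAMPLE_CONFIGS).items():
        print(f"{name}: {result['finding']}")
```

Feed it the output of `show running-config` collected from each device in the inventory; devices with an unrestricted web UI are the ones to patch first.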