What's Happening?
The Australian Signals Directorate's Cybersecurity Centre (ACSC-ASD) has issued a warning regarding the ongoing infection of over 150 Cisco routers and switches in Australia with the BADCANDY webshell.
Despite the availability of patches for more than two years, these devices remain vulnerable. Initially discovered in October 2023, the BADCANDY implant exploits the CVE-2023-20198 vulnerability, which has a maximum severity score of 10.0. This vulnerability allows attackers to create administrator accounts, execute commands remotely, and fully compromise affected devices. The BADCANDY implant, based on the Lua programming language, is noted for its ease of deployment, making it attractive to both criminal and state-sponsored actors. The ACSC-ASD has identified China's Salt Typhoon hacking group as one of the entities using this vulnerability for espionage. The agency advises organizations to apply the necessary patches and restrict access to the web user interface to prevent re-exploitation.
Why It's Important?
The persistent vulnerability of Cisco devices to the BADCANDY webshell poses significant risks to network security, potentially affecting both public and private sectors. The ability of threat actors to intercept network traffic and move laterally within networks can lead to severe data breaches and espionage activities. This situation underscores the critical need for organizations to maintain up-to-date security measures and apply patches promptly. The involvement of state-sponsored groups like China's Salt Typhoon highlights the geopolitical dimensions of cybersecurity threats, emphasizing the importance of international cooperation in addressing such vulnerabilities. The ongoing exploitation of this vulnerability could have far-reaching implications for global cybersecurity, affecting trust in digital infrastructure and potentially leading to economic and political repercussions.
What's Next?
Organizations are urged to review their network configurations for suspicious accounts and unknown tunnel interfaces, as these may indicate compromise. The ACSC-ASD recommends applying the patch for CVE-2023-20198 and restricting access to the web user interface to mitigate the risk of re-infection. Continued vigilance and proactive security measures are essential to protect against future threats. The situation may prompt further international collaboration to address the broader issue of cybersecurity vulnerabilities and the role of state-sponsored actors in exploiting them.
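As an added example (not part of the advisory or any Cisco tooling), the following Python script audits a constructed IOS XE running-config excerpt for the indicators the recommendation asks operators to review: privilege-15 accounts outside an expected baseline, tunnel interfaces outside an expected baseline, and an enabled web UI (`ip http server` / `ip http secure-server`). The sample config and the baseline sets are assumptions, not data from a real device.

```python
import re

# Constructed IOS XE running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
!
interface Tunnel1
 tunnel source GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Assumed operator baseline: the accounts and tunnels that should exist.
EXPECTED_ADMINS = {"netops"}
EXPECTED_TUNNELS = {"Tunnel0"}


def audit_config(config, expected_admins, expected_tunnels):
    """Return a list of findings for the indicators named in the advisory."""
    findings = []
    # Any privilege-15 (full admin) account not in the baseline is suspect.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in expected_admins:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
    # Tunnel interfaces the operator did not configure are a compromise indicator.
    for m in re.finditer(r"^interface (Tunnel\d+)", config, re.M):
        if m.group(1) not in expected_tunnels:
            findings.append(f"unknown tunnel interface: {m.group(1)}")
    # The web UI is the exploited surface; report it if still enabled.
    for cmd in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{re.escape(cmd)}\s*$", config, re.M):
            findings.append(f"web UI exposed: '{cmd}' is enabled (disable or ACL-restrict)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, EXPECTED_ADMINS, EXPECTED_TUNNELS):
        print(finding)
```

Feed it the output of `show running-config` saved to a file and adjust the two baseline sets to the device's documented configuration; any finding should be investigated rather than auto-remediated.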