What's Happening?
More than 150 Cisco routers and switches in Australia remain infected with the BADCANDY webshell, despite the availability of patches for over two years. The Australian Signals Directorate's Cybersecurity Centre has reported a decrease in compromised
devices from over 400 initially, but many remain unpatched. The BADCANDY vulnerability, first identified by Cisco Talos researchers in October 2023, allows attackers to create administrator accounts and fully compromise devices. The vulnerability is actively exploited, with re-infections occurring even after initial removal. The implant is attractive to both criminal and state-sponsored actors due to its low technical sophistication requirements. The Australian Signals Directorate has identified China's Salt Typhoon hacking group as one of the actors using this exploit for espionage.
Why It's Important?
The persistence of the BADCANDY exploit poses significant risks to network security, potentially allowing unauthorized access to sensitive data and enabling further cyberattacks. The vulnerability's exploitation by state-sponsored groups highlights the geopolitical dimensions of cybersecurity threats. Organizations using Cisco devices are at risk of data breaches and operational disruptions, which could have broader implications for national security and economic stability. The situation underscores the importance of timely patch management and robust cybersecurity practices to protect critical infrastructure.
What's Next?
Organizations are advised to review their configurations for suspicious accounts and apply the necessary patches to prevent re-exploitation. The Australian Signals Directorate recommends restricting access to the web user interface and investigating unknown tunnel interfaces. Continued vigilance and proactive measures are essential to mitigate the risks associated with the BADCANDY exploit and similar vulnerabilities.
