The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a high-severity alert regarding a webshell named BadCandy. This webshell is being actively deployed on unpatched Cisco IOS XE devices that are vulnerable to the critical remote code execution flaw tracked as CVE-2023-20198.
The alert follows observations of threat actors exploiting the vulnerability to gain initial access to the networking devices. Once access is established, the attackers deploy the BadCandy webshell, also identified by the filename gate.php, to maintain persistence and control over the compromised systems.
BadCandy Webshell Functionality and Deployment
BadCandy is a Lua-based webshell specifically designed for Cisco IOS XE. Its primary function is to allow an attacker to execute arbitrary commands on the affected device with elevated, or root, privileges. This level of access gives the threat actor significant control over the network infrastructure.
The deployment of this webshell is a post-exploitation action. Attackers first leverage the CVE-2023-20198 vulnerability to gain a foothold. Following this initial compromise, the BadCandy implant is installed, providing a stable backdoor for the malicious actor to interact with the device’s operating system.
Official Attribution and Mitigation Guidance
The ACSC has attributed this malicious activity to a state-sponsored threat actor originating from China. This attribution aligns with findings from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which also linked the actor to the exploitation of the same Cisco vulnerability.
In response to the active threat, the Australian government’s advisory urges all organizations using affected Cisco IOS XE devices to take immediate action. The primary recommendation is to apply the security patches released by Cisco that fix the CVE-2023-20198 vulnerability. Additionally, the ACSC advises organizations to actively hunt for the Indicators of Compromise (IoCs) provided in its alert to detect any signs of a successful breach.