BADCANDY is a Lua-based web shell that has been deployed on Cisco IOS XE devices since 2023, following exploitation of CVE-2023-20198, a critical vulnerability in the IOS XE web user interface. This article explains how the implant is delivered, why it keeps coming back on unpatched devices, and what network operators should do to find and remove it.
Understanding BADCANDY Attacks
Since October 2023, cybersecurity analysts have observed continuing BADCANDY activity. The implant, a Lua-based web shell served by the device's built-in web server, is being installed on unpatched Cisco IOS XE devices. CVE-2023-20198, rated CVSS 10.0, allows an unauthenticated remote attacker with access to the web UI to create a local account with privilege level 15 (full administrative access); attackers then use that account, together with a second flaw (CVE-2023-20273), to write the implant and take complete control of the device.
Highlighting the scope of the exploitation, nearly 400 devices in Australia were assessed as compromised as of July 2025, almost two years after the vulnerability and its fix were published, which shows how persistent these campaigns are against unpatched equipment. Evidence points to involvement by Salt Typhoon, a China-linked actor group that has repeatedly targeted telecommunications networks.
How the BADCANDY Implant Works
A notable feature of the BADCANDY implant is that it does not persist across a reboot: it lives in the device's web server configuration rather than in the startup configuration or firmware. This does not diminish its effectiveness. The privilege-15 account created through CVE-2023-20198 does survive a reboot, so the attacker can simply log back in, and operators have been observed reinfecting devices that were rebooted but never patched. The root issue is the unpatched vulnerability, not the implant itself.
After compromising a device, attackers have also been seen applying their own non-persistent fix for the vulnerability. This keeps other attackers out and makes the device appear patched to vulnerability scanners, so a "not vulnerable" scan result on an unupgraded device is not evidence that it was never compromised.
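The presence check below is an added example, not code from the original article, Cisco or Cisco Talos. It automates the check Talos published for this implant: an HTTP POST to /webui/logoutconfirm.html?logon_hash=1 on the device's web UI is answered with a bare hexadecimal string only when the implant is handling that path; the legitimate web UI returns HTML. A later implant variant answers only when a specific Authorization header is present, so the auth_header parameter is an assumption here that lets the value from Cisco's guidance be passed in rather than hard-coded. The host 192.0.2.1 is a placeholder.

```python
"""Check a Cisco IOS XE web UI for the BADCANDY implant.

Added example (not Cisco's or Talos' tooling). It sends the POST that
Talos described and classifies the answer; it must be run from a host
that is allowed to reach the device's management plane.
"""
import re
import ssl
import sys
from typing import Optional
import urllib.error
import urllib.request

# The implant answers this path with a bare hex token; the real web UI
# returns an HTML page (or an error page), never a bare hex token.
CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{8,}$")


def classify_response(body: str) -> str:
    """Classify the response body from the check path.

    Returns "implant" when the body is a bare hexadecimal token and
    "not detected" otherwise. "not detected" is not proof of a clean
    device: a reboot removes the implant but leaves any rogue
    privilege-15 account in the configuration, so the config must still
    be audited.
    """
    text = body.strip()
    if HEX_TOKEN.fullmatch(text):
        return "implant"
    return "not detected"


def check_device(host: str, auth_header: Optional[str] = None,
                 timeout: float = 10.0) -> str:
    """POST to the check path on `host` and classify the answer.

    Certificate verification is disabled (the equivalent of `curl -k`)
    because IOS XE web UIs are usually addressed by IP and present
    self-signed certificates.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{CHECK_PATH}",
                                 data=b"", method="POST")
    if auth_header:
        # Assumption: value supplied by the operator from Cisco/Talos
        # guidance for the updated implant variant; not reproduced here.
        req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_response(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        # 4xx/5xx answers still carry a body; anything that is not a bare
        # hex token is reported as "not detected".
        return classify_response(exc.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # Usage: python badcandy_check.py <device-ip> [authorization-header-value]
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    header = sys.argv[2] if len(sys.argv) > 2 else None
    print(f"{target}: {check_device(target, header)}")
```

Treat "implant" as a confirmed compromise and preserve the device's running configuration and logs before rebooting or upgrading; treat "not detected" as inconclusive until the local accounts have been audited.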
Impacts of BADCANDY on Organizations
The implications of BADCANDY attacks are wide-ranging and severe. Key consequences include:
- Unauthorized access to sensitive information transmitted over compromised networks;
- An increased risk of data manipulation or theft;
- Potential disruptions to critical services, especially in the telecommunications sector.
“The increasing sophistication of groups like Salt Typhoon highlights vulnerabilities that persist in patch-deprived systems,” a leading cybersecurity expert commented.
Steps to Protect Against BADCANDY
Effectively guarding against BADCANDY requires more than one control. The following measures are recommended:
- Upgrade to a fixed IOS XE release for CVE-2023-20198 (and CVE-2023-20273, used alongside it to install the implant) without delay; an attacker's own in-place patch does not count as remediation;
- Disable the web UI where it is not needed (“no ip http server” and “no ip http secure-server”), and where it is needed, restrict it to trusted management addresses and never expose it to the internet;
- Audit local accounts for unauthorized privilege level 15 additions, such as “cisco_support” or “cisco_tac_admin,” and remove them immediately, bearing in mind that these accounts survive the reboot that removes the implant;
- Review device syslog and TACACS+ AAA accounting for web UI logins, configuration changes made programmatically by the web UI process, and install operations that no administrator performed.
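The audit script below is an added example, not code from the original article or from Cisco. It runs over text already collected from a device (a "show running-config" capture and exported syslog lines): it lists privilege-15 accounts and flags any that are not on the operator's approved list or that match the names Cisco reported, reports whether the HTTP/HTTPS server is enabled, and matches the syslog messages Cisco's advisory lists as indicators of web UI exploitation. The configuration excerpt and log lines embedded in it are constructed for the example, and APPROVED_ADMINS is a placeholder for the organisation's real account list.

```python
"""Audit IOS XE configuration and syslog for CVE-2023-20198 follow-on activity.

Added example (not Cisco's tooling). Input is plain text collected from the
device; nothing here connects to the network.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Account names Cisco reported being created by exploitation of CVE-2023-20198.
KNOWN_ROGUE_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}

# Syslog messages Cisco's advisory lists as indicators, keyed by a short label.
LOG_INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "config-via-webui": re.compile(
        r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http"),
    "webui-login": re.compile(
        r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"),
    "webui-install": re.compile(
        r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), Install Operation: (?P<op>.+)$"),
}

USERNAME_LINE = re.compile(r"^username (\S+) privilege 15\b", re.MULTILINE)
# Matches only the enabled form; a disabled service appears as "no ip http server".
HTTP_SERVER_LINE = re.compile(r"^ip http (secure-)?server\s*$", re.MULTILINE)

# Placeholder for the organisation's approved administrator accounts.
APPROVED_ADMINS: Set[str] = {"netops"}

# Constructed sample input for the example; not a real device capture.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
ip http server
ip http secure-server
"""
SAMPLE_LOGS = """\
*Oct 19 2023 14:02:11.214: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
*Oct 19 2023 14:02:12.003: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.10] at 14:02:12 UTC Thu Oct 19 2023
*Oct 19 2023 14:03:40.771: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf
"""


def find_privileged_accounts(config: str) -> List[str]:
    """All local usernames configured with privilege level 15, in config order."""
    return USERNAME_LINE.findall(config)


def unexpected_accounts(config: str, approved: Set[str]) -> List[str]:
    """Privilege-15 accounts that are not approved or that match known rogue names."""
    return [u for u in find_privileged_accounts(config)
            if u not in approved or u in KNOWN_ROGUE_ACCOUNTS]


def web_ui_exposed(config: str) -> bool:
    """True if `ip http server` or `ip http secure-server` is enabled."""
    return HTTP_SERVER_LINE.search(config) is not None


def scan_logs(lines: Iterable[str], approved: Set[str]) -> List[Tuple[str, str]]:
    """Return (label, line) pairs for log lines matching an indicator.

    A successful web login by an approved account is not reported on its
    own; every other match is, so it can be correlated with user and source.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for label, pattern in LOG_INDICATORS.items():
            match = pattern.search(line)
            if not match:
                continue
            user = match.groupdict().get("user")
            if label == "webui-login" and user in approved and user not in KNOWN_ROGUE_ACCOUNTS:
                continue
            hits.append((label, line.strip()))
    return hits


def audit(config: str, logs: Iterable[str], approved: Set[str]) -> Dict[str, object]:
    """Summarise findings so the result can be fed to a ticket or SIEM."""
    return {
        "privileged_accounts": find_privileged_accounts(config),
        "unexpected_accounts": unexpected_accounts(config, approved),
        "web_ui_exposed": web_ui_exposed(config),
        "log_hits": scan_logs(logs, approved),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, SAMPLE_LOGS.splitlines(), APPROVED_ADMINS).items():
        print(f"{key}: {value}")
```

The "config-via-webui" message is also produced by legitimate web UI use, so a hit is a lead to correlate with the user, the source address and the time, not a verdict on its own; an unexpected privilege-15 account, or an install operation no administrator performed, is the stronger signal.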
Additionally, following Cisco’s network hardening guidelines can help organizations fortify their defenses and reduce exposure to future vulnerabilities.
The Importance of Vigilance
Although a system reboot removes the BADCANDY implant, it removes neither the vulnerability nor the privilege-15 account the attacker created, and it does not undo any other changes made while the attacker had administrative access. Reboot-and-forget therefore leaves the device open to immediate re-exploitation. Applying the fixed release, removing rogue accounts and reviewing the configuration for further changes must go together with continuous monitoring for renewed web UI activity.
How Lynx Intel Can Help You
At Lynx Intel, we recognize the critical need to protect your organization’s infrastructure from sophisticated modern threats. Our proactive intelligence and surveillance services are designed to help you identify threats and neutralize them effectively before they escalate into large-scale cybersecurity incidents.
By combining cutting-edge risk management tools with years of expertise, we customize security strategies tailored to your specific needs. This ensures your operations remain seamless and your sensitive data stays secure.
Conclusion
BADCANDY attacks exploiting CVE-2023-20198 show the cost of leaving critical updates unapplied: the fix has been available since October 2023, yet hundreds of devices were still compromised well into 2025. As attackers remain persistent and return to devices that were rebooted but never patched, upgrading, removing rogue accounts and monitoring for renewed activity remain the most effective defence. Partnering with experts like Lynx Intel strengthens your organization's resilience and helps ensure the long-term safety of your critical infrastructure.

