Cisco IOS XE Devices at Risk from BadCandy Webshell, Australian Government Warns

Urgent Security Alert: “BadCandy” Webshell Targets Critical Cisco IOS XE Flaw

Network administrators are on high alert as a new, sophisticated threat known as the “BadCandy” webshell is actively being deployed on compromised Cisco IOS XE devices. This malicious implant provides attackers with persistent, unauthorized access, turning a one-time breach into a long-term security nightmare. The attack leverages a previously identified critical vulnerability, making it essential for all organizations using these devices to take immediate action.

This two-stage attack is highly effective and dangerous. First, attackers exploit CVE-2023-20198, a severe privilege escalation vulnerability in the Web User Interface (Web UI) of Cisco IOS XE software. This initial flaw allows a remote, unauthenticated attacker to create a new user account on the device with the highest-level privileges. Once this foothold is established, the second stage begins: the deployment of the BadCandy webshell.

What is the BadCandy Webshell?

A webshell is a malicious script uploaded to a server that gives an attacker the ability to execute commands remotely. The BadCandy implant is a particularly stealthy and persistent tool. Once installed on a compromised Cisco device, it acts as a persistent backdoor, allowing attackers to:

  • Execute arbitrary commands with elevated privileges.
  • Modify or exfiltrate system files and network configurations.
  • Establish long-term control over the device, even after a system reboot.

Because the webshell is persistent, simply rebooting a compromised device will not remove the threat. The implant is designed to survive restarts, ensuring the attacker maintains access until the device is properly cleaned and patched.

How to Determine if Your Devices Are Compromised

Proactive threat hunting is critical. System administrators should immediately investigate their Cisco IOS XE devices for any signs of compromise. Pay close attention to the following indicators:

  • Unexplained User Accounts: Check for the presence of any new or unfamiliar local user accounts. The initial attack via CVE-2023-20198 relies on creating a rogue administrative account for access.
  • Suspicious Log Entries: Review system logs for any web requests related to the webshell. The presence of unusual POST requests to URIs that do not correspond to legitimate device functions is a major red flag.
  • Presence of the Webshell File: The BadCandy implant has been identified by a specific file path. Check your system for a file located at /usr/binos/conf/bws.lua. The existence of this Lua script is a definitive sign of a BadCandy infection.
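The three indicators above can be checked offline against text exported from a device. The script below is an added example, not tooling from the advisory, Cisco, or the Australian government: it reads a `show running-config` excerpt, a set of web-server log lines and a file listing, and reports privilege-15 accounts that are not on an expected list, POST requests to URIs outside an allowlist, and the presence of `/usr/binos/conf/bws.lua`. It also records whether `ip http server` / `ip http secure-server` are still configured, which tells you whether the Web UI hardening step later on this page still applies. The sample inputs, the expected-admin set, the allowlist of legitimate POST paths and the log line layout are all constructed assumptions; only the implant path comes from the advisory.

```python
"""Offline triage of exported Cisco IOS XE artifacts for BadCandy indicators.

Added example, not the advisory's or Cisco's own tooling. All sample data
below is constructed; the log line layout is an assumption rather than a
real IOS XE log format.
"""
import re

# Constructed `show running-config` excerpt: two privilege-15 accounts (one
# unexpected), one low-privilege account, and the Web UI enabled on both ports.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-router-01
!
username netops-admin privilege 15 secret 9 $9$PLACEHOLDER
username svc_sync_x privilege 15 secret 9 $9$PLACEHOLDER
username readonly privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
"""

# Constructed web-server log lines: timestamp, client, request line, status.
SAMPLE_WEB_LOG = [
    '2024-05-01T09:12:03Z 192.0.2.10 "GET /webui/ HTTP/1.1" 200',
    '2024-05-01T09:12:09Z 192.0.2.10 "POST /webui/login.html HTTP/1.1" 200',
    '2024-05-01T09:40:51Z 198.51.100.7 "POST /webui/rest/unexpected HTTP/1.1" 200',
    '2024-05-01T09:41:02Z 198.51.100.7 "POST /api/v1/unknown_endpoint HTTP/1.1" 200',
]

# Constructed file listing, one path per line, as exported from the device.
SAMPLE_FILE_LISTING = """\
/usr/binos/conf/README
/usr/binos/conf/bws.lua
/usr/binos/conf/other.cfg
"""

EXPECTED_ADMINS = {"netops-admin"}           # assumption: your known admin accounts
KNOWN_POST_PREFIXES = ("/webui/login", "/webui/logout")  # assumption: legitimate POST paths
IMPLANT_PATH = "/usr/binos/conf/bws.lua"     # path named in the advisory

_USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/')


def unexpected_privileged_users(config_text, expected=EXPECTED_ADMINS):
    """Return privilege-15 usernames that are not on the expected list."""
    return sorted(
        name for name, level in _USER_RE.findall(config_text)
        if int(level) == 15 and name not in expected
    )


def web_ui_enabled(config_text):
    """True if the HTTP or HTTPS server (the CVE-2023-20198 entry point) is on.

    A 'no ip http server' line does not match, so a hardened config returns False.
    """
    lines = {ln.strip() for ln in config_text.splitlines()}
    return "ip http server" in lines or "ip http secure-server" in lines


def suspicious_posts(log_lines, known_prefixes=KNOWN_POST_PREFIXES):
    """Return (line_number, client, uri) for POST requests outside the allowlist."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = _REQ_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        uri = m.group("uri")
        if not uri.startswith(known_prefixes):
            client = line.split()[1]
            hits.append((n, client, uri))
    return hits


def implant_file_present(file_listing):
    """True if the BadCandy Lua script path appears in the exported listing."""
    return any(ln.strip() == IMPLANT_PATH for ln in file_listing.splitlines())


def triage(config_text, log_lines, file_listing):
    """Run all checks and flag the device if any compromise indicator fires."""
    report = {
        "rogue_admins": unexpected_privileged_users(config_text),
        "web_ui_enabled": web_ui_enabled(config_text),
        "suspicious_posts": suspicious_posts(log_lines),
        "implant_file": implant_file_present(file_listing),
    }
    report["compromise_suspected"] = bool(
        report["rogue_admins"] or report["suspicious_posts"] or report["implant_file"]
    )
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RUNNING_CONFIG, SAMPLE_WEB_LOG,
                             SAMPLE_FILE_LISTING).items():
        print(f"{key}: {value}")
```

Feed it the real exports from your own devices and replace the expected-admin set and POST allowlist with values that match your environment; a device where any of `rogue_admins`, `suspicious_posts` or `implant_file` fires should be isolated and handled as compromised, as the steps below describe. `web_ui_enabled` is an exposure finding rather than a compromise indicator, which is why it does not feed into `compromise_suspected`.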

Actionable Steps to Secure Your Network

Protecting your network infrastructure from this threat requires a multi-faceted approach. Waiting to act is not an option, as compromised devices can serve as a gateway for broader network infiltration.

  1. Apply Patches Immediately: Cisco has released software updates to address the underlying CVE-2023-20198 vulnerability. Patching your systems is the most critical step to prevent initial compromise. Ensure all your IOS XE devices are running the latest, secured software version.

  2. Disable Internet-Facing Web UI: As a crucial hardening measure, you should disable the HTTP/HTTPS server feature on all internet-facing systems. If you do not require remote management through the Web UI, turning it off completely eliminates this attack vector.

  3. Conduct a Thorough Investigation: If you find any signs of compromise, you must assume your device and potentially your network have been breached. Isolate the affected device immediately to prevent lateral movement by the attacker. A full investigation should be conducted to determine the extent of the breach and identify any data that may have been exfiltrated.

  4. Reboot and Restore with Caution: Remember that a simple reboot is not enough to remove the BadCandy webshell. After a confirmed compromise, the device must be wiped and restored from a known-good configuration after applying the necessary security patches.

The emergence of the BadCandy webshell highlights the growing trend of attackers deploying persistent implants following an initial exploit. This tactic maximizes their dwell time within a network, giving them ample opportunity to achieve their objectives. It is imperative that all network administrators act swiftly to patch, investigate, and harden their Cisco IOS XE devices against this ongoing threat.

Source: https://securityaffairs.com/184095/hacking/badcandy-webshell-threatens-unpatched-cisco-ios-xe-devices-warns-australian-government.html