Hackers targeting Cisco IOS XE devices with BadCandy implant

A critical vulnerability in Cisco IOS XE is being exploited to install an implant called BadCandy in a renewed wave of attacks, according to warnings from Australian government authorities and multiple security researchers. 

State-linked and criminal hackers have been abusing the vulnerability, tracked as CVE-2023-20198, to install BadCandy on targeted devices since 2023, and have periodically renewed those attacks in waves.

The Australian Signals Directorate warned that more than 400 devices have potentially been compromised in that country since July. As of October, more than 150 devices remained compromised, according to an advisory issued on Friday.

Shadowserver Foundation on Monday warned that the activity is widespread across the globe, with more than 15,000 devices carrying backdoor implants still visible in its scans.

The vulnerability, tracked as CVE-2023-20198, lies in the web user interface (web UI) of Cisco IOS XE software and carries the maximum CVSS severity score of 10. It was disclosed as an actively exploited zero-day in 2023, when more than 42,000 devices were found to have been compromised.

Earlier this year, researchers at GreyNoise tied a series of attacks on Cisco gear to a campaign linked to Salt Typhoon, a state-backed group in China behind a campaign that hit major telecom providers in the U.S. in 2024. 

Rapid7 has observed what it calls “CN Clustered activities” related to a state-sponsored actor that researchers connect to China, but it cannot definitively attribute the activity to a specific group, Christiaan Beek, senior director, threat intelligence and analytics at Rapid7, told Cybersecurity Dive. 

Beek cautioned that it’s important to make a distinction between scanning activity and confirmed exploitation, unless there is confirmation regarding post-exploitation activity or specific execution of commands.

A spokesperson for the Cybersecurity and Infrastructure Security Agency said the agency had no new information on threat activity related to BadCandy. 

CISA added the Cisco flaw to its Known Exploited Vulnerabilities catalog in 2023 and provided additional mitigation guidance at the time. 

Australian authorities said rebooting a device will remove the infection, since the implant does not survive a restart. Attackers who have already obtained credentials or established another form of persistence, however, may still be able to regain access to the device after the reboot.
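As an added example that is not part of the original article, the Python helpers below show the two checks a practitioner would run on a device after reading the above: interpreting the response to the implant probe Cisco Talos published in October 2023 (an HTTPS POST to `/webui/logoutconfirm.html?logon_hash=1`, which an implanted device answers with a bare hexadecimal string), and auditing an IOS XE running-config for the web UI exposure the vulnerability depends on, so that the reboot is paired with actually closing the door. The network request itself is left to the caller. The sample config and response bodies are constructed, the minimum hex length and the wording of the findings are this example's assumptions, and Talos later reported implant variants that check an Authorization header before answering, so a negative probe result is not proof of a clean device.

```python
"""Offline triage helpers for the BadCandy implant and the IOS XE web UI
exposure abused by CVE-2023-20198 (added example, not Cisco or Talos code)."""
import re

# An implanted device answers the Talos probe with a bare hex string (Talos
# reported an 18-character one). The minimum length of 8 is an assumption
# chosen so that trivial bodies such as "0" are not mistaken for the implant.
HEX_BODY_RE = re.compile(r"^[0-9a-fA-F]{8,}$")


def classify_probe_response(body):
    """Interpret the body returned by
    POST https://<device>/webui/logoutconfirm.html?logon_hash=1

    Returns "implant" when the body is the bare hex string BadCandy answers
    with, and "no-implant-response" for anything else (an HTML page, an empty
    body, an error). The negative case is not proof of a clean device."""
    if HEX_BODY_RE.match(body.strip()):
        return "implant"
    return "no-implant-response"


def audit_http_server(running_config):
    """Report what a running-config explicitly says about the web UI.

    Only explicit statements are interpreted: a setting that does not appear
    in the config is reported as None rather than guessed from a platform
    default, which differs between IOS XE releases and devices."""
    audit = {"http": None, "https": None, "access_class": None}
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            audit["http"] = True
        elif line == "no ip http server":
            audit["http"] = False
        elif line == "ip http secure-server":
            audit["https"] = True
        elif line == "no ip http secure-server":
            audit["https"] = False
        elif line.startswith("ip http access-class "):
            # e.g. "ip http access-class ipv4 MGMT-ONLY in": the web UI is
            # restricted to the sources permitted by that ACL.
            audit["access_class"] = line[len("ip http access-class "):]
    return audit


def findings(audit):
    """Turn an audit into the hardening steps Cisco's guidance pointed to:
    disable the web UI, or at minimum restrict it to trusted sources."""
    out = []
    if audit["http"]:
        out.append("web UI enabled over HTTP: add 'no ip http server'")
    if audit["https"]:
        out.append("web UI enabled over HTTPS: add 'no ip http secure-server' "
                   "or restrict it with 'ip http access-class'")
    if (audit["http"] or audit["https"]) and audit["access_class"] is None:
        out.append("no 'ip http access-class' restriction: the web UI is "
                   "reachable from any source address")
    return out


# Constructed sample running-config, not taken from any real device.
SAMPLE_CONFIG = """\
!
hostname edge-router-1
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Constructed sample responses to the probe: one implanted, one not.
IMPLANT_BODY = "0123456789abcdef12\n"
CLEAN_BODY = "<html><body>Logged out</body></html>"


if __name__ == "__main__":
    print("probe (implanted sample):", classify_probe_response(IMPLANT_BODY))
    print("probe (clean sample):    ", classify_probe_response(CLEAN_BODY))
    audit = audit_http_server(SAMPLE_CONFIG)
    print("web UI audit:", audit)
    for item in findings(audit):
        print(" -", item)
```

Run the probe before and after the reboot: the implant check tells you whether the device currently carries BadCandy, while the config audit tells you whether the web UI is still reachable, which is the condition the attacker needs to come back. A device whose config shows `ip http access-class` still needs the referenced ACL reviewed, since the audit only records that a restriction exists.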
