Cisco Warning: Hackers Reinstall Malware After Reboot
- Attackers are actively exploiting a critical vulnerability (CVE-2023-20198) in unpatched Cisco IOS XE devices.
- A malware implant named “BADCANDY” is being deployed, which can be reinstalled by attackers even after an infected device is rebooted.
- Australia’s Signals Directorate (ASD) has issued an urgent advisory, stating that rebooting is an inadequate defense and only patching the vulnerability will prevent re-exploitation.
- The flaw, rated 10.0 for severity, allows attackers to gain complete control of a system through its web UI feature.
A Relentless Threat for Unpatched Cisco Devices
Australia’s Signals Directorate (ASD) issued a stark warning on Friday regarding a persistent and intelligent cyberattack targeting unpatched Cisco IOS XE devices. According to the advisory, unknown threat actors are exploiting a critical vulnerability to install malware and have developed a method to ensure their malicious code remains on the device, even when administrators attempt to remove it.
The 'BADCANDY' Implant and CVE-2023-20198
The core of the attack revolves around CVE-2023-20198, a severe vulnerability with a 10.0 CVSS rating. This flaw allows attackers to exploit the web UI feature in Cisco's IOS XE software, effectively granting them full control of the system. Once they gain access, the attackers deploy a malware implant known as “BADCANDY.”
This particular vulnerability is not new and has been identified as a favorite tool of sophisticated hacking groups, including the notorious Salt Typhoon gang, highlighting the serious and professional nature of the actors behind these campaigns.
Why Rebooting Is a Deceptive and Dangerous Solution
While rebooting an infected Cisco device will temporarily remove the BADCANDY implant, the ASD warns that this action provides a dangerously false sense of security. The agency believes the attackers have a mechanism to detect when their implant has been removed and are actively re-exploiting the unpatched vulnerability to reinstall it.
“ASD believes actors are able to detect when the BADCANDY implant is removed and are re-exploiting the devices,” the official advisory states. Rebooting not only fails to fix the underlying problem but may also alert the attackers that the device is being monitored, potentially prompting them to use more aggressive or stealthy techniques to maintain control.
Patching is the Only Real Defense
The advisory makes it clear that the temporary removal of the malware is insufficient. Rebooting “will not reverse additional actions taken by the threat actor and will not remedy the initial vulnerability exploited to gain access.” The only way to permanently secure the devices and prevent reinfection is to apply the necessary patches for CVE-2023-20198 immediately. The ASD's warning underscores the critical importance of timely patch management to avoid becoming a repeat victim of this persistent threat.
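The advisory's point is that a reboot changes nothing about why the device was reachable in the first place: the web UI configuration, and therefore the exposure of an unpatched device, survives the restart. The following audit script is an added example for this article, not part of the ASD advisory or of Cisco's tooling; it assumes the standard IOS XE commands that enable the web UI (`ip http server`, `ip http secure-server`) and restrict it (`ip http access-class`), and the running-config it inspects is constructed.

```python
"""Audit a Cisco IOS XE running-config for web UI exposure.

Added example; it assumes the IOS XE commands 'ip http server',
'ip http secure-server' and 'ip http access-class <acl>'.
The sample configuration below is constructed for illustration.
"""
import re

# Constructed running-config: both web UI listeners enabled, no access-class.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""


def audit_webui_exposure(running_config: str) -> dict:
    """Report which web UI listeners are enabled and whether an ACL limits them.

    A reboot clears an in-memory implant but leaves this configuration, and
    with it the exposure of an unpatched device, exactly as it was.
    """
    lines = [ln.strip() for ln in running_config.splitlines()]
    # Whole-line matches, so 'no ip http server' does not count as enabled.
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    access_class = None
    for ln in lines:
        m = re.match(r"ip http access-class (?:ipv4 )?(\S+)$", ln)
        if m:
            access_class = m.group(1)
    exposed = (http_enabled or https_enabled) and access_class is None
    return {
        "http": http_enabled,
        "https": https_enabled,
        "access_class": access_class,
        "webui_exposed": exposed,
        # Patching is the fix; the config finding only tells you how reachable
        # the vulnerable feature is until the patch is applied.
        "action": "patch CVE-2023-20198; until patched, disable or restrict the web UI"
        if exposed else "patch CVE-2023-20198",
    }


if __name__ == "__main__":
    for key, value in audit_webui_exposure(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```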