Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities

Talos Incident Response reports active exploitation of Cisco IOS XE Web UI vulnerabilities CVE-2023-20198 and CVE-2023-20273, delivering a Lua-based implant named BadCandy to compromised devices. The operation includes unauthorized local user creation, privilege escalation to root, and defense-evasion steps, with Cisco PSIRT advisories urging immediate remediation. #BadCandy #CVE-2023-20198 #CVE-2023-20273 #CiscoIOSXE

Keypoints

  • Exploitation targets Cisco IOS XE Web UI vulnerabilities exposed to the internet or untrusted networks (CVE-2023-20198).
  • Privileged access is gained (privilege level 15) and then a second vulnerability (CVE-2023-20273) enables command execution on the device.
  • The BadCandy implant is Lua-based and delivered via an HTTP POST to the device, enabling arbitrary command execution.
  • Threat actors created local admin accounts (e.g., cisco_tac_admin, cisco_support) and performed reconnaissance while clearing traces.
  • Variants of BadCandy added HTTP header checks (Authorization, then X-Csrf-Token) to evade detection and broaden access conditions.
  • Cisco’s PSIRT advisory recommends disabling the HTTP/S server on internet-facing systems and provides guidance for detection and remediation.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – ‘Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.’
  • [T1068] Privilege Escalation – ‘The attacker can gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access.’
  • [T1136] Create Account – ‘The new local user accounts have level 15 privileges, meaning they have full administrator access to the device.’
  • [T1059] Command and Scripting Interpreter – ‘the attacker can exploit a second previously unknown vulnerability … to run arbitrary commands with elevated (root) privileges, giving them the ability to run arbitrary commands on the device.’
  • [T1070] Indicator Removal on Host – ‘clearing logs and removing users, likely to hide evidence of their activity’.
  • [T1082] System Information Discovery – ‘information about the device and conducting preliminary reconnaissance using commands listed in the Appendix.’

Indicators of Compromise

  • [IP Address] context – 5.149.249.74, 154.53.56.231
  • [File path] context – /usr/binos/conf/nginx-conf/cisco_service.conf
  • [Username] context – cisco_tac_admin, cisco_support
  • [URL/URI] context – /webui/logoutconfirm.html?logon_hash=1, /%25
  • [HTTP header] context – Authorization header value 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb
  • [HTTP header] context – X-Csrf-Token header presence as part of variant 3 checks
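
The indicators above can be turned into a simple triage pass over web-server access logs and a device's running configuration. The following is an added example written for this summary, not code from Talos or Cisco: it matches the listed source IPs, the implant request paths, the variant Authorization header value, and the created usernames. The access-log field layout (combined format with an assumed trailing quoted Authorization field) and the config lines are constructed sample input, and `expected_admins` is a hypothetical baseline the operator supplies.

```python
"""Triage helpers for the IoCs in the Talos BadCandy summary (added example).

The log format and config excerpt below are constructed for illustration;
the indicator values come from the summary."""
import re
from typing import Dict, List, Set

# Indicators taken from the summary.
IOC_IPS = {"5.149.249.74", "154.53.56.231"}
IOC_USERS = {"cisco_tac_admin", "cisco_support"}
IOC_PATHS = ("/webui/logoutconfirm.html?logon_hash=1", "/%25")
IOC_AUTH_VALUE = "0ff4fbf0ecffa77ce8d3852a29263e263838e9bb"

# Constructed access-log lines: combined format plus an assumed extra quoted
# field carrying the request's Authorization header ("-" when absent).
SAMPLE_LOG = """\
5.149.249.74 - - [17/Oct/2023:10:01:02 +0000] "POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1" 200 18 "-" "curl/8.0" "0ff4fbf0ecffa77ce8d3852a29263e263838e9bb"
10.0.0.5 - - [17/Oct/2023:10:02:00 +0000] "GET /webui/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [17/Oct/2023:10:03:11 +0000] "POST /%25 HTTP/1.1" 200 18 "-" "python-requests/2.31" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<auth>[^"]*)")?'
)


def scan_access_log(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per line that matches any listed network indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("source IP in IoC list")
        if m["method"] == "POST" and m["path"] in IOC_PATHS:
            reasons.append(f"POST to implant path {m['path']}")
        if m["auth"] and IOC_AUTH_VALUE in m["auth"]:
            reasons.append("Authorization header matches BadCandy variant value")
        if reasons:
            findings.append({"ip": m["ip"], "path": m["path"], "reasons": reasons})
    return findings


# Constructed running-config excerpt; the secret hashes are placeholders.
SAMPLE_CONFIG = """\
hostname edge-router
username netops privilege 15 secret 9 $9$CONSTRUCTED_PLACEHOLDER_1
username cisco_tac_admin privilege 15 secret 9 $9$CONSTRUCTED_PLACEHOLDER_2
ip http server
ip http secure-server
"""

USER_RE = re.compile(r"^username (?P<name>\S+) privilege (?P<level>\d+)", re.M)


def scan_running_config(config_text: str, expected_admins: Set[str]) -> List[str]:
    """Flag IoC usernames, unexpected privilege-15 users, and an enabled web UI.

    expected_admins is the operator's own baseline of legitimate level-15 users."""
    findings = []
    for m in USER_RE.finditer(config_text):
        name, level = m["name"], int(m["level"])
        if name in IOC_USERS:
            findings.append(f"IoC username present: {name}")
        elif level == 15 and name not in expected_admins:
            findings.append(f"unexpected privilege-15 user: {name}")
    # The summary notes Cisco's guidance to disable the HTTP/S server on
    # internet-facing systems, so report it when it is still enabled.
    for feature in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{re.escape(feature)}[ \t]*$", config_text, re.M):
            findings.append(f"web UI enabled: '{feature}'")
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']}: {'; '.join(f['reasons'])}")
    for f in scan_running_config(SAMPLE_CONFIG, expected_admins={"netops"}):
        print(f)
```

On the constructed input the log scan flags the first and third lines (the second is a benign GET) and the config scan reports the IoC username and both web-server lines. Cisco's advisory additionally describes a device-facing check, a POST to `/webui/logoutconfirm.html?logon_hash=1` whose response is a hexadecimal string when the implant is present; that check is separate from this log review.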

Read more: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/