ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

BadCandy Web Shell Activity

Risk Factors

The Cisco vulnerabilities CVE-2023-10198 and CVE-2023-20273 are well known and have been exploited by attackers to install the BadCandy web shell. An attacker then can run arbitrary commands and launch attacks on additional internal networks from the web shell.

Kill Chain

Command-and-Control

Risk Score

87

Detection diagram
Next in Command-and-Control: Brute Ratel C&C HTTP Connection

Attack Background

An attacker can install the BadCandy web shell implant by exploiting two well-known vulnerabilities (CVE-2023-20198 and CVE-2023-20273) in the web UI of Cisco IOS XE. After installing the BadCandy implant, an attacker can communicate with the implant by sending an HTTP request that has both a specific path and a query. The query can consist of different commands, depending on the objective of the attacker.

Mitigation Options

Install relevant patches to affected Cisco IOS XE versions

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right