SleepyDuck Malware and BADCANDY Attacks Target Developers and Cisco Devices
Key Insights
SleepyDuck Malware: Disguised as a benign Solidity extension in the Open VSX registry, SleepyDuck uses Ethereum contracts to maintain its command server, ensuring persistence even if the primary server is taken down. Why this matters: This technique allows malware to evade traditional takedown methods, posing a long-term threat to developers.
BADCANDY Attacks: The Australian Signals Directorate (ASD) warns of ongoing attacks exploiting CVE-2023-20198 in Cisco IOS XE devices, using the BADCANDY implant. Why this matters: Unpatched Cisco devices are vulnerable to remote takeover, potentially leading to significant network breaches and data compromise.
In-Depth Analysis
SleepyDuck Malware
The SleepyDuck malware is distributed through a rogue VS Code extension named "juan-bianco.solidity-vlang" on the Open VSX registry. The extension was initially benign but was updated with malicious capabilities after gaining traction. It uses an Ethereum smart contract to update its command-and-control (C2) server address, ensuring redundancy and persistence.
When activated, the malware collects system information and sets up a command execution sandbox. It communicates with a remote server to receive commands, posing a significant risk to developers working with Solidity.
BADCANDY Attacks
The BADCANDY attacks exploit CVE-2023-20198, a critical vulnerability in Cisco IOS XE devices. The vulnerability allows attackers to create an account with elevated privileges and seize control of the system. The ASD has detected ongoing attacks since October 2023, with a surge in compromised devices in Australia.
BADCANDY is a Lua-based web shell that lacks a persistence mechanism, meaning it does not survive system reboots. However, attackers are able to detect when the implant is removed and reinfect the devices if they remain unpatched.
FAQs
How can I protect myself from SleepyDuck malware?
A: Exercise caution when downloading VS Code extensions, only trust reputable publishers, and verify the extension's authenticity. Keep your development environment updated with the latest security patches.
What should I do if my Cisco IOS XE device is vulnerable to BADCANDY?
A: Apply the latest patches provided by Cisco, limit public exposure of the web user interface, and follow Cisco's hardening guidelines. Review your system for unexpected accounts or configurations.
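As an added defensive example (not from the article or from Cisco), a small Python audit over a constructed `show running-config` excerpt that flags the two things the answer above says to review: an enabled web UI and privilege-15 local accounts that are not on a hypothetical administrator-maintained allowlist (`KNOWN_ADMINS`).

```python
"""Audit a Cisco IOS XE running-config for the conditions the FAQ above
asks administrators to review after CVE-2023-20198: an exposed web UI
and privilege-15 accounts nobody on the admin team recognises.
Added example; the config text and account names are constructed."""
import re

# Constructed sample of `show running-config` output, not from a real device.
SAMPLE_CONFIG = """\
hostname edge-router
!
username netadmin privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""

# Hypothetical allowlist of accounts the admin team created on purpose.
KNOWN_ADMINS = {"netadmin"}

# Matches "username <name> privilege <level> ..." at the start of a line.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)

def find_unexpected_privileged_users(config, allowlist):
    """Return privilege-15 usernames that are not on the allowlist."""
    return sorted(
        name for name, level in USER_RE.findall(config)
        if int(level) == 15 and name not in allowlist
    )

def web_ui_enabled(config):
    """True if either HTTP server line is present un-negated.
    'no ip http server' does not match because lines are compared whole."""
    lines = {line.strip() for line in config.splitlines()}
    return any(l in lines for l in ("ip http server", "ip http secure-server"))

def audit(config, allowlist):
    """Collect human-readable findings for the two checks."""
    findings = [f"unexpected privilege 15 account: {u}"
                for u in find_unexpected_privileged_users(config, allowlist)]
    if web_ui_enabled(config):
        findings.append("web UI enabled (ip http server / secure-server); "
                        "restrict exposure or disable if unused")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, KNOWN_ADMINS):
        print(finding)
```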
Key Takeaways
Developers should be vigilant about the VS Code extensions they install and verify their authenticity.
System administrators must promptly patch Cisco IOS XE devices to mitigate the risk of BADCANDY attacks.
Both threats highlight the importance of robust cybersecurity practices, including continuous monitoring and proactive threat detection.
Discussion
Do you think these types of attacks will become more common? Share your thoughts in the comments below!
Disclaimer: Yanuki provides article summaries and links for reference only. Yanuki does not endorse, verify, or guarantee the accuracy of third-party sources. Please review original sources and verify information independently. Managed by the Yanuki Data Engine.