Advisory ID: NCC-CSIRT-2025-024

Summary: 

Cisco has warned of a new attack variant exploiting two zero-day flaws, CVE-2025-20333 and CVE-2025-20362, in ASA and FTD VPN/Web interfaces, enabling unauthenticated RCE (Remote Code Execution), unauthorized access, and persistent DoS attacks through continuous device reloads. The campaign, active since May 2025, leverages advanced malware like RayInitiator and LINE VIPER to achieve persistence and evade detection. CISA and allied CERTs have classified the vulnerabilities as actively exploited, urging organizations to apply patches immediately, perform forensic checks (core-dumps), and restrict or rebuild compromised systems.

Damage/Probability: Critical/High

CVE(s): CVE-2025-20333 and CVE-2025-20362

Product(s): 

• Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
• Cisco Secure Firewall Threat Defense (FTD) Software
• Affected management interfaces: VPN/WebVPN (HTTP/HTTPS) services and related web UI components

Version(s): 

Releases of ASA and FTD containing the VPN/Web server components affected by CVE-2025-20333 and CVE-2025-20362 before Cisco’s published fixes. (Confirm exact build numbers via Cisco Security Advisory.)

Platform(s): 

• Enterprise and service-provider perimeter/firewall appliances (on-premises ASA hardware
• ASAv virtual appliance
• Firepower/FTD deployments, especially devices exposing VPN web interfaces to the internet

Description: 

Two related vulnerabilities disclosed in late September 2025, CVE-2025-20333 (a critical buffer-overflow/RCE in the VPN/Web server) and CVE-2025-20362 (an authorization bypass exposing restricted endpoints), have been weaponized in active campaigns. Attackers have chained these issues to execute arbitrary code as root on vulnerable ASA/FTD devices, create backdoor accounts, disable or adulterate logging, and, in the newest variant, intentionally trigger firmware reloads, producing persistent DoS conditions. Reports indicate the campaign is an evolution of the ArcaneDoor/Storm-1849 activity observed in 2024 and has delivered multiple malware strains (including RayInitiator and LINE VIPER) to affected devices.

Investigations show large numbers of internet-connected ASA/FTD devices remained unpatched as of late September 2025, providing a wide attack surface. In several cases, devices showed signs of tampering that complicate removal (e.g., persistence mechanisms beyond simple file remnants). Authorities recommend treating any evidence of compromise as serious and following forensic guidance (core dumps and coordinated analysis).

Impacts: 

• Full administrative compromise
• Persistent backdoors (firmware tampering)
• Network outages via forced reboot loops
• Lateral movement into protected networks.

Solutions:  

NCC-CSIRT recommend the following mitigation steps:

• Apply Cisco patches for CVE-2025-20333 and CVE-2025-20362 on all ASA/ASAv/FTD devices.
• Follow CISA ED-25-03 and rebuild any compromised or tampered devices.
• Disable unused WebVPN/admin interfaces and restrict management access.
• Rotate admin credentials, review logs, and monitor for new privileged accounts.
• Hunt for anomalies like reload loops, cleared logs, or unknown connections.
• Strengthen logging, SIEM monitoring, and alerts for unusual activities.
• Replace unsupported or legacy ASA devices lacking Secure Boot protections.
• Restrict or disable internet-facing VPN interfaces and monitor for attacks.
• Perform forensic checks for implants and coordinate with CERT or Cisco IR.

References:

• https:/hell/#google_vignette

• https://www.theregister.com/2025/11/06/cisco_firewall_ongoing_attacks/

• https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

• https://www.theregister.com/2025/11/06/cisco_firewall_ongoing_attacks/

• https://www.cybersecuritydive.com/news/cisco-firewall-attack-variant-arcanedoor/805116/

• https://www.bleepingcomputer.com/news/security/cisco-actively-exploited-firewall-flaws-now-abused-for-dos-attacks/

Advisory ID: NCC-CSIRT-2025-023

Summary: 

The Australian Signals Directorate (ASD) has issued an alert on BADCANDY, a malicious implant actively exploiting a critical Cisco IOS XE vulnerability (CVE-2023-20198, CVSS 10.0). The exploit allows remote attackers to gain full administrative control of Cisco routers and switches without authentication. Once compromised, attackers deploy a Lua-based backdoor (BADCANDY) to execute commands, hide traces, and maintain control of affected systems.

Over 400 devices have been compromised globally since July 2025, with active infections reported across telecommunications and internet service networks. The persistence and global spread of this campaign raise concerns that similar attacks could target telecommunication infrastructure in West Africa, including Nigeria, due to the widespread deployment of Cisco IOS XE devices in the region.

Damage/Probability: Critical/High

Product(s): 

• Cisco IOS XE Software (web user interface / HTTP/HTTPS server features)
• Cisco routers and switches running IOS XE with the exposed Web UI feature
• Network edge infrastructure used by Telecom Operators, ISPs, and Government Agencies

Version(s): 

All versions of Cisco IOS XE Software before the official patch for CVE-2023-20198.

Platform(s): 

Edge routers and switches in enterprise, government, and service-provider networks, particularly those with Internet-exposed Web UI features.

Description: 

Attackers exploit the Cisco IOS XE Web UI feature to create a privileged (level 15) account, granting full administrative rights. They then deploy the BADCANDY implant, a Lua-based web shell that executes arbitrary commands and hides malicious configuration changes.

The implant may be removed upon reboot, but attackers can regain access through previously created accounts or re-exploitation of the same vulnerability. Repeated compromises have been observed globally, confirming active and automated scanning for unpatched devices.

Technical indicators include:

• Presence of unknown or unauthorized level 15 privileged accounts (e.g., cisco_tac_admin, cisco_support, or random names).
• Unfamiliar tunnel interfaces or modified routing configurations.
• Unexpected HTTP/HTTPS access to IOS XE management ports from the Internet.
• Logs showing configuration changes outside maintenance windows.

Impacts: 

• Full takeover of routers and switches, allowing interception of traffic, rerouting, and installation of additional malware.
• Data exfiltration and espionage on telecom backbones and enterprise networks.
• Reinfection risk, as ASD confirmed that unpatched devices may be compromised repeatedly even after malware removal.
• Service disruption or manipulation of routing tables, posing significant operational and regulatory risks for telecom operators and ISPs.
• Potential spillover to national networks, as similar tactics could be used against Government communication backbones or critical national infrastructure.

Solutions:  

NCC-CSIRT recommend the following mitigation steps:

• Conduct an immediate security audit of all Cisco IOS XE routers, particularly those with public IP interfaces.
• Immediate patching: Apply Cisco’s official patch for CVE-2023-20198 on all affected IOS XE devices.
• Reboot and harden: Reboot patched devices to clear the implant, then disable the Web UI (IP http server / IP http secure server) unless strictly necessary.
• Account and configuration audit:
• Review all admin-level accounts.
• Remove unknown or unauthorized users.
• Inspect tunnel and interface configurations.
• Restrict access:
• Block HTTP/HTTPS management ports (TCP/80 and 443) from public access.
• Limit administrative access to internal management networks or VPN.
• Implement continuous monitoring:
• Enable AAA logging for configuration changes.
• Use SIEM tools to detect new accounts or altered configurations.
• Apply Cisco hardening guidelines for IOS XE devices used in telecom and enterprise environments.
• Network segmentation: Isolate management interfaces from operational traffic.

References:

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-webui-HfwnRgk

• https://www.bleepingcomputer.com/news/security/australia-warns-of-badcandy-infections-on-unpatched-cisco-devices/

• https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy

•  

  https://thehackernews.com/2025/11/asd-warns-of-ongoing-badcandy-attacks.html

• https://securityaffairs.com/184095/hacking/badcandy-webshell-threatens-unpatched-cisco-ios-xe-devices-warns-australian-government.html

•  

  https://cybersecuritynews.com/cisco-ios-xe-badcandy-web-shell/#google_vignette

•  

  https://cyberpress.org/badcandy-web-shell/

•  

  https://research.splunk.com/web/07c36cda-6567-43c3-bc1a-89dff61e2cd9/

• https://itsecuritynewsbox.com/index.php/2025/11/01/badcandy-webshell-threatens-unpatched-cisco-ios-xe-devices-warns-australian-government/

Advisory ID: NCC-CSIRT-2025-022

Summary: 

Security researchers report that the Aisuru botnet, a powerful Mirai/TurboMirai-class IoT botnet behind multiple record-scale DDoS attacks in 2025, has been retooled from covert DDoS operations into a profitable residential-proxy service model. Instead of solely launching volumetric attacks, Aisuru operators are now renting access to hundreds of thousands of compromised IoT devices as residential proxies, enabling customers (criminal and legitimate alike) to anonymize and route traffic through infected home devices. This pivot enhances the botnet’s longevity and profitability while making malicious traffic more difficult to attribute and block.

Damage/Probability: Critical/High

Product(s): 

• Consumer and small-office/home (SOHO) routers and gateways
• Internet of Things (IoT) devices (IP cameras, DVRs, home gateways, routers)
• Residential broadband CPE and unmanaged devices

Version(s): 

Not version-specific, affects a wide range of unpatched/poorly secured IoT firmware and consumer router firmware versions.

Platform(s): 

• Home and small-office networks
• ISP access networks
• Proxy resale marketplaces that can consume residential proxy capacity.

Description: 

Aisuru is a Mirai-family/TurboMirai-class botnet that has previously been observed launching record-breaking DDoS attacks by enlisting large numbers of insecure IoT devices. Recent telemetry and reporting indicate the operator(s) have added modules and management infrastructure to enable proxy services on infected devices. Compromised devices are exposed as SOCKS/HTTP proxies or otherwise configured to relay arbitrary traffic for paying customers. The botnet retains high-volume DDoS capabilities but now offers a lower-visibility revenue stream, residential proxy rentals, which is attractive to a broad range of cybercriminal activities, including credential stuffing, ad fraud, web scraping, and evading geofencing or content takedowns.

Technical indicators observed across vendor telemetry include unusual outbound connections on proxy ports to customer controllers, persistent processes or scripts on consumer CPE performing proxying, rotation of proxy endpoints to avoid IP blocks, and reuse of known Mirai-style infection vectors (default/weak credentials, exposed administrative interfaces). Netscout/ASERT and other industry teams reported significant outbound DDoS traffic originating from end-customer devices earlier in 2025 and have documented the observable shift in operator behaviour toward proxy monetization.

Impacts: 

• Large, persistent pools of geographically diverse residential IPs for criminals to anonymize and scale malicious campaigns (fraud, credential stuffing, ad-fraud, scraping).
• Increased difficulty for defenders and law enforcement to attribute malicious activity because traffic originates from legitimate residential IP addresses.
• Continued capability to mount massive DDoS attacks when operators choose to, while also monetizing assets via proxy rentals.
• Operational impact on ISPs and customers: bandwidth saturation, degraded service, and reputational exposure of affected subscribers.

Solutions:  

NCC-CSIRT recommend the following mitigation steps:

• Monitor CPE for unusual outbound connections or proxy port activity (1080, 3128, 8080).
• Detect abnormal high-volume upstream traffic and excessive concurrent sessions.
• Use threat intelligence (e.g., Netscout ASERT, X-Lab) to identify Aisuru indicators.
• Block or throttle connections to known C2 and proxy domains.
• Push firmware updates and advise customers to secure or replace vulnerable IoT devices.
• Enforce strong authentication (MFA, rate limits) and monitor for proxy-like traffic patterns.

References:

• https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/

• https://www.netscout.com/blog/asert/asert-threat-summary-aisuru-and-related-turbomirai-botnet-ddos

• https://securityaffairs.com/183969/malware/aisuru-botnet-is-behind-record-20tb-sec-ddos-attacks.html

• https://www.securityweek.com/turbomirai-class-aisuru-botnet-blamed-for-20-tbps-ddos-attacks/

• https://www.csoonline.com/article/4071594/aisurus-30-tbps-botnet-traffic-crashes-through-major-us-isps.html 

Advisory ID: NCC-CSIRT-2025-021

Summary: 

Researchers have discovered a self-propagating malware campaign called SORVEPOTEL, which spreads primarily through WhatsApp messages containing malicious ZIP attachments, and occasionally via email. Once executed, the malware can harvest sensitive data, monitor browser activity, take control of WhatsApp sessions, and automatically forward the infected ZIP file to a victim’s contacts, allowing it to spread rapidly.

The campaign has recorded hundreds of infections, with initial impact concentrated in Brazil, targeting organizations in the manufacturing, banking, education, technology, and construction sectors. Brazilian authorities warn that the malware could evolve to target sensitive government systems, raising concerns about broader regional and international implications.

Damage/Probability: Critical/High

Product(s): 

• WhatsApp (Web/Desktop sessions exploited for propagation)
• Microsoft Windows endpoints (primary infection targets)
• Email clients (alternative delivery channels)

Version(s): 

Not version-specific, affects a wide range of unpatched/poorly secured IoT firmware and consumer router firmware versions.

Platform(s): 

• Windows desktop/laptop environments
• Corporate workstations
• Devices linked to WhatsApp Web (accessed) through a web browser on Windows systems.

Description: 

The SORVEPOTEL malware is distributed through phishing messages sent from compromised WhatsApp accounts or emails that include ZIP attachments disguised as invoices, receipts, or forms. When opened, these files execute a .NET-based loader (e.g., Maverick.StageTwo), which installs the main payload (Maverick.Agent).

The malware establishes persistence through batch scripts and scheduled tasks, monitors browser activity for a list of financial websites, and communicates with command-and-control (C2) servers for further instructions. Critically, it abuses WhatsApp Web/Desktop sessions on infected systems to automatically send the malicious ZIP file to the victim’s contact list, enabling self-spreading propagation.

Although currently focused in Brazil, researchers caution that the malware’s modular structure could be easily adapted to target users in other regions, including West Africa. Its tactics of social engineering, data theft, and automated messaging are consistent with methods observed in regional financial and government-targeted cyber campaigns.

Impacts: 

• Theft of credentials and session tokens from browsers and financial platforms.
• Rapid lateral spread through trusted WhatsApp contacts.
• Compromise of sensitive data, including government and corporate information.
• Disruption of operations and potential reputational damage.

Detection & Indication of Compromise (IoCs): 

• Unexpected WhatsApp messages from known contacts containing ZIP attachments.
• Suspicious .NET executables appearing in “Downloads” or “Temp” folders.
• New batch scripts or scheduled tasks created after ZIP extraction.
• High-volume outbound WhatsApp Web traffic from a desktop device.
• Unusual connections to unrecognized domains following ZIP execution.

Solutions:  

• User Awareness: Do not open ZIP attachments from WhatsApp or email unless verified independently.
• Session Control: Immediately log out of all active WhatsApp Web/Desktop sessions after any suspicious activity.
• Endpoint Protection: Update antivirus and EDR signatures; quarantine any identified infections.
• System Hardening: Restrict execution of unsigned scripts or .NET binaries; apply OS and browser patches.
• Containment: Isolate compromised hosts and review browser and WhatsApp activity logs.
• Messaging Controls: Implement attachment filtering for email and monitor corporate WhatsApp channels.
• Include WhatsApp-based social engineering in security awareness and phishing simulations.
• Instruct SOC teams to monitor for malware families linked to the Maverick loader.
• Strengthen endpoint and network segmentation to limit lateral spread.
• Share any identified IOCs with NCC-CSIRT and relevant national CERTs for coordinated response.

References:

• https://cyberpress.org/malware-attack/

• https://ithelp.harrisburgu.edu/support/discussions/topics/44001025903

• https://kudelskisecurity.com/research/sorvepotel-self-propagating-malware-spreading-via-whatsapp

• https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html

• https://cybersecuritynews.com/threat-actors-attack-windows-systems-with-sorvepotel-malware/

• https://gbhackers.com/sorvepotel-malware/

• https://cyberpress.org/malware-attack/

• https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html

• https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html