- Sekoia spots hackers abusing a known flaw in Cisco devices
- This leads to the discovery of a botnet called PolarEdge
- Most victims are found in the US, but the botnet is “most prevalent” in Asia and South America
A previously-undocumented botnet has been expanding around the world for more than a year, targeting a range of Cisco, ASUS, QNAP, and Synology devices, experts have warned.
Cybersecurity researchers Sekoia observed the attacks on their honeypot, and used the information to detail the campaign, its infrastructure, and targets.
In its report, Sekoia said that as of late 2023, it spotted an unnamed threat actor targeting devices vulnerable to CVE-2023-20118 – an improper user input validation bug affecting different Cisco Small Business Routers. The flaw allowed them to execute arbitrary commands on the affected devices, pulling a malicious payload from a Huawei Cloud server located in Singapore. Digging deeper, Sekoia found traces of the campaign targeting devices from other manufacturers, as well. They named the botnet PolarEdge, and confirmed that at least 2,000 endpoints around the world were infected.
Endgame unknown
The botnet’s goal is unknown at this time, the researchers said.
“The purpose of this botnet has not yet been determined. Cross-checking the IP addresses with our telemetry has not revealed any specific activity,” the report reads.
Usually, cybercriminals would develop a network of infected devices to either run Distributed Denial of Service (DDoS) attacks, set up a residential proxy, run spam and phishing campaigns, spread malware, or engage in click fraud.
The majority of the victims are found in the US, but Sekoia says the botnet appears to be “particularly prevalent” in Asia and South America, although it cannot be certain if this was a deliberate move by the attackers, or just coincidence.
Despite infecting a relatively small amount of devices, Sekoia still deemed PolarEdge a dangerous threat.
“The botnet exploits multiple vulnerabilities across different types of equipment, highlighting its ability to target various systems,” the report concludes.
“The complexity of the payloads further underscores the sophistication of the operation, suggesting that it is being conducted by skilled operators. This indicates that PolarEdge is a well-coordinated and substantial cyber threat.”
Leave a comment