A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023.
French cybersecurity company Sekoia said it observed the unknown threat actors leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices.
The vulnerability remains unpatched due to the routers reaching end-of-life (EoL) status. As mitigations, Cisco recommended in early 2023 that the flaw be mitigated by disabling remote management and blocking access to ports 443 and 60443.
In the attack registered against Sekoia’s honeypots, the vulnerability is said to have been used to deliver a previously undocumented implant, a TLS backdoor that incorporates the ability to listen for incoming client connections and execute commands.
The backdoor is launched by means of a shell script called “q” that’s retrieved via FTP and run following a successful exploitation of the vulnerability. It comes with capabilities to –
- Cleanup log files
- Terminate suspicious processes
- Download a malicious payload named “t.tar” from 119.8.186[.]227
- Execute a binary named “cipher_log” extracted from the archive
- Establish persistence by modifying a file named “/etc/flash/etc/cipher.sh” to run the “cipher_log” binary repeatedly
- Execute “cipher_log,” the TLS backdoor
Codenamed PolarEdge, the malware enters into an infinite loop, establishing a TLS session as well as spawning a child process to manage client requests and execute commands using exec_command.
“The binary informs the C2 server that it has successfully infected a new device,” Sekoia researchers Jeremy Scion and Felix Aimé said. “The malware transmits this information to the reporting server, enabling the attacker to determine which device was infected through the IP address/port pairing.”
Further analysis has uncovered similar PolarEdge payloads being used to target ASUS, QNAP, and Synology devices. All the artifacts were uploaded to VirusTotal by users located in Taiwan. The payloads are distributed via FTP using the IP address 119.8.186[.]227, which belongs to Huawei Cloud.
In all, the botnet is estimated to have compromised 2,017 unique IP addresses around the world, with most of the infections detected in the United States, Taiwan, Russia, India, Brazil, Australia, and Argentina.
“The purpose of this botnet has not yet been determined,” the researchers noted. “An objective of PolarEdge could be to control compromised edge devices, transforming them into Operational Relay Boxes for launching offensive cyber attacks.”
“The botnet exploits multiple vulnerabilities across different types of equipment, highlighting its ability to target various systems. The complexity of the payloads further underscores the sophistication of the operation, suggesting that it is being conducted by skilled operators. This indicates that PolarEdge is a well-coordinated and substantial cyber threat.”
The disclosure comes as SecurityScorecard revealed that a massive botnet comprising over 130,000 infected devices is being weaponized to conduct large-scale password-spraying attacks against Microsoft 365 (M365) accounts by exploiting non-interactive sign-ins with Basic Authentication.
Non-interactive sign-ins are typically used for service-to-service authentication and legacy protocols like POP, IMAP, and SMTP. They do not trigger multi-factor authentication (MFA) in many configurations. Basic Authentication, on the other hand, allows credentials to be transmitted in plaintext format.
The activity, likely the work of a Chinese-affiliated group owing to the use of infrastructure tied to CDS Global Cloud and UCLOUD HK, employs stolen credentials from infostealer logs across a wide range of M365 accounts to obtain unauthorized access and get hold of sensitive data.
“This technique bypasses modern login protections and evades MFA enforcement, creating a critical blind spot for security teams,” the company said. “Attackers leverage stolen credentials from infostealer logs to systematically target accounts at scale.”
“These attacks are recorded in non-interactive sign-in logs, which are often overlooked by security teams. Attackers exploit this gap to conduct high-volume password spraying attempts undetected. This tactic has been observed across multiple M365 tenants globally, indicating a widespread and ongoing threat.”
