A newly uncovered malware campaign has been identified, targeting edge devices from notable manufacturers including Cisco, ASUS, QNAP, and Synology. This campaign, named PolarEdge, has been active since at least late 2023, as reported by French cybersecurity firm Sekoia. The attackers are deploying a backdoor that exploits a critical vulnerability in specific Cisco router models, identified as CVE-2023-20118, which has a Common Vulnerability Scoring System (CVSS) score of 6.5. The flaw allows for arbitrary command execution on vulnerable devices.
Currently, no patch is available for this vulnerability because the affected routers have reached end-of-life (EoL) status. In early 2023, Cisco recommended mitigation steps as workarounds, including disabling remote management and blocking access to certain ports.
Sekoia’s honeypots indicate that the vulnerability has been leveraged to install a previously undocumented implant: a TLS backdoor capable of listening for incoming client connections and executing commands. The backdoor is activated via a shell script named “q,” which is downloaded over FTP after the vulnerability is successfully exploited. This script offers extensive capabilities, including the ability to erase log files, terminate suspicious processes, and download and execute malicious payloads, ultimately establishing persistence on the system by modifying critical files.
The PolarEdge malware operates by creating an infinite loop that initiates a TLS session, managing client requests and executing commands using a function called exec_command. According to Sekoia researchers, once the binary is executed, the malware informs a command-and-control (C2) server about the successful infection of a new device. This intelligence allows the attackers to track infected devices through their IP addresses and associated ports.
Further investigations have revealed that PolarEdge payloads have been observed targeting devices from ASUS, QNAP, and Synology, with distribution occurring via FTP from the IP address 119.8.186.227, associated with Huawei Cloud. Over 2,000 unique IP addresses across the globe, primarily in the United States, Taiwan, and several other countries, have been compromised by the botnet, showcasing a significant geographical spread.
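The two behaviours described above (the implant being staged over FTP from the distribution host, and the backdoor then listening for inbound TLS client connections) can be turned into simple detection rules over firewall connection logs. The following is an added example for this write-up, not code from Sekoia or Cisco; the log format, the edge-device inventory, the management LAN prefix and the management-port allowlist are constructed assumptions, while the staging IP is the one reported in the article.

```python
from collections import defaultdict

STAGING_IPS = {"119.8.186.227"}          # FTP distribution host named in the write-up
FTP_PORT = 21
EDGE_DEVICES = {"203.0.113.10", "203.0.113.11"}   # assumed router inventory (constructed)
MANAGEMENT_PORTS = {22}                  # assumed: only SSH is expected inbound
MANAGEMENT_NET = "10.0.0."               # assumed management LAN prefix (constructed)

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2024-01-05T10:00:01Z 203.0.113.10 198.51.100.5 443 tcp
2024-01-05T10:02:14Z 203.0.113.10 119.8.186.227 21 tcp
2024-01-05T10:02:15Z 203.0.113.10 119.8.186.227 21 tcp
2024-01-05T10:03:00Z 203.0.113.11 198.51.100.9 21 tcp
2024-01-05T10:05:30Z 192.0.2.77 203.0.113.10 8443 tcp
2024-01-05T10:05:31Z 192.0.2.78 203.0.113.10 8443 tcp
2024-01-05T10:06:00Z 10.0.0.5 203.0.113.10 22 tcp
"""

def parse(line):
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}

def find_indicators(log_text, edge_devices=EDGE_DEVICES):
    """Return deduplicated, sorted alerts as (severity, rule, device, detail, port)."""
    alerts = set()
    inbound = defaultdict(set)   # (device, port) -> external source addresses seen
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        # Rule 1: the implant is staged over FTP; a router should never fetch files this way.
        if ev["src"] in edge_devices and ev["port"] == FTP_PORT:
            sev = "high" if ev["dst"] in STAGING_IPS else "medium"
            alerts.add((sev, "outbound_ftp", ev["src"], ev["dst"], ev["port"]))
        # Rule 2: the backdoor opens a TLS listener; with remote management disabled,
        # inbound hits on a non-management port from outside the management LAN are unexpected.
        elif (ev["dst"] in edge_devices and ev["port"] not in MANAGEMENT_PORTS
              and not ev["src"].startswith(MANAGEMENT_NET)):
            inbound[(ev["dst"], ev["port"])].add(ev["src"])
    for (dev, port), sources in inbound.items():
        alerts.add(("medium", "unexpected_listener", dev, f"{len(sources)} sources", port))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG):
        print(*alert)
```

Rule 2 will also fire on legitimately exposed services, so the management-port allowlist must reflect what the device is actually expected to serve.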
The ultimate objective of this botnet remains unclear, although researchers suggest it could enable attackers to control compromised edge devices, potentially turning them into tools for executing further cyberattacks. The operation signifies not only the effectiveness of the malware but also its strategic complexity, underscoring the skill level of the threat actors involved.
The findings coincide with an alarming report from SecurityScorecard detailing a massive botnet comprising over 130,000 infected devices used for extensive password-spraying attacks against Microsoft 365 accounts by exploiting non-interactive sign-ins with Basic Authentication. Such tactics are particularly concerning, as they evade multi-factor authentication (MFA), effectively creating loopholes for unauthorized access.
Overall, the targeting of edge devices through the PolarEdge botnet illustrates an advanced level of sophistication and strategic planning in contemporary cyber threats. This incident serves as a critical reminder that organizations must remain vigilant and proactive in their cybersecurity measures to protect sensitive infrastructures from evolving threats.