A previously undocumented malware campaign has been uncovered that preys on edge networking hardware from Cisco, ASUS, QNAP, and Synology. The operation, dubbed PolarEdge, has been active since late 2023, commandeering vulnerable devices into an expanding botnet.
French cybersecurity firm Sekoia identified the campaign and traced its exploitation of CVE-2023-20118 (CVSS score: 6.5), a vulnerability affecting an array of Cisco Small Business routers, specifically models RV016, RV042, RV042G, RV082, RV320, and RV325. The flaw permits arbitrary command execution, granting attackers deep control over affected hardware.
Because these devices have reached end-of-life (EoL) status, Cisco has not released a patch. As a workaround, administrators were advised in early 2023 to mitigate the risk by disabling remote management and blocking access to ports 443 and 60443.
Deployment of a Stealthy TLS Backdoor
Sekoia’s honeypot observations revealed that the vulnerability is being weaponized to implant a previously undocumented TLS backdoor, which listens for incoming connections and executes commands on the compromised host.
The infection chain relies on a shell script named “q”, retrieved over FTP after exploitation. Once deployed, the script:
- Deletes log files to erase forensic traces.
- Kills processes that could interfere with the attack.
- Downloads a payload named “t.tar” from 119.8.186[.]227.
- Executes “cipher_log”, a malicious binary extracted from the archive.
- Modifies system files to ensure persistent execution of “cipher_log”.
- Runs the TLS backdoor, which executes received commands in an infinite loop.
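The steps above leave artifacts a defender can sweep for: the running binary, the persistence hook in a startup file, and the FTP session to the distribution host. The following Python script is an added example, not Sekoia's tooling or anything from the PolarEdge operators; it scans plain-text lines collected from a device (a process list, a connection table, startup scripts) for the indicators the article names, namely “cipher_log”, “t.tar” and 119.8.186[.]227. The artifact names (`ps`, `netstat`, `rc.local`) and every sample line are constructed for the demonstration.

```python
"""IoC sweep for the PolarEdge host artifacts described above.

Added example, not Sekoia's code. It takes plain-text lines such as a process
list, a connection table and startup scripts pulled from a device, and reports
lines that reference the indicators the article names. All sample lines below
are constructed.
"""
from dataclasses import dataclass

# Indicators from the article: the backdoor binary, the payload archive and the
# FTP host that distributes it.
IOC_FILES = ("cipher_log", "t.tar")
IOC_HOST = "119.8.186.227"


@dataclass(frozen=True)
class Finding:
    source: str   # which artifact the line came from
    line: str     # the offending line, verbatim (whitespace trimmed)
    reason: str   # which indicator matched


def scan_lines(source: str, lines: list[str]) -> list[Finding]:
    """Return one Finding per (line, indicator) match; a clean input yields []."""
    findings = []
    for line in lines:
        for name in IOC_FILES:
            if name in line:
                findings.append(Finding(source, line.strip(), f"references {name}"))
        if IOC_HOST in line:
            findings.append(Finding(source, line.strip(), f"connection to {IOC_HOST}"))
    return findings


def hunt(artifacts: dict[str, list[str]]) -> list[Finding]:
    """Run scan_lines over every artifact collected from one device."""
    return [f for source, lines in artifacts.items() for f in scan_lines(source, lines)]


# Constructed artifacts: what a compromised router and a clean one might show.
INFECTED = {
    "ps": [
        "  412 root   /usr/sbin/httpd",
        "  987 root   /tmp/cipher_log",               # backdoor binary running
    ],
    "netstat": [
        "tcp 0 0 192.0.2.1:443   203.0.113.9:51234   ESTABLISHED",
        "tcp 0 0 192.0.2.1:34567 119.8.186.227:21    ESTABLISHED",   # FTP session to the distribution host
    ],
    "rc.local": [
        "#!/bin/sh",
        "/etc/init.d/network start",
        "/tmp/cipher_log &",                          # persistence hook
    ],
}
CLEAN = {
    "ps": ["  412 root   /usr/sbin/httpd"],
    "netstat": ["tcp 0 0 192.0.2.1:443   203.0.113.9:51234   ESTABLISHED"],
    "rc.local": ["#!/bin/sh", "/etc/init.d/network start"],
}

if __name__ == "__main__":
    for f in hunt(INFECTED):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

Substring matching is deliberately simple so the same function works on whatever text a device can produce; on a real fleet the lists would be fed from a collection script and the findings forwarded to a ticketing or SIEM pipeline rather than printed.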
Once embedded, PolarEdge sustains a perpetual connection, periodically invoking child processes to facilitate remote command execution. According to Sekoia researchers Jeremy Scion and Felix Aimé, the malware communicates with its command-and-control (C2) infrastructure, reporting successful infections by transmitting the compromised device’s IP address and port details.
Widespread Infections Across Global Infrastructure
Further analysis revealed similar payloads targeting ASUS, QNAP, and Synology systems. Artifacts of these intrusions have surfaced on VirusTotal, predominantly uploaded by users in Taiwan. The infections propagate through FTP transfers, with IP 119.8.186[.]227 (linked to Huawei Cloud) serving as a central distribution hub.
To date, the PolarEdge botnet has infected 2,017 unique IP addresses worldwide, with substantial infection clusters detected in:
- United States
- Taiwan
- Russia
- India
- Brazil
- Australia
- Argentina
While its definitive objectives remain unclear, researchers hypothesize that PolarEdge serves as an Operational Relay Box (ORB), using compromised edge devices as relays for further offensive operations. The exploitation of multiple vulnerabilities across disparate platforms underscores the technical capability of its operators, suggesting a highly sophisticated adversary.
A Broader Surge in Botnet-Orchestrated Cyber Offensives
The emergence of PolarEdge coincides with an alarming disclosure from SecurityScorecard, detailing a colossal botnet comprising 130,000+ infected devices. This expansive network is weaponized for large-scale password-spraying campaigns, targeting Microsoft 365 (M365) accounts.
Attackers abuse non-interactive sign-ins, the authentication path normally used for service-to-service access and for legacy protocols (e.g., POP, IMAP, SMTP). In many configurations these sign-ins are not subject to Multi-Factor Authentication (MFA), leaving enterprises exposed to credential stuffing attacks.
A particular China-affiliated adversary is suspected of orchestrating the assault, as evidenced by infrastructure links to CDS Global Cloud and UCLOUD HK. The operation hinges on stolen credentials harvested from infostealer malware logs, which grant unauthorized access to M365 environments.
SecurityScorecard warns that this tactic circumvents modern authentication protections and evades detection because the evidence lands in non-interactive sign-in logs, which many security teams overlook. This gap has allowed adversaries to run high-volume password-spraying attempts and breach organizations worldwide.
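The detection gap described here is a matter of which log is queried, not of missing telemetry. The Python below is an added example, not SecurityScorecard's tooling; it shows the shape of a rule that covers the non-interactive sign-in log: one source IP failing against many distinct accounts inside a short window is the spray signature, and a subsequent success from that same IP marks the accounts most likely compromised. The record fields follow the Microsoft Graph signIn resource (`userPrincipalName`, `ipAddress`, `isInteractive`, `status.errorCode`, `createdDateTime`); the events, addresses and error code used are constructed for the demonstration, and the thresholds are assumptions to tune per tenant.

```python
"""Password-spray detection over Entra ID / M365 sign-in records.

Added example, not SecurityScorecard's tooling. Field names follow the
Microsoft Graph signIn resource; every record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps the sign-in logs use."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _make(user, ip, when, error_code, interactive=False):
    """Build one constructed sign-in record in Graph-like shape."""
    return {
        "userPrincipalName": user,
        "ipAddress": ip,
        "isInteractive": interactive,
        "status": {"errorCode": error_code},   # 0 = success, non-zero = failure
        "createdDateTime": when,
    }


SPRAY_IP = "198.51.100.7"   # constructed attacker address (documentation range)
SAMPLE_EVENTS = [
    # six different accounts, one failed non-interactive attempt each, a minute apart
    *[_make(f"user{i}@example.com", SPRAY_IP, f"2025-02-20T10:0{i}:00Z", 50126) for i in range(6)],
    # an interactive failure from the same IP: visible in the usual log, but only one account
    _make("user9@example.com", SPRAY_IP, "2025-02-20T10:06:00Z", 50126, interactive=True),
    # one user mistyping their own password three times: noisy, but not a spray
    *[_make("alice@example.com", "203.0.113.5", f"2025-02-20T10:1{i}:00Z", 50126) for i in range(3)],
    # the attacker later succeeds against one of the sprayed accounts
    _make("user5@example.com", SPRAY_IP, "2025-02-20T10:07:00Z", 0),
]


def detect_spray(events, min_accounts=5, window=timedelta(minutes=30), non_interactive_only=True):
    """Return {ip: sorted targeted users} for every IP that failed against at
    least `min_accounts` distinct accounts inside some `window`-long span."""
    by_ip = defaultdict(list)
    for e in events:
        if non_interactive_only and e["isInteractive"]:
            continue
        if e["status"]["errorCode"] == 0:   # only failures count toward the spray
            continue
        by_ip[e["ipAddress"]].append((_ts(e["createdDateTime"]), e["userPrincipalName"]))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        flagged = set()
        start = 0
        # sliding window over time-ordered attempts from this IP
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged |= users
        if flagged:
            alerts[ip] = sorted(flagged)
    return alerts


def compromised_accounts(events, alerts):
    """Successful sign-ins from an IP already flagged as spraying: the
    accounts to reset and investigate first."""
    hits = {e["userPrincipalName"] for e in events
            if e["ipAddress"] in alerts and e["status"]["errorCode"] == 0}
    return sorted(hits)


if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    for ip, users in found.items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    print("likely compromised:", compromised_accounts(SAMPLE_EVENTS, found))
```

Running the same rule with `non_interactive_only=False` folds the interactive log in as well; the point of the example is that the default setting, which looks only at the log many teams skip, is already enough to surface the spray.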
In sum, the proliferation of botnet-facilitated cyber intrusions signifies an escalating threat landscape, mandating robust defensive countermeasures and proactive security postures to mitigate emerging risks.