A new malware campaign named PolarEdge has been discovered targeting edge devices from companies like Cisco, ASUS, QNAP, and Synology. The campaign exploits the critical CVE-2023-20118 vulnerability, a flaw in Cisco routers, allowing attackers to execute arbitrary commands on affected devices. The vulnerability remains unpatched due to the devices’ end-of-life status. Cisco had recommended mitigating the flaw by disabling remote management and blocking specific ports, but the malware continues to exploit unpatched devices. Once the flaw is successfully exploited, attackers use a previously unknown implant, a TLS backdoor, to take control of the infected device.
The backdoor, delivered through a shell script named “q” via FTP, enables attackers to perform various malicious actions.
These include cleaning up log files, terminating suspicious processes, and downloading a malicious payload. The backdoor establishes persistence by modifying system files to repeatedly execute the “cipher_log” binary. PolarEdge malware enters an infinite loop to spawn child processes, managing incoming client connections and executing commands. This persistent backdoor connects to a command-and-control server to report successful infections and send device details like IP addresses and port pairings.
The malware campaign also targets ASUS, QNAP, and Synology devices using similar PolarEdge payloads. These devices are infected through FTP, with the payloads traced to an IP address hosted on Huawei Cloud. This botnet has compromised 2,017 unique IP addresses worldwide, with infections reported across multiple countries, including the US, Russia, Taiwan, and Brazil. While the exact purpose of the botnet remains unclear, researchers speculate that it could be used to control compromised devices for launching larger-scale cyberattacks, such as distributed denial-of-service (DDoS) attacks.
The complexity of PolarEdge and its ability to exploit various vulnerabilities across different systems demonstrates the sophistication of the operation. The malware’s deployment and persistence mechanisms highlight the advanced skills of the attackers behind it, suggesting a well-organized cybercrime group. The PolarEdge botnet’s widespread infections underscore the significant risks faced by edge devices, especially those that are no longer receiving security updates. As such, the operation serves as a warning of the increasing threats targeting vulnerable devices globally.
