
The PolarEdge malware campaign has been compromising edge devices from Cisco, ASUS, QNAP, and Synology since at least late 2023 and enrolling them in a botnet. Discovered by Sekoia, the campaign exploits CVE-2023-20118, a command-injection vulnerability in the web-based management interface of Cisco Small Business RV routers, to execute arbitrary commands on devices that no longer receive security updates because they have reached End-of-Life (EoL) status.
Cisco's advice for these routers is to disable remote management and block access to ports 443 and 60443 (the ports used by the remote management interface); nevertheless, many devices remain exposed. In the intrusions Sekoia observed, the attackers used the vulnerability to deploy a previously undocumented TLS-based backdoor that accepts inbound connections and executes the commands it receives.
The malware is delivered by a shell script named "q", fetched over FTP. The script clears the system logs, terminates processes it treats as suspicious, downloads the archive "t.tar" from the attacker's server, extracts the binary "cipher_log", installs it on the device, and configures it to start automatically on boot.
PolarEdge operates as a classic botnet: once infected, a device starts a TLS listener, spawns a child process to handle each client connection, and executes the commands it receives. It also reports its infection details (including its IP address and the listening port) to a C2 server, which lets the operators locate and manage compromised nodes.
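The delivery chain described above (FTP fetch of "q", download of "t.tar", dropped binary "cipher_log", contact with the staging server) can be correlated per device in outbound flow or proxy logs. The following is an added example, not Sekoia's or the page's own code: the log format, field names, sample records, and the 30-minute correlation window are all constructed for this example; only the file names and the Huawei Cloud IP 119.8.186.227 come from the report.

```python
"""Correlate outbound flow records against the PolarEdge delivery chain.

Added example, not Sekoia's or the page's own code. The record format
("timestamp|src_ip|dst_ip|dst_port|proto|filename") and the sample data
are constructed for this example; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the report.
STAGING_C2_IPS = {"119.8.186.227"}   # Huawei Cloud server hosting the payloads
STAGE1_FILE = "q"                    # shell script fetched over FTP
STAGE2_FILE = "t.tar"                # archive containing the backdoor
PAYLOAD_NAME = "cipher_log"          # extracted binary set to autostart

# Constructed sample records (not real traffic). 192.0.2.10 shows the full
# chain, 192.0.2.20 is benign, 192.0.2.30 only matches stage 1 in time.
SAMPLE_LOG = """\
2024-11-02T03:12:41|192.0.2.10|198.51.100.7|21|ftp|q
2024-11-02T03:12:55|192.0.2.10|198.51.100.7|80|http|t.tar
2024-11-02T03:13:20|192.0.2.10|119.8.186.227|443|tls|
2024-11-02T03:15:00|192.0.2.20|203.0.113.5|80|http|firmware.bin
2024-11-02T03:16:10|192.0.2.30|198.51.100.9|21|ftp|q
2024-11-02T09:40:00|192.0.2.30|198.51.100.9|80|http|t.tar
"""


def parse(text):
    """Parse the constructed pipe-separated records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, fname = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "port": int(port), "proto": proto, "file": fname})
    return events


def detect_polaredge(text, window=timedelta(minutes=30)):
    """Return {src_ip: [reasons]} for devices whose traffic matches the chain.

    A stage-1 FTP fetch of "q" followed within `window` by a download of
    "t.tar" is treated as the high-confidence sequence; contact with the
    known staging/C2 address is reported on its own.
    """
    by_src = defaultdict(list)
    for ev in parse(text):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        if any(e["dst"] in STAGING_C2_IPS for e in evs):
            reasons.append("contact with known PolarEdge staging/C2 IP")
        stage1 = [e["ts"] for e in evs if e["proto"] == "ftp" and e["file"] == STAGE1_FILE]
        stage2 = [e["ts"] for e in evs if e["file"] == STAGE2_FILE]
        if any(timedelta(0) <= (t2 - t1) <= window for t1 in stage1 for t2 in stage2):
            reasons.append("FTP fetch of 'q' followed by download of 't.tar'")
        elif stage1:
            reasons.append("FTP fetch of 'q' (stage 1 only, low confidence)")
        if reasons:
            findings[src] = reasons
    return findings


def suspicious_startup_entries(startup_text):
    """Host-side check: return lines of a startup script that reference cipher_log."""
    return [ln.strip() for ln in startup_text.splitlines() if PAYLOAD_NAME in ln]


if __name__ == "__main__":
    for src, why in detect_polaredge(SAMPLE_LOG).items():
        print(src, "->", "; ".join(why))
```

The network check is deliberately per source device, because a single FTP transfer of a file named "q" is too weak on its own; the sequence within a short window, or any contact with the published staging address, is what should page an analyst. The host-side helper is only useful where you can pull startup scripts off the appliance (for example over SSH on a QNAP or Synology unit).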
Beyond Cisco routers, the malware has builds for ASUS, QNAP, and Synology devices. The samples for those platforms were uploaded to VirusTotal from Taiwan, suggesting that Taiwan hosts a large share of the infected devices. The payloads are served from a Huawei Cloud server (IP 119.8.186[.]227), another sign of a well-organized operation.
Sekoia estimates that the botnet has already compromised more than 2,000 devices worldwide, with the largest infection counts in the United States, Taiwan, Russia, India, Brazil, Australia, and Argentina. The attackers' precise objectives remain unclear; the most plausible uses are proxying malicious traffic through the infected devices or launching large-scale DDoS attacks.
Separately, SecurityScorecard identified a botnet of more than 130,000 compromised devices being used to attack Microsoft 365 accounts. The operators run password-spraying attacks through legacy authentication (Basic Authentication) and non-interactive sign-ins, which are often exempt from the multi-factor authentication (MFA) enforcement applied to interactive logins.
The attackers seed the sprays with credentials harvested from infostealer logs, then try them at scale against cloud services to reach sensitive corporate data. Security experts warn that the tactic remains highly effective because most organizations do not monitor non-interactive sign-in logs, so the attempts, and the occasional success, go unnoticed.
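The monitoring gap described above is straightforward to close once the non-interactive sign-in log is actually being read. The following added example (not SecurityScorecard's or the page's own code) flags the spray pattern: one source IP failing authentication for many distinct accounts in a short window, with a legacy client protocol and any successful sign-in from the same address called out. The records are constructed for this example and use field names from the Entra ID sign-in log schema (userPrincipalName, ipAddress, clientAppUsed, isInteractive, status.errorCode); the threshold, window, and the list of legacy client apps are assumptions of this example.

```python
"""Flag password-spray patterns in non-interactive sign-in records.

Added example, not SecurityScorecard's or the page's own code. Records are
constructed; field names follow the Entra ID sign-in log schema. The
thresholds and the legacy-protocol list are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that indicate legacy (Basic) authentication; these
# protocols cannot complete an MFA prompt. Assumed list for this example.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3",
                      "Exchange ActiveSync", "Other clients"}
BAD_PASSWORD = 50126   # Entra error code: invalid username or password
SUCCESS = 0


def _rec(ts, upn, ip, app, code, interactive=False):
    """Build one constructed sign-in record."""
    return {"createdDateTime": datetime.fromisoformat(ts), "userPrincipalName": upn,
            "ipAddress": ip, "clientAppUsed": app, "isInteractive": interactive,
            "status": {"errorCode": code}}


# Constructed sample: 203.0.113.50 sprays four accounts over SMTP and then
# logs in as a fifth; 198.51.100.22 is a user mistyping a password in a
# browser; 192.0.2.77 fails for only two accounts.
SAMPLE_SIGNINS = [
    _rec("2025-02-20T08:00:00", "alice@example.com", "203.0.113.50", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-20T08:01:00", "bob@example.com",   "203.0.113.50", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-20T08:02:00", "carol@example.com", "203.0.113.50", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-20T08:03:00", "dave@example.com",  "203.0.113.50", "Authenticated SMTP", BAD_PASSWORD),
    _rec("2025-02-20T08:04:00", "erin@example.com",  "203.0.113.50", "Authenticated SMTP", SUCCESS),
    _rec("2025-02-20T08:10:00", "alice@example.com", "198.51.100.22", "Browser", BAD_PASSWORD, True),
    _rec("2025-02-20T08:11:00", "alice@example.com", "198.51.100.22", "Browser", SUCCESS, True),
    _rec("2025-02-20T08:20:00", "frank@example.com", "192.0.2.77", "Mobile Apps and Desktop clients", BAD_PASSWORD),
    _rec("2025-02-20T08:21:00", "grace@example.com", "192.0.2.77", "Mobile Apps and Desktop clients", BAD_PASSWORD),
]


def detect_spray(records, window=timedelta(minutes=10), min_users=3):
    """Return {ip: finding} for IPs that failed >= min_users distinct accounts
    within `window` in the non-interactive log."""
    by_ip = defaultdict(list)
    for r in records:
        if r["isInteractive"]:
            continue   # this detection looks only at non-interactive sign-ins
        by_ip[r["ipAddress"]].append(r)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda r: r["createdDateTime"])
        fails = [e for e in evs if e["status"]["errorCode"] == BAD_PASSWORD]
        best = 0
        for i, first in enumerate(fails):   # sliding window over failures
            t0 = first["createdDateTime"]
            users = {e["userPrincipalName"] for e in fails[i:]
                     if e["createdDateTime"] - t0 <= window}
            best = max(best, len(users))
        if best >= min_users:
            findings[ip] = {
                "distinct_users_failed": best,
                "legacy_auth": sorted({e["clientAppUsed"] for e in evs
                                       if e["clientAppUsed"] in LEGACY_CLIENT_APPS}),
                "successful_signins_from_ip": sorted({e["userPrincipalName"] for e in evs
                                                      if e["status"]["errorCode"] == SUCCESS}),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_SIGNINS).items():
        print(ip, f)
```

The distinct-user count is the discriminator: a legitimate user locking themselves out produces many failures for one account, while a spray produces one or two failures each for many accounts. Reporting any success from the same address turns a noisy alert into an incident, and the legacy-protocol field points directly at the policy gap (no MFA on Basic Authentication) that made the spray viable.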
The growth of botnets such as PolarEdge and the 130,000-device spraying network shows how quickly attacker capabilities are evolving. Both underline the need for proactive measures: replacing or patching EoL firmware, monitoring for anomalous network traffic and sign-in activity, and disabling vulnerable or unneeded services, such as remote management on exposed edge devices.