Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet


  • Sekoia spots hackers abusing a known flaw in Cisco devices
  • This leads to the discovery of a botnet called PolarEdge
  • Most victims are found in the US, but the botnet is "most prevalent" in Asia and South America

A previously undocumented botnet has been expanding around the world for more than a year, targeting a range of Cisco, ASUS, QNAP, and Synology devices, experts have warned.

Cybersecurity researchers at Sekoia observed the attacks on their honeypot and used that information to detail the campaign, its infrastructure, and its targets.

In its report, Sekoia said that in late 2023 it spotted an unnamed threat actor targeting devices vulnerable to CVE-2023-20118, an improper input validation bug affecting several Cisco Small Business Routers. The flaw allowed the attackers to execute arbitrary commands on the affected devices and pull a malicious payload from a Huawei Cloud server located in Singapore. Digging deeper, Sekoia found traces of the same campaign targeting devices from other manufacturers as well. The researchers named the botnet PolarEdge and confirmed that at least 2,000 endpoints around the world were infected.

Endgame unknown

The botnet’s goal is unknown at this time, the researchers said.

“The purpose of this botnet has not yet been determined. Cross-checking the IP addresses with our telemetry has not revealed any specific activity,” the report reads.

Typically, cybercriminals build a network of infected devices to run Distributed Denial of Service (DDoS) attacks, set up a residential proxy, run spam and phishing campaigns, spread malware, or engage in click fraud.

The majority of the victims are found in the US, but Sekoia says the botnet appears to be “particularly prevalent” in Asia and South America, although it cannot be certain whether this was a deliberate choice by the attackers or just coincidence.

Despite infecting a relatively small number of devices, Sekoia still deemed PolarEdge a dangerous threat.

“The botnet exploits multiple vulnerabilities across different types of equipment, highlighting its ability to target various systems,” the report concludes.

“The complexity of the payloads further underscores the sophistication of the operation, suggesting that it is being conducted by skilled operators. This indicates that PolarEdge is a well-coordinated and substantial cyber threat.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
