A recently discovered malware campaign has been targeting edge devices from reputable manufacturers such as Cisco, ASUS, QNAP, and Synology, aiming to recruit them into a botnet known as PolarEdge, with the earliest signs of activity dating back to late 2023.
According to French cybersecurity firm Sekoia, the company’s research revealed that unknown threat actors are exploiting CVE-2023-20118 (CVSS score: 6.5), a critical security vulnerability affecting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers, potentially leading to arbitrary command execution on affected devices.
Since these routers have reached their end-of-life status, the vulnerability remains unpatched. To mitigate the issue, Cisco recommended disabling remote management and blocking access to ports 443 and 60443 in early 2023.
The attack detected by Sekoia’s honeypots involved the exploitation of this vulnerability to deliver a previously undocumented implant, a TLS backdoor capable of listening for incoming client connections and executing commands.
The backdoor is initiated via a shell script named “q,” which is retrieved through FTP and executed following the successful exploitation of the vulnerability. Its capabilities include:
- Deleting log files
- Terminating suspicious processes
- Downloading a malicious payload called “t.tar” from the IP address 119.8.186[.]227
- Executing a binary named “cipher_log” extracted from the archive
- Establishing persistence by modifying a file named “/etc/flash/etc/cipher.sh” to run the “cipher_log” binary repeatedly
- Executing “cipher_log,” the TLS backdoor
Codenamed PolarEdge, the malware enters an infinite loop, establishing a TLS session and spawning a child process to manage client requests and execute commands using exec_command.
“The binary informs the C2 server that it has successfully infected a new device,” Sekoia researchers Jeremy Scion and Felix Aimé explained. “The malware transmits this information to the reporting server, enabling the attacker to determine which device was infected through the IP address/port pairing.”
Further analysis revealed similar PolarEdge payloads targeting ASUS, QNAP, and Synology devices, with all artifacts uploaded to VirusTotal by users in Taiwan. The payloads are distributed via FTP using the IP address 119.8.186[.]227, which belongs to Huawei Cloud.
In total, the botnet is estimated to have compromised 2,017 unique IP addresses worldwide, with the majority of infections detected in the United States, Taiwan, Russia, India, Brazil, Australia, and Argentina.
“The purpose of this botnet has not yet been determined,” the researchers noted. “One possible objective of PolarEdge could be to control compromised edge devices, transforming them into Operational Relay Boxes for launching offensive cyber attacks.”
“The botnet exploits multiple vulnerabilities across different types of equipment, highlighting its ability to target various systems. The complexity of the payloads further underscores the sophistication of the operation, suggesting that it is being conducted by skilled operators. This indicates that PolarEdge is a well-coordinated and substantial cyber threat.”
This disclosure comes as SecurityScorecard revealed that a massive botnet comprising over 130,000 infected devices is being used to conduct large-scale password-spraying attacks against Microsoft 365 (M365) accounts by exploiting non-interactive sign-ins with Basic Authentication.
Non-interactive sign-ins are typically used for service-to-service authentication and legacy protocols like POP, IMAP, and SMTP. They do not trigger multi-factor authentication (MFA) in many configurations. Basic Authentication, on the other hand, allows credentials to be transmitted in plaintext format.
The activity, likely attributed to a Chinese-affiliated group due to the use of infrastructure tied to CDS Global Cloud and UCLOUD HK, employs stolen credentials from infostealer logs across a wide range of M365 accounts to gain unauthorized access and obtain sensitive data.
“This technique bypasses modern login protections and evades MFA enforcement, creating a critical blind spot for security teams,” the company said. “Attackers leverage stolen credentials from infostealer logs to systematically target accounts at scale.”
“These attacks are recorded in non-interactive sign-in logs, which are often overlooked by security teams. Attackers exploit this gap to conduct high-volume password spraying attempts undetected. This tactic has been observed across multiple M365 tenants globally, indicating a widespread and ongoing threat.”
