
A new malware campaign is hijacking edge devices from Cisco, ASUS, QNAP, and Synology and enrolling them in the growing PolarEdge botnet. By exploiting unpatched vulnerabilities, among them CVE-2023-20118 in the web management interface of Cisco Small Business RV-series routers, the attackers turn outdated routers into remotely controlled nodes. The campaign illustrates the growing threat to network infrastructure, particularly end-of-life and unmanaged devices that nobody patches or watches.
The increasing reliance on networked devices, from small business routers to enterprise storage appliances, has made the network edge an attractive target. Many of these devices run with little security oversight: no regular patching, no endpoint agent, and little or no log collection. That makes them an ideal entry point for attackers who want a foothold in the broader network. PolarEdge shows how a capable operator turns such unpatched vulnerabilities into long-term control of the device.
Devices about to be turned into ice
PolarEdge primarily infects Cisco Small Business RV-series routers, which have reached end of life and no longer receive security updates; Cisco has stated that no fix will be released for CVE-2023-20118 on these models. These routers are common in small businesses and branch offices, which rarely have the monitoring needed to notice a compromised gateway. The botnet has also spread to ASUS, QNAP, and Synology devices, broadening its footprint across vendors. Infections have been reported in Taiwan, the United States, Russia, India, Brazil, Australia, and Argentina, so the botnet is both widespread and geographically dispersed.
The choice of targets is deliberate. Routers and network storage devices sit on the path between users and the internet or cloud services, so a compromised device gives the attacker a persistent position from which to capture or alter traffic, exfiltrate data, stage further payloads, and pivot into the internal network. Infected devices can also serve as proxy nodes for other operations, hiding the true origin of later malicious activity behind the IP address of a legitimate business.
Chilly backdoor
The attack begins with exploitation of a known vulnerability in the router's web management interface, which drops and runs a shell script named q. The script fetches and executes the next stage and is built for stealth and persistence: it wipes system logs to remove forensic traces, kills processes that could observe or interfere with the infection, and installs the cipher_log binary as a persistent backdoor that survives reboots. Because the vulnerable component is the management interface, only devices that expose that interface (to the internet, or to an attacker already on an adjacent network) are reachable in the first place.
A defining feature of PolarEdge is its use of TLS for the command-and-control channel. Because the backdoor's traffic is encrypted and uses the same protocol as ordinary HTTPS, it blends in with legitimate traffic and defeats detection based on payload inspection alone. The researchers at Sekoia who documented the botnet found the payload delivery server hosted on Huawei Cloud; that tells us where the staging infrastructure was rented, not who the operators are.
The impact of such a persistent and stealthy infection is significant. Compromised devices can be used to launch distributed denial-of-service (DDoS) attacks, to harvest credentials that pass through the gateway, or to act as relay points in longer cyber-espionage campaigns. Its ability to target several vendors at once makes PolarEdge an example of the cross-platform botnets that operators are now building against the network edge.
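The infection chain above leaves three artefacts a responder can look for on a suspect device: the dropped files q and cipher_log in a writable directory, a wholesale wipe of /var/log, and a running cipher_log process. The following is an added example, not Sekoia's code or a tool from the page, that runs those checks over an offline snapshot of a device (a file listing plus a process list). The snapshot format, the directory lists, and the sample data are constructed for the example.

```python
"""Host triage for the PolarEdge infection pattern (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    files: dict[str, int]   # path -> size in bytes (from a file listing)
    processes: list[str]    # command lines (from a process listing)


# Names taken from the public description of the chain; directories are assumptions.
DROPPED_NAMES = {"q", "cipher_log"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")
LOG_DIR = "/var/log/"


def triage(snap: HostSnapshot) -> list[str]:
    """Return a list of findings; an empty list means none of the indicators matched."""
    findings = []

    # 1. Dropped stage files in a writable location.
    for path, size in snap.files.items():
        name = path.rsplit("/", 1)[-1]
        if name in DROPPED_NAMES and path.startswith(WRITABLE_DIRS):
            findings.append(f"dropped file in writable dir: {path} ({size} bytes)")

    # 2. Log wipe. A single empty log is normal; every log being empty at once is not.
    log_sizes = [s for p, s in snap.files.items() if p.startswith(LOG_DIR)]
    if log_sizes and all(s == 0 for s in log_sizes):
        findings.append(f"all {len(log_sizes)} files under {LOG_DIR} are zero-length")

    # 3. The backdoor process itself.
    for cmd in snap.processes:
        parts = cmd.split()
        argv0 = parts[0].rsplit("/", 1)[-1] if parts else ""
        if argv0 == "cipher_log":
            findings.append(f"backdoor process running: {cmd}")

    return findings


# Constructed snapshots, not real captures.
INFECTED = HostSnapshot(
    files={
        "/tmp/q": 812,
        "/tmp/cipher_log": 153600,
        "/var/log/messages": 0,
        "/var/log/syslog": 0,
        "/etc/hostname": 12,
    },
    processes=["/tmp/cipher_log", "/usr/sbin/httpd", "init"],
)

CLEAN = HostSnapshot(
    files={
        "/var/log/messages": 48213,
        "/var/log/syslog": 0,
        "/etc/hostname": 12,
    },
    processes=["/usr/sbin/httpd", "init"],
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, triage(snap))
```

The file-name checks are deliberately narrow and trivially evaded by a renamed build; the log-wipe check is the more durable signal, because an attacker who clears /var/log cannot also make the directory look untouched. On a real appliance the snapshot would come from a serial console or SSH session, since these routers rarely allow an agent to be installed.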
Melting the ice
To mitigate the risks posed by PolarEdge, organizations must take proactive security measures:
- Replace the affected Cisco RV routers. They are end of life, will not receive a fix, and stay exploitable for as long as they remain in service.
- Disable remote (WAN-side) management and block inbound access to the management ports, 443 and 60443 on these routers, so the vulnerable interface is not reachable from the internet.
- Monitor network traffic continuously, in particular for TLS sessions initiated by the router itself to unfamiliar destinations and for other anomalies in flow or firewall logs, so an infection is caught before it is used.
- Apply current firmware to ASUS, QNAP, and Synology devices to close the known vulnerabilities the campaign abuses.
- Segment the network so that a compromised edge device cannot reach internal systems directly; this limits lateral movement and the damage a single infection can do.
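Two of the items above translate directly into flow-log rules: inbound connections to the routers' management ports from anything other than known administration hosts, and TLS sessions that a router opens on its own towards destinations that are not known vendor or update endpoints. The following is an added example, not the page's or any vendor's code, that applies both rules to a constructed flow log. The router address, trusted ranges, allow-list, and records are assumptions; TCP/443 is used as a stand-in for TLS, which real deployments would confirm with protocol inspection or JA3/SNI data.

```python
"""Flow-log checks for exposed management ports and router-originated TLS (added example)."""
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed environment (documentation address ranges, not real hosts).
ROUTERS = {"203.0.113.10"}                               # WAN addresses of the edge devices
MGMT_PORTS = {443, 60443}                                # Cisco RV web-management ports
TRUSTED_SOURCES = [ip_network("198.51.100.0/24")]        # e.g. the MSP's jump hosts
KNOWN_TLS_DESTINATIONS = [ip_network("192.0.2.0/24")]    # e.g. vendor update servers

# Constructed flow records: ts,src_ip,src_port,dst_ip,dst_port,proto
FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto
2025-02-20T10:00:01Z,198.51.100.7,51000,203.0.113.10,443,tcp
2025-02-20T10:00:05Z,203.0.113.77,40212,203.0.113.10,60443,tcp
2025-02-20T10:01:13Z,203.0.113.10,33011,192.0.2.20,443,tcp
2025-02-20T10:02:40Z,203.0.113.10,33017,203.0.113.200,443,tcp
2025-02-20T10:03:00Z,203.0.113.10,33020,203.0.113.200,53,udp
"""


def in_any(ip: str, networks) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def detect(flow_csv: str) -> list[dict]:
    """Return one alert dict per matching flow, in log order."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "tcp":
            continue
        src, dst, dport = row["src_ip"], row["dst_ip"], int(row["dst_port"])

        # Rule 1: the management interface is reachable from an untrusted source.
        if dst in ROUTERS and dport in MGMT_PORTS and not in_any(src, TRUSTED_SOURCES):
            alerts.append({"rule": "mgmt_exposed", "ts": row["ts"],
                           "src": src, "dst": dst, "port": dport})

        # Rule 2: the router itself opens a TLS session to an unknown destination.
        if src in ROUTERS and dport == 443 and not in_any(dst, KNOWN_TLS_DESTINATIONS):
            alerts.append({"rule": "router_tls_out", "ts": row["ts"],
                           "src": src, "dst": dst, "port": dport})
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Rule 1 fires on the second record (a random internet host reaching port 60443) and is the exposure the exploit needs; if it fires at all, the fix is the firewall, not the detection. Rule 2 fires on the fourth record and depends entirely on the quality of the destination allow-list, which is why it should be tuned against a baseline of the router's normal outbound traffic before being used for alerting.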
As botnets like PolarEdge evolve, defenders need to treat network equipment as part of the attack surface rather than as plumbing. The targeting of edge devices calls for a shift in strategy: inventory and patch routers and NAS appliances with the same discipline applied to servers and endpoints, and retire hardware that can no longer be patched. Organizations that leave end-of-life gateways on the internet will keep being the easiest targets as operators refine their tooling.
With its ability to exploit multiple platforms, maintain persistence, and evade detection, PolarEdge represents a growing threat to enterprise networks worldwide. As cybercriminals adapt their tactics, organizations must remain vigilant by securing vulnerable infrastructure, monitoring for unusual activity, and implementing robust defensive strategies to prevent their devices from being hijacked into the next wave of cyberattacks.