- Sekoia spots hackers abusing a known flaw in Cisco devices
- This leads to the discovery of a botnet called PolarEdge
- Most of the victims are in the United States, but the botnet is "more prevalent" in Asia and South America.
A botnet has been spreading worldwide for more than a year, targeting a variety of Cisco, Asus, QNAP and Synology devices, experts have warned.
Cybersecurity researchers at Sekoia observed the attacks on their honeypot, and used the information to detail the campaign, its infrastructure and its objectives.
In its report, Sekoia said that at the end of 2023 it spotted an unidentified threat actor targeting devices vulnerable to CVE-2023-20118, an improper user input validation flaw affecting several Cisco small business routers. The flaw allowed the attackers to execute arbitrary commands on the affected devices, fetching a malicious payload from a Huawei Cloud server located in Singapore. Digging deeper, Sekoia also found traces of the campaign targeting devices from other manufacturers. They named the botnet PolarEdge and confirmed that at least 2,000 endpoints worldwide were infected.
Endgame unknown
The objective of the botnet is unknown at this time, the researchers said.
"The purpose of this botnet has not yet been determined. Cross-checking the IP addresses against our telemetry has not revealed any specific activity," the report says.
Typically, cybercriminals build a network of infected devices to run distributed denial-of-service (DDoS) attacks, operate a residential proxy, run spam and phishing campaigns, distribute malware, or take part in click fraud.
The majority of the victims are in the USA.
Despite infecting a relatively small number of devices, Sekoia still considers PolarEdge a dangerous threat.
"The botnet exploits multiple vulnerabilities in different types of equipment, highlighting its ability to target several systems," the report concludes.
"The complexity of the payloads further underlines the sophistication of the operation, which suggests that skilled operators are carrying it out. This indicates that PolarEdge is a well-coordinated and substantial cyber threat."