PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices
Briefly

A malware campaign named PolarEdge is exploiting a critical vulnerability (CVE-2023-20118) in Cisco's end-of-life routers to build a botnet. Discovered by French cybersecurity firm Sekoia, the campaign installs a TLS backdoor through a shell script run after exploitation. The malware's capabilities include log file cleanup, persistent execution, and reporting back to a command-and-control server. Because the routers have reached end-of-life (EoL) status, the vulnerability will not be patched; the recommended mitigations are to disable remote management and block the affected ports.
"The binary informs the C2 server that it has successfully infected a new device," Sekoia researchers Jeremy Scion and Felix Aimé said.
"We observed that the vulnerability remains unpatched due to the routers reaching end-of-life (EoL) status."
"Cisco recommended in early 2023 that the flaw be mitigated by disabling remote management and blocking access to ports 443 and 60443."
"The malware transmits this information to the reporting server, enabling the attack to grow with each infected device."
Read at The Hacker News