PolarEdge: Unveiling An Uncovered ORB Network

Summary:
Sekoia has uncovered details of a new campaign targeting edge devices and integrating them into a sophisticated botnet dubbed "PolarEdge." Based on network traces captured by Sekoia's honeypots, the actors were observed on two separate occasions exploiting CVE-2023-20118, a remote code execution vulnerability in the web-based management interface of Cisco Small Business routers.

Between January 22 and 31, 2025, CVE-2023-20118 was used to deploy a webshell on the targeted routers. Through the webshell, the attackers uploaded a file named tmp[REDACTED].tar.gz to the router's /tmp/ directory and then attempted to extract and execute a shell script from the archive. The complete file could not be retrieved, but Sekoia suspects the webshell is used to deliver a second-stage payload that the attacker deletes afterwards.

On February 10, 2025, exploitation of CVE-2023-20118 was observed again, this time to retrieve and run a shell script named "q" over FTP. The script cleans up log files, terminates suspicious processes, downloads and executes "cipher_log", a previously undocumented TLS backdoor, and establishes persistence by modifying "/etc/flash/etc/cipher.sh" so that the cipher_log binary is repeatedly relaunched. The backdoor itself listens for incoming client connections over TLS and executes the commands it receives.
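As an added example (not Sekoia's tooling and not code from the report), the following Python triage routine checks a device snapshot for the host-level artefacts named above: a "cipher_log" process, a /etc/flash/etc/cipher.sh that has been repurposed to launch cipher_log, and a tmp*.tar.gz staging archive left in /tmp. The snapshot format (a path-to-content mapping plus BusyBox-style ps lines), the assumption that cipher.sh relaunches the binary via a shell loop, and the tmp*.tar.gz name pattern (the report redacts the real name) are all assumptions of this example; the sample data is constructed, not a real capture.

```python
"""Triage a router snapshot for the PolarEdge artefacts described by Sekoia.

Added example, not Sekoia's code. Sample inputs below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Path and binary name as given in the Sekoia report.
PERSISTENCE_SCRIPT = "/etc/flash/etc/cipher.sh"
BACKDOOR_NAME = "cipher_log"
# The report redacts the archive name ("tmp[REDACTED].tar.gz"); matching the
# visible prefix and suffix is an assumption of this example.
STAGING_RE = re.compile(r"^/tmp/tmp[^/]*\.tar\.gz$")
# The report says cipher.sh "repeatedly runs" cipher_log; treating a shell
# loop as the mechanism is an assumption of this example.
LOOP_RE = re.compile(r"\b(while|until|for)\b")


@dataclass(frozen=True)
class Finding:
    indicator: str  # indicator class: persistence, persistence-loop, process, staging
    evidence: str   # the path or line that triggered it


def check_persistence(files: dict[str, str]) -> list[Finding]:
    """Flag cipher.sh if a non-comment line launches the backdoor binary."""
    findings: list[Finding] = []
    content = files.get(PERSISTENCE_SCRIPT)
    if content is None:
        return findings
    for line in content.splitlines():
        if BACKDOOR_NAME in line and not line.lstrip().startswith("#"):
            findings.append(Finding("persistence", f"{PERSISTENCE_SCRIPT}: {line.strip()}"))
    if findings and LOOP_RE.search(content):
        findings.append(Finding("persistence-loop",
                                f"{PERSISTENCE_SCRIPT} relaunches {BACKDOOR_NAME} in a loop"))
    return findings


def check_processes(ps_lines: list[str]) -> list[Finding]:
    """Flag a running process whose executable basename is cipher_log.

    Assumes BusyBox ps layout: PID USER VSZ STAT COMMAND (command is field 5).
    """
    findings: list[Finding] = []
    for line in ps_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        exe = fields[4].rsplit("/", 1)[-1]
        if exe == BACKDOOR_NAME:
            findings.append(Finding("process", line.strip()))
    return findings


def check_staging(files: dict[str, str]) -> list[Finding]:
    """Flag a tmp*.tar.gz archive left in /tmp from the first-stage upload."""
    return [Finding("staging", path) for path in sorted(files) if STAGING_RE.match(path)]


def triage(files: dict[str, str], ps_lines: list[str]) -> list[Finding]:
    """Run all checks and return every finding (empty list means no indicator hit)."""
    return check_persistence(files) + check_processes(ps_lines) + check_staging(files)


# Constructed sample snapshots (not real captures).
INFECTED_FILES = {
    "/etc/flash/etc/cipher.sh": "#!/bin/sh\nwhile true; do\n  /tmp/cipher_log\n  sleep 30\ndone\n",
    "/tmp/tmpAbC123.tar.gz": "<constructed placeholder for binary content>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
}
INFECTED_PS = [
    "  PID USER       VSZ STAT COMMAND",
    "    1 root      1200 S    init",
    "  101 root      1300 S    /usr/sbin/httpd",
    "  442 root      2048 S    /tmp/cipher_log",
]
CLEAN_FILES = {
    "/etc/flash/etc/cipher.sh": "#!/bin/sh\n# vendor script (constructed)\nexit 0\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
}
CLEAN_PS = INFECTED_PS[:3]

if __name__ == "__main__":
    for name, files, ps in (("infected", INFECTED_FILES, INFECTED_PS),
                            ("clean", CLEAN_FILES, CLEAN_PS)):
        hits = triage(files, ps)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  [{f.indicator}] {f.evidence}")
```

On a real device the same checks would be fed from `cat /etc/flash/etc/cipher.sh`, `ps`, and `ls /tmp`; a clean snapshot must produce no findings, which is why the clean sample is included alongside the infected one.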

Security Officer Comments:
The PolarEdge botnet has been active since 2023 and currently consists of over 2,000 infected devices, primarily Cisco routers. Through a VirusTotal search for distinctive patterns found in the TLS backdoor, Sekoia discovered four additional payloads. Hardcoded URL parameters suggest these payloads target Asus, QNAP, and Synology devices, bringing them into the PolarEdge botnet as well. The purpose of the botnet has not yet been determined; Sekoia suggests the compromised edge devices could be repurposed as operational relay boxes (ORBs) from which to launch offensive cyber attacks.

Suggested Corrections:
Organizations should patch vulnerabilities such as CVE-2023-20118 on edge devices wherever a fix exists. Note that the Cisco Small Business router models affected by CVE-2023-20118 are end-of-life and Cisco has stated they will not receive a fix, so the practical mitigations there are to disable remote (WAN-side) management, which is Cisco's recommended workaround, or to replace the device. Unique passwords and multi-factor authentication should be enforced wherever possible. Reducing internet exposure of management interfaces, implementing network segmentation, and securing remote access through VPNs are crucial steps in preventing intrusions. Blocking IPs linked to known botnets and regularly reviewing device configurations and access logs can further reduce the risk of device and network compromise.

PolarEdge IOCs are published by Sekoia alongside the report linked below.

Link(s):
https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/