Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 538 of 2,445    |
|    Mike Powell to All    |
|    Devices hijacked to botne    |
|    01 Mar 25 12:55:00    |
TZUTC: -0500
MSGID: 252.consprcy@1:2320/105 2c288295
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1

Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet

Date:
Fri, 28 Feb 2025 16:14:00 +0000

Description:
The goal of the botnet has not yet been determined, but many devices are under threat.

FULL STORY
======================================================================

- Sekoia spots hackers abusing a known flaw in Cisco devices
- This leads to the discovery of a botnet called PolarEdge
- Most victims are found in the US, but the botnet is "most prevalent" in Asia and South America

A previously-undocumented botnet has been expanding around the world for more than a year, targeting a range of Cisco, ASUS, QNAP, and Synology devices, experts have warned.

Cybersecurity researchers Sekoia observed the attacks on their honeypot, and used the information to detail the campaign, its infrastructure, and targets.

In its report, Sekoia said that as of late 2023, it spotted an unnamed threat actor targeting devices vulnerable to CVE-2023-20118 - an improper user input validation bug affecting different Cisco Small Business Routers. The flaw allowed them to execute arbitrary commands on the affected devices, pulling a malicious payload from a Huawei Cloud server located in Singapore. Digging deeper, Sekoia found traces of the campaign targeting devices from other manufacturers, as well. They named the botnet PolarEdge, and confirmed that at least 2,000 endpoints around the world were infected.

Endgame unknown

The botnet's goal is unknown at this time, the researchers said.

"The purpose of this botnet has not yet been determined. Cross-checking the IP addresses with our telemetry has not revealed any specific activity," the report reads.

Usually, cybercriminals would develop a network of infected devices to either run Distributed Denial of Service (DDoS) attacks, set up a residential proxy, run spam and phishing campaigns, spread malware, or engage in click fraud.

The majority of the victims are found in the US, but Sekoia says the botnet appears to be particularly prevalent in Asia and South America, although it cannot be certain if this was a deliberate move by the attackers, or just coincidence.

Despite infecting a relatively small amount of devices, Sekoia still deemed PolarEdge a dangerous threat.

"The botnet exploits multiple vulnerabilities across different types of equipment, highlighting its ability to target various systems," the report concludes.

The complexity of the payloads further underscores the sophistication of the operation, suggesting that it is being conducted by skilled operators. This indicates that PolarEdge is a well-coordinated and substantial cyber threat.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/cisco-asus-qnap-and-synology-devices-hijacked-to-major-botnet

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426
(c) 1994, bbs@darkrealms.ca