In early 2025, cybersecurity firm Sekoia uncovered a sophisticated malware campaign targeting edge devices from Cisco, ASUS, QNAP, and Synology. In the campaign, dubbed the "PolarEdge" botnet, attackers exploited a critical vulnerability (CVE-2023-20118) in Cisco Small Business routers, which had reached end-of-life status and remained unpatched. The attackers deployed a previously undocumented TLS backdoor, enabling remote command execution and persistent access. The malware propagated via FTP, establishing a foothold in over 2,000 devices worldwide, with significant concentrations in the United States, Taiwan, and Russia. This campaign highlights the risks associated with outdated and unmonitored edge infrastructure.
For Details:
https://thehackernews.com/2025/02/polaredge-botnet-exploits-cisco-and.html?utm
Post-incident STRIKE Assessment – PolarEdge Botnet Exploitation
S – Security
The targeted devices suffered from unpatched vulnerabilities, particularly in end-of-life Cisco routers lacking security updates. The absence of encryption and outdated firmware rendered these devices susceptible to exploitation.
T – Trust
The exploitation of widely used devices from reputable vendors undermined trust in their security posture. The lack of transparency regarding firmware integrity and update mechanisms further eroded confidence.
R – Reliability
Once compromised, the devices failed to maintain reliable operations, allowing persistent unauthorized access. The malware's ability to establish a TLS backdoor and execute arbitrary commands disrupted normal device functionality.
I – Intrusion
The attackers leveraged a critical vulnerability to gain unauthorized access, deploying malware that enabled remote command execution. The widespread nature of the attack increased the likelihood of intrusion across various networks.
K – Knowledge
Organizations lacked visibility into the compromised devices, with insufficient logging and monitoring capabilities. The stealthy nature of the malware allowed it to operate undetected, hindering timely detection and response.
E – Exploitation
The compromised devices served as entry points for broader network infiltration, allowing attackers to propagate malware and potentially disrupt services. The strategic position of these devices at network perimeters amplified the potential for extensive exploitation.
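The "Knowledge" finding above is a monitoring gap: nothing watched what the edge devices were doing. The following is an added example, not code from the original write-up or from Sekoia, showing the kind of rule a defender could run over connection-summary logs to surface the two behaviours the summary attributes to PolarEdge on an edge device: the device itself opening FTP sessions, and TLS being accepted on the device on a port other than its known management port. The log lines, the device inventory, the CSV field order and the "expected admin port" per device are all constructed assumptions for the example.

```javascript
// Added example (not from the page or the vendor report): flag edge devices that
// behave as FTP clients, or that accept TLS on a port other than their admin port.
// Inventory of edge devices and their legitimate management ports (assumed).
const EDGE_DEVICES = new Map([
  ['192.0.2.1', { model: 'small-business-router', adminPorts: new Set([443]) }],
  ['192.0.2.2', { model: 'nas', adminPorts: new Set([5001]) }],
]);

// Constructed connection-summary lines, one flow per line:
// ts,src,sport,dst,dport,proto,service  (field order is an assumption)
const SAMPLE_LOG = `
2025-02-10T08:00:01Z,198.51.100.7,51234,192.0.2.1,443,tcp,ssl
2025-02-10T08:00:05Z,192.0.2.1,41000,203.0.113.9,21,tcp,ftp
2025-02-10T08:00:09Z,198.51.100.8,51300,192.0.2.1,8443,tcp,ssl
2025-02-10T08:01:00Z,198.51.100.9,52000,192.0.2.2,5001,tcp,ssl
2025-02-10T08:01:30Z,192.0.2.2,41001,203.0.113.9,21,tcp,ftp
2025-02-10T08:02:00Z,198.51.100.9,52001,192.0.2.2,5001,tcp,ssl
`.trim();

// Parse the CSV-style summary into flow records; malformed lines are skipped.
function parseConnLog(text) {
  const records = [];
  for (const line of text.split('\n')) {
    const fields = line.trim().split(',');
    if (fields.length !== 7) continue;
    const [ts, src, sport, dst, dport, proto, service] = fields;
    records.push({ ts, src, sport: Number(sport), dst, dport: Number(dport), proto, service });
  }
  return records;
}

// Apply the two rules. An edge device should never be the *client* side of an
// FTP session, and it should only accept TLS on its documented admin port(s).
function findEdgeAnomalies(records, inventory = EDGE_DEVICES) {
  const findings = [];
  for (const r of records) {
    const asClient = inventory.get(r.src);
    if (asClient && r.service === 'ftp') {
      findings.push({ rule: 'edge-device-ftp-client', device: r.src, peer: r.dst, ts: r.ts });
    }
    const asServer = inventory.get(r.dst);
    if (asServer && r.service === 'ssl' && !asServer.adminPorts.has(r.dport)) {
      findings.push({ rule: 'unexpected-tls-listener', device: r.dst, port: r.dport, ts: r.ts });
    }
  }
  return findings;
}

// Convenience entry point: run the rules over the embedded sample.
function analyzeSample() {
  return findEdgeAnomalies(parseConnLog(SAMPLE_LOG));
}

for (const f of analyzeSample()) console.log(JSON.stringify(f));
```

The second rule needs an accurate inventory of which ports each device legitimately serves; if that list is stale, a firmware update that moves the admin UI will trip it, so treat hits as review items rather than automatic blocks.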
Chinese hackers breached the Treasury Department's Office of Foreign Assets Control (OFAC), a critical office overseeing U.S. economic sanctions, and the Office of the Treasury Secretary, accessing unclassified but sensitive documents. The intrusion, enabled by a compromised security key from a third-party contractor, BeyondTrust, highlights persistent vulnerabilities in government cybersecurity. OFAC's records, including information used to develop sanctions against foreign entities, could provide Beijing valuable intelligence. The breach underscores China's broader strategy of leveraging cyber operations for economic, technological, and geopolitical advantage amid escalating tensions with the U.S. over issues like trade and Taiwan. The breach was detected on December 8, 2024.
For Details:
In March 2022, a significant incident occurred involving the node-ipc package, a widely used Node.js library. The maintainer of this package introduced a new dependency named peacenotwar, which contained code designed to overwrite files on machines with IP addresses originating from Russia or Belarus. This action was a form of protest against the Russian invasion of Ukraine. The malicious code specifically targeted these regions, deleting files and leaving behind a text file with a protest message.
The impact of this sabotage was extensive, as node-ipc is a dependency in numerous projects, including the popular front-end framework Vue.js. Developers using Vue.js and other affected projects found their applications compromised without prior warning. This incident highlighted the vulnerabilities inherent in the software supply chain, emphasizing the need for developers to exercise caution when incorporating third-party dependencies into their projects. It also sparked a broader discussion about the ethics of introducing "protestware" into widely used software libraries.
For Details:
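The node-ipc incident turned on a new transitive dependency appearing in a routine version bump. The following is an added example, not code from the original page or from the node-ipc project, of a check a team could run in CI: it compares two lockfile snapshots and reports packages that are new, packages whose version changed, and new dependency edges, so that a surprise addition is reviewed before install. The two lockfiles are constructed samples in the package-lock.json "packages" shape; the version numbers and resolved URLs are illustrative and are not the real node-ipc release history.

```javascript
// Added example (not the page's or the project's code): diff two npm lockfiles
// and surface additions that should be reviewed before they are installed.
// Constructed "before" snapshot: root project depends on node-ipc only.
const LOCK_BEFORE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'node-ipc': '^10.1.0' } },
    'node_modules/node-ipc': { version: '10.1.0', dependencies: { 'event-pubsub': '4.3.0' } },
    'node_modules/event-pubsub': { version: '4.3.0' },
  },
};

// Constructed "after" snapshot: node-ipc bumped and it now pulls in a new package.
const LOCK_AFTER = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'node-ipc': '^10.1.0' } },
    'node_modules/node-ipc': { version: '10.1.1', dependencies: { 'event-pubsub': '4.3.0', peacenotwar: '9.1.2' } },
    'node_modules/event-pubsub': { version: '4.3.0' },
    'node_modules/peacenotwar': { version: '9.1.2' },
  },
};

// Map each installed package path to its name, version and direct dependencies.
// The root entry ('') describes the project itself and is skipped.
function indexPackages(lock) {
  const index = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // handles nested and @scoped paths
    index.set(path, { name, version: meta.version, deps: Object.keys(meta.dependencies || {}) });
  }
  return index;
}

// Report what changed between the two snapshots.
function diffLockfiles(before, after) {
  const a = indexPackages(before);
  const b = indexPackages(after);
  const added = [], changed = [], newEdges = [];
  for (const [path, pkg] of b) {
    const prev = a.get(path);
    if (!prev) {
      added.push({ name: pkg.name, version: pkg.version });
      continue;
    }
    if (prev.version !== pkg.version) changed.push({ name: pkg.name, from: prev.version, to: pkg.version });
    for (const dep of pkg.deps) {
      if (!prev.deps.includes(dep)) newEdges.push({ parent: pkg.name, dep });
    }
  }
  return { added, changed, newEdges };
}

// Names of newly added packages that are not on a pre-approved allowlist;
// a non-empty result is a reason to fail the pipeline pending human review.
function packagesNeedingReview(diff, allowlist = new Set()) {
  return diff.added.filter(p => !allowlist.has(p.name)).map(p => p.name);
}

const report = diffLockfiles(LOCK_BEFORE, LOCK_AFTER);
console.log(JSON.stringify(report, null, 2));
console.log('needs review:', packagesNeedingReview(report));
```

The point of keying on the lockfile rather than package.json is that the root manifest did not change at all in the constructed case; only the resolved tree did, which is exactly where a new transitive package shows up.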
Content courtesy of DarkBlue