PolarEdge: Unveiling an uncovered ORB network
Essential information
- Published: 25/02/2025 10:03
- Modified: 25/02/2025 12:12
- Tags: 2025-02-25, CVE-2023-20118, asus, botnet, cipher_log, cisco, edge devices, infrastructure analysis, polaredge, qnap, synology, tls backdoor, vulnerability exploitation
- Related entities: 1 vulnerability (CVE), 31 observables, 16 techniques (MITRE), 2 malware, 2 others
Description
An analysis of the PolarEdge backdoor and its associated botnet reveals a sophisticated cyber threat targeting edge devices. The botnet exploits vulnerabilities in Cisco, Asus, QNAP and Synology devices and uses a TLS-based backdoor to maintain control of them. Active since at least late 2023, PolarEdge has infected over 2,000 devices globally, with a significant presence in Asia and South America. The operators run a complex infrastructure for payload delivery and command and control, using multiple domains and IP addresses. While the botnet's ultimate purpose remains unclear, the compromised devices are suspected to serve as Operational Relay Boxes (ORBs) for launching offensive cyber attacks. The sophistication of the operation points to skilled operators behind this extensive and well-coordinated threat.