The cybersecurity world is abuzz with the latest revelations from researchers about a threat actor known as ViciousTrap, who has infiltrated over 5,300 network edge devices across 84 countries. These compromised devices, which include widely used Cisco routers, have been turned into part of a vast honeypot network. The attack exploits a critical vulnerability in Cisco's Small Business routers, CVE-2023-20118, to capture and manipulate traffic. As cybersecurity experts dig into the details, the full extent of the damage and the potential risks are becoming clearer.
The Cyberattack
Researchers discovered that ViciousTrap exploited a severe vulnerability affecting multiple Cisco Small Business routers. The attackers leveraged CVE-2023-20118 to infect these devices and transform them into part of a honeypot-like infrastructure, where they could observe and collect data without the knowledge of the device owners. The majority of infections were found in Macau, where approximately 850 devices were compromised.
The attack chain starts with the execution of a malicious shell script named NetGhost, which redirects incoming network traffic to the attacker's infrastructure. This redirection enables adversary-in-the-middle (AitM) attacks and allows the attacker to capture valuable network flow data. The script also includes a mechanism to remove itself from the infected device to avoid detection.
Interestingly, this attack is related to previous incidents involving a different botnet, PolarEdge, which also exploited CVE-2023-20118. Although there's no direct link between ViciousTrap and PolarEdge, the tactics and tools used by ViciousTrap indicate a deliberate attempt to create a broad, multi-layered surveillance network. Devices from over 50 different brands, including ASUS, D-Link, and QNAP, have been infected, suggesting that the attackers are targeting a wide range of internet-connected devices, from routers to DVRs and SSL VPNs.
The purpose of this massive honeypot setup appears to be twofold: intercepting exploitation attempts and potentially gathering zero-day vulnerabilities or other exploits. By analyzing traffic from multiple environments, the attackers can learn from exploitation attempts and enhance their malicious infrastructure. This operation is being carried out with IP addresses from Malaysia, raising suspicions about the geographical origin of the threat actor.
What Undercode Says:
The ViciousTrap cyberattack is a sophisticated operation designed to gather intelligence and enhance the attacker’s arsenal. By setting up a honeypot-style network across thousands of compromised devices, the attackers are positioning themselves to observe exploitation attempts from other malicious actors, allowing them to collect valuable insights. This could include sensitive data from targets around the globe, potentially giving the threat actor access to high-value networks or even zero-day exploits.
The attackers are using a multi-stage exploit chain that starts with CVE-2023-20118 and escalates with the deployment of NetGhost, which redirects network traffic. This setup allows the attacker to observe communications, potentially capturing exploit attempts and other types of sensitive data. The fact that this attack appears to be coming from Malaysia and targets a wide variety of devices across the globe suggests that ViciousTrap could be a state-backed or highly organized group with a long-term strategic goal.
One of the most alarming aspects of the attack is the targeting of consumer-grade devices such as routers and DVRs. This strategy allows the attackers to access smaller, less-secure networks, which are often overlooked by traditional defense mechanisms. Given the widespread nature of the infections, it is clear that ViciousTrap is aiming to collect large volumes of data over time, making it a formidable threat to both consumers and businesses alike.
The use of self-deleting scripts like NetGhost is another red flag. By erasing traces of the attack from the compromised devices, ViciousTrap is significantly complicating efforts to trace and understand the full scope of the damage. As such, this threat actor's activities are difficult to track, making it a persistent danger for anyone with vulnerable devices connected to the internet.
With the growing reliance on internet-connected devices, attacks like ViciousTrap's underscore the importance of securing edge devices and patching vulnerabilities as soon as they are discovered. It's also a reminder of the growing sophistication of modern cyberattacks and the need for multi-layered defense strategies.
Fact Checker Results:
Cisco Routers Vulnerability: Confirmed that CVE-2023-20118 is a real vulnerability affecting Cisco Small Business routers. Multiple models are affected.
Global Infections: Accurate reporting of infections across 84 countries, with Macau having the highest concentration of compromised devices.
Honeypot Purpose: It's validated that the attacker's goal seems to be creating a honeypot-style network for data collection, as evidenced by the redirecting of network traffic to the attacker's servers.
Prediction:
As the ViciousTrap operation evolves, it is likely that we will see an increase in attacks targeting small office/home office (SOHO) devices. With cybercriminals becoming more adept at exploiting vulnerabilities in consumer-grade equipment, this could lead to more sophisticated attacks on home networks and small businesses. Furthermore, as attackers continue to refine their honeypot techniques, they may begin to target critical infrastructure or larger enterprise systems by leveraging data gathered from these smaller, less-secure devices.
References:
Reported By: thehackernews.com