More than 5,500 edge devices from over 50 brands worldwide have been compromised and assembled into a large honeypot network by ViciousTrap, a suspected Chinese-speaking threat actor that has been launching daily exploitation attempts from a single IP address since March, Cyber Security News reports.
Most of the affected systems are in Macao, where unpatched D-Link DIR-850L routers remain in wide use, according to Sekoia.io. ViciousTrap gains initial access by exploiting CVE-2023-20118, a vulnerability in Cisco small-office/home-office (SOHO) routers that allows arbitrary commands and bash scripts to be executed. The attacker then uses ftpget to download a custom BusyBox wget binary, which handles communication with the command-and-control infrastructure, and exploits the same flaw a second time to deploy the NetGhost script. NetGhost redirects inbound traffic to attacker-controlled infrastructure, removes forensic artifacts from the device and notifies the operator of each successful compromise. Sekoia.io researchers say these findings point to the honeypot network's dual nature: it serves both as attack infrastructure and as an intelligence-gathering platform.