In the world of cybersecurity, Malik Haidar stands out as a leading expert, particularly in the realm of protecting large enterprises from sophisticated threats. His unique approach incorporates business acumen into cybersecurity strategy, making him an influential voice in the field. Today, Malik discusses the intricate operations surrounding the elusive threat actor known as ViciousTrap.
Can you explain who the threat actor “ViciousTrap” is and what their recent activities involve?
ViciousTrap is a threat actor that has recently been making waves in the cybersecurity community. This group has compromised around 5,300 network edge devices in 84 countries, turning them into part of a honeypot-like network. Their activities involve exploiting a critical vulnerability in certain Cisco router models to divert network traffic and gather intelligence in a very clandestine manner.
What specific Cisco router models are affected by the vulnerability CVE-2023-20118?
The vulnerability CVE-2023-20118 specifically affects Cisco Small Business routers, including models RV016, RV042, RV042G, RV082, RV320, and RV325. These routers are widely used, thus making them a prime target for such exploitations.
How did ViciousTrap turn compromised devices into a global honeypot-like network?
ViciousTrap has cleverly used a shell script known as NetGhost to turn compromised routers into nodes of a global network. By redirecting specific network traffic to infrastructure under their control, they effectively create a honeypot that allows them to observe and intercept network flows without raising suspicion.
What role does the shell script “NetGhost” play in the ViciousTrap attack chain?
NetGhost is central to ViciousTrap’s operations. Once executed, this shell script redirects incoming traffic from specific routers to their infrastructure, allowing them to conduct Adversary-in-the-Middle attacks. It’s designed to remove evidence of its presence, thereby minimizing forensic traces and increasing stealth.
Is there a connection between ViciousTrap and the PolarEdge botnet? If so, what is the nature of this connection?
While there’s no conclusive evidence directly linking ViciousTrap and PolarEdge, nuances in their operations suggest some overlapping tactics. For instance, ViciousTrap has repurposed a web shell previously used by the PolarEdge botnet, indicating a potential intersection or similar operational methods.
Besides Cisco routers, what other types of internet-facing equipment are being breached by ViciousTrap?
ViciousTrap isn’t limiting their activities to Cisco routers alone. They are also targeting a wide range of internet-facing devices including SOHO routers, SSL VPNs, DVRs, and even BMC controllers from over 50 brands, such as ASUS, D-Link, and QNAP, as part of their expansive honeypot network.
How does ViciousTrap potentially collect non-public or zero-day exploits from their network?
By turning compromised devices into a honeypot, ViciousTrap can observe exploitation attempts across various environments. This setup enables them to potentially capture non-public vulnerabilities or zero-day exploits used by other attackers, thus giving them a broader arsenal for further attacks.
Describe the step-by-step sequence of the attack exploiting CVE-2023-20118.
The attack begins by exploiting CVE-2023-20118 to download and run a bash script via ftpget. This script contacts an external server to retrieve the wget binary. Then, the vulnerability is exploited again to run a second script obtained through wget. This script, NetGhost, redirects network traffic to their infrastructure, effectively setting up the honeypot network.
Where are the IP addresses used in the ViciousTrap campaign located, and who operates them?
The IP addresses used in this campaign are primarily located in Malaysia, part of an Autonomous System operated by the hosting provider Shinjiru. This centralized operation suggests a well-organized infrastructure supporting their global activities.
What assumptions have been made about the origin of the ViciousTrap actor and their infrastructure?
The speculation is that ViciousTrap may have links to a Chinese-speaking origin, based on some overlap with the GobRAT infrastructure and the routing of traffic to assets in Taiwan and the US. However, these assumptions are still under investigation as part of an ongoing analysis.
How does the follow-up analysis by GreyNoise shed new light on the ViciousTrap campaign?
GreyNoise’s follow-up revealed the scale and persistence of these operations, showing that the attackers have not only expanded their network but also maintained access over a long period. This insight underscores the sophistication and potential long-term goals of ViciousTrap.
How do GreyNoise’s findings suggest a connection between the ViciousTrap activity and the AyySSHush operation?
GreyNoise pointed out a shared IP address between ViciousTrap and the AyySSHush operation, suggesting they might be orchestrated by the same actor. This connection indicates a concerted effort to exploit and maintain access to various router models without detection.
What ASUS router models are reportedly involved in the AyySSHush operation?
In the AyySSHush operation, ASUS router models like RT-AC3100, RT-AC3200, and RT-AX55 have been targeted. These devices have become part of a botnet allowing for durable control without the need for custom malware deployment.
What tactics are used by the attackers to avoid detection and maintain long-term access?
The attackers exhibit a high degree of stealth by using legitimate system features for persistence, avoiding rootkit traces, and configuring changes that remain unaffected by firmware updates. Their tactics are consistent with those used by highly advanced threat actors known for long-term operations.
What mitigation strategies can users employ to protect against these attacks?
Users should ensure their routers are always up-to-date and patched, particularly against vulnerabilities like CVE-2023-39780. Additionally, checking router configurations for unusual settings, blocking known malicious IPs, and resetting devices to factory settings when necessary can prevent unauthorized access.
Do you have any advice for our readers?
Stay informed and proactive in securing your networks. The threat landscape is constantly evolving, and what’s secure today may not be tomorrow. Regular updates, vigilance for unusual activity, and comprehensive security audits are critical for defense against sophisticated cyber threats.