Security researchers at Sekoia have uncovered a sophisticated cyber espionage campaign where the threat actor group ViciousTrap has compromised over 5,300 edge network devices across 84 countries. The attackers have transformed these compromised devices into an extensive network of honeypots, designed to collect intelligence on emerging cyber attack methodologies and zero-day vulnerabilities.
Critical Cisco Vulnerability Exploitation
The attack primarily leverages CVE-2023-20118, a critical security vulnerability affecting multiple Cisco Small Business router models, including the RV016, RV042, RV042G, RV082, RV320, and RV325 series. Analysis reveals that Macau hosts the highest concentration of compromised devices, with approximately 850 affected units identified in the region.
Technical Infrastructure and Attack Methodology
Following successful exploitation, the threat actors deploy the NetGhost malware, a sophisticated script that redirects incoming network traffic from specific ports on compromised routers to attacker-controlled infrastructure. Security experts have identified significant overlaps between this campaign and the previously documented PolarEdge botnet, suggesting potential connections in their tactical approaches.
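As an added defender-side example (not code from Sekoia's report or from the article), the check below flags NAT rules that redirect inbound router ports to hosts outside the LAN, the redirection behaviour the article attributes to NetGhost. It assumes the redirect is implemented as iptables DNAT rules, which the article does not state, and runs over a constructed rule dump.

```python
"""Flag DNAT rules that forward inbound router ports to non-LAN hosts.
Assumption (not from the article): redirection is done via iptables DNAT.
The rule dump below is constructed, not a real capture."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `iptables -t nat -S PREROUTING` output on a router.
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 203.0.113.45:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 198.51.100.7:2222
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
"""

# Address ranges a LAN router would legitimately forward to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

DNAT_RE = re.compile(
    r"-A (?P<chain>\S+).*?--dport (?P<dport>\d+).*?-j DNAT --to-destination "
    r"(?P<dst>[\d.]+)(?::(?P<dst_port>\d+))?"
)

@dataclass(frozen=True)
class Finding:
    chain: str
    dport: int
    dst: str
    dst_port: Optional[int]

def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)

def find_external_redirects(rule_dump: str) -> list:
    """Return DNAT rules whose destination lies outside the LAN ranges.
    Forwarding an inbound port to an outside host is unusual for an edge
    router and matches the redirection pattern described for NetGhost."""
    findings = []
    for line in rule_dump.splitlines():
        m = DNAT_RE.search(line)
        if not m:
            continue  # not a DNAT rule (policy line, REDIRECT, etc.)
        dst = ipaddress.ip_address(m["dst"])
        if is_internal(dst):
            continue  # ordinary port forward to an internal host
        findings.append(Finding(m["chain"], int(m["dport"]), str(dst),
                                int(m["dst_port"]) if m["dst_port"] else None))
    return findings

if __name__ == "__main__":
    for f in find_external_redirects(SAMPLE_RULES):
        print(f"suspicious: {f.chain} dport {f.dport} -> {f.dst}:{f.dst_port}")
```

On a real device, feed it the output of `iptables -t nat -S PREROUTING` and review any hit against the router's intended port-forwarding configuration.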
Widespread Device Targeting
The investigation reveals that ViciousTrap’s campaign targets network equipment from more than 50 manufacturers, including Araknis Networks, Asus, D-Link, Linksys, and Qnap. The attack surface encompasses various device types, from consumer routers and SSL-VPN gateways to DVR systems and BMC controllers, demonstrating the campaign’s comprehensive scope.
Attribution and Infrastructure Analysis
Technical evidence points to attack operations originating from IP addresses associated with Malaysian hosting provider Shinjiru (AS45839). Researchers have identified infrastructure overlaps with the known GobRAT malware family and observed significant command-and-control server presence in Taiwan and the United States, suggesting possible Chinese state-sponsored involvement.
The unprecedented scale of this cyber espionage campaign represents a significant evolution in threat actor capabilities. By establishing this extensive honeypot network, ViciousTrap has created a sophisticated early warning system for detecting new attack techniques and zero-day vulnerabilities. This infrastructure enables the group to monitor other threat actors’ activities and capture previously unknown exploit code, presenting a substantial risk to global cybersecurity posture. Organizations are advised to implement robust network monitoring solutions and ensure all edge devices maintain current security patches to mitigate potential compromise.