Cybersecurity researchers have identified a threat actor, tracked as ViciousTrap, that has compromised roughly 5,300 network edge devices in 84 countries. Exploiting a critical security flaw (CVE-2023-20118) in Cisco routers, with infections concentrated in regions such as Macau, ViciousTrap has turned these devices into a deceptive honeypot network. The infection relies on a shell script called NetGhost, which redirects traffic to the attacker's infrastructure, potentially capturing sensitive information and exploits across various environments. The same vulnerability was previously linked to another botnet, PolarEdge, though a connection between the two remains unproven.
The infection chain involves the execution of a shell script, dubbed NetGhost, which redirects incoming traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker's control, allowing them to intercept network flows.
This setup would allow the actor to observe exploitation attempts across multiple environments, potentially collect non-public or zero-day exploits, and reuse access obtained by other threat actors.
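As an added defender-side illustration, not code from the article or from the researchers it cites: a small Python check over a constructed NAT rule listing (in `iptables -t nat -S` style; it assumes the edge device's firmware exposes such a table, which the article does not state) that flags inbound port-forwards pointing outside the LAN, the traffic-diversion pattern NetGhost is described as implementing. The sample rules and the 203.0.113.0/24 destination are constructed placeholders (RFC 5737 documentation space), not indicators from the report.

```python
import ipaddress
import re

# Constructed sample in the style of `iptables -t nat -S`. This is NOT a capture
# from a real compromised device; 203.0.113.45 is RFC 5737 documentation space.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 203.0.113.45:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 203.0.113.45:8080
-A POSTROUTING -o eth0 -j MASQUERADE
"""

# Matches a DNAT rule: the inbound port it listens on and the address it forwards to.
DNAT_RE = re.compile(
    r"--dport (?P<port>\d+).*?-j DNAT --to-destination (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Networks a legitimate port-forward on a home/small-office router is expected to target.
DEFAULT_TRUSTED_NETS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")


def find_external_redirects(rules: str, trusted_nets=DEFAULT_TRUSTED_NETS):
    """Return (listen_port, destination) for each DNAT rule that forwards inbound
    traffic to an address outside the trusted internal networks.

    A normal port-forward sends inbound connections to a LAN host. A rule that
    sends them to an external address instead is the kind of diversion the
    article describes: traffic arriving at the router is handed to someone
    else's infrastructure. Treat a hit as something to investigate, not proof.
    """
    trusted = [ipaddress.ip_network(net) for net in trusted_nets]
    hits = []
    for line in rules.splitlines():
        match = DNAT_RE.search(line)
        if not match:
            continue
        dst = ipaddress.ip_address(match.group("dst"))
        if not any(dst in net for net in trusted):
            hits.append((int(match.group("port")), str(dst)))
    return hits


if __name__ == "__main__":
    for port, dst in find_external_redirects(SAMPLE_NAT_RULES):
        print(f"inbound port {port} is forwarded to external host {dst}")
```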