Stratos Ally

Global Cisco Router Breach: ViciousTrap Hackers Compromise 5,300 Devices in 84 Countries


StratosAlly


Cybersecurity experts have found that a hacker group known as ViciousTrap has taken control of around 5,300 internet-connected devices, mostly Cisco routers, used by small businesses across 84 countries.

The hackers used a serious security bug called CVE-2023-20118, found in certain Cisco router models (RV016, RV042, RV042G, RV082, RV320, and RV325) to break into these devices. The highest number of affected devices—850—has been reported in Macau.

Sekoia said once the hackers gain access, they run a program called NetGhost on the routers. This program changes how the routers handle internet traffic, redirecting certain data to servers controlled by the hackers. This setup acts like a honeypot, a fake system designed to lure and monitor other network traffic, giving hackers a way to spy on data passing through.

The security flaw CVE-2023-20118 was earlier linked to a different hacker network called PolarEdge, according to a French cybersecurity company. But there’s no clear evidence that ViciousTrap and PolarEdge are working together.

Researchers believe ViciousTrap is creating a large number of fake systems (honeypots) by breaking into many types of internet-connected devices, not just Cisco routers. These include home and small business routers, VPN devices, security cameras (DVRs), and server management tools from over 50 different brands, such as Araknis Networks, ASUS, D-Link, Linksys, and QNAP.

This setup allows the hacker group to monitor global hacking attempts, gather intelligence on undisclosed (zero-day) vulnerabilities, and even reuse unauthorized access obtained by other hackers.

The attack works like this: 

They use Cisco vulnerability CVE-2023-20118 to run a script on the device.

This script uses a tool called ftpget to download another tool, wget, from an external server. 

Then, they use the Cisco bug again, this time to run a second script using the downloaded wget tool. 

This layered process helps them take over the device and redirect its traffic to their honeypot system. 
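The two-step download chain above (ftpget first, then wget) leaves a network-visible footprint a defender can watch for. The following is an added example, not code from the article or from Sekoia: it scans constructed connection records from a sensor in front of a small-business router and flags management-interface hits from the source addresses named in the article, plus the router itself making an outbound FTP connection followed shortly by an outbound HTTP fetch. The log format, the router address, the ten-minute window, and the assumption that the web management interface sits on ports 80/443 are all assumptions made for this example.

```python
"""Added example: flag the staging pattern described in the article in
constructed perimeter connection logs. Log format, hosts, and the
time window are constructed assumptions, not a real Cisco log format."""
from datetime import datetime, timedelta

# Source addresses reported in the article (defanged there as 101.99.91[.]151 / [.]239)
KNOWN_SOURCES = {"101.99.91.151", "101.99.91.239"}
MGMT_PORTS = {80, 443}            # assumed: router web management ports
STAGING_WINDOW = timedelta(minutes=10)  # assumed: max gap between ftpget and wget stages

def parse(line):
    # constructed format: "<ISO time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
    ts, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), sip, int(sport), dip, int(dport)

def detect(lines, router_ip):
    """Return (alert_type, timestamp, peer) tuples for suspicious records."""
    alerts = []
    ftp_seen = None   # time of the most recent outbound FTP from the router
    for line in lines:
        ts, sip, sport, dip, dport = parse(line)
        # 1. management-interface access from a source address named in the article
        if dip == router_ip and dport in MGMT_PORTS and sip in KNOWN_SOURCES:
            alerts.append(("known-source-mgmt-access", ts, sip))
        # 2. router-initiated FTP (ftpget stage) followed by HTTP (wget stage)
        if sip == router_ip and dport == 21:
            ftp_seen = ts
        elif (sip == router_ip and dport == 80 and ftp_seen is not None
              and ts - ftp_seen <= STAGING_WINDOW):
            alerts.append(("ftp-then-http-staging", ts, dip))
            ftp_seen = None
    return alerts

# Constructed sample: 192.0.2.1 is the router, 198.51.100.7 a staging host
SAMPLE_LOG = [
    "2025-05-20T10:00:00 101.99.91.151:51234 -> 192.0.2.1:443",
    "2025-05-20T10:00:05 192.0.2.1:40001 -> 198.51.100.7:21",
    "2025-05-20T10:00:40 101.99.91.151:51240 -> 192.0.2.1:443",
    "2025-05-20T10:01:10 192.0.2.1:40002 -> 198.51.100.7:80",
    "2025-05-20T11:30:00 203.0.113.9:5555 -> 192.0.2.1:443",  # ordinary admin login, no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "192.0.2.1"):
        print(*alert)
```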

In the second stage, the attack features a script known as NetGhost. This script is used to redirect internet traffic from the hacked device to servers controlled by the attackers. This allows the attacker to quietly monitor or tamper with the traffic, similar to what’s known as a man-in-the-middle attack. NetGhost can also delete itself from the device after it runs, making it harder for investigators to trace it.

According to cybersecurity company Sekoia, all the hacking attempts came from the same IP address: 101.99.91[.]151. The first signs of this activity were seen in a different botnet attack called PolarEdge. 

Researchers Felix Aime and Jeremy Scion explained that the NetGhost tool supports the idea that the attackers are mainly trying to watch and collect hacking attempts and secret tools used by others. By rerouting traffic through their own systems, they can secretly gather valuable data as it passes by without being noticed.

Recently, ASUS routers have also been targeted by hackers, who are now using a separate IP address—101.99.91[.]239. However, unlike the earlier attacks, they did not set up honeypots on these newly infected devices. 

All the IP addresses used in the attacks so far originate from Malaysia and belong to a network called AS45839, which is run by a hosting company named Shinjiru. 

Experts believe the hacker group may speak Chinese, based on subtle similarities to a known Chinese tool called GobRAT, and because the stolen internet traffic is being redirected to servers in Taiwan and the U.S. 

In the end, cybersecurity firm Sekoia says the main goal of the group is still unclear, but they are confident the attackers are building a network of fake systems (honeypots) to secretly gather information.
