Realtek SDK bugs targeted to spread Mirai bot variant
The vulnerabilities are thought to affect about 200 IoT product lines offered by at least 65 hardware manufacturers
Cyber actors are attempting to exploit multiple security vulnerabilities in Realtek software development kits (SDKs) to spread a variant of the Mirai botnet, researchers have warned.
Researchers at German cybersecurity firm IoT Inspector found the flaws, which affect a range of devices from IP cameras to residential gateways, travel routers, smart lightning gateways, Wi-Fi repeaters and connected toys.
The bugs are indexed as CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, and CVE-2021-35395 and are thought to affect about 200 IoT product lines offered by at least 65 hardware manufacturers.
Researchers at SAM Seamless Network said they have observed a Mirai-based botnet scanning the web for unpatched devices, just two days after the public disclosure of the critical vulnerabilities.
"One of the vulnerabilities disclosed, CVE-2021-35395, affects the web interface that is part of the SDK, and is a collection of six different vulnerabilities. As of August 18th, we have identified attempts to exploit CVE-2021-35395 in the wild," Omri Mallis, chief product architect at SAM Seamless Network, said.
"Specifically, we noticed exploit attempts to 'formWsc' and 'formSysCmd' web pages."
Mallis said researchers at Palo Alto Networks first noticed this particular Mirai infection strain in March.
Juniper Networks researchers also observed the malware trying to exploit a new vulnerability earlier this month.
"The webserver serving the Mirai botnet uses the same network subnet, indicating that the same attacker is involved in both incidents," Mallis said.
The chain of events suggests that threat actors are "actively looking for command injection vulnerabilities" in an effort to spread malware quickly, he warned.
These kinds of bugs can be easily exploited and integrated into existing hacking frameworks, well before vulnerable devices are patched.
Mirai is a notorious IoT and router malware, which has spread in various forms for the last five years. It has been responsible for some of the largest distributed denial-of-service (DDoS) attacks ever seen.
Mirai takes advantage of old and out-of-date iterations of Linux running CCTV DVRs, webcams, routers and other low-cost IoT devices, to infect them with malware capable of granting even unsophisticated attackers control over networks of hundreds of thousands of devices.
In 2016, the Mirai botnet delivered massive DDoS attacks against KrebsOnSecurity and French web hosting provider OVH.
The same year, a Mirai botnet attacked the Dyn DNS service, sending enormous amount of traffic to DNS servers used for authorisation.
In 2019, experts from Palo Alto Networks' Unit 42 said that they had discovered a new variant of Mirai malware targeting enterprise-focused devices, rather than the more vulnerable consumer IoT devices.