Mirai botnet targets several devices using Realtek SDK

A Mirai-based botnet is now targeting a critical vulnerability in the software SDK used by hundreds of thousands of Realtek-based devices, including 200 models from at least 65 vendors such as Asus, Belkin, D-Link, Netgear, Tenda, ZTE, and Zyxel.

The security flaw discovered by IoT Inspector security researchers is now known as CVE-2021-35395 and has a severity rating of 9.8/10.

It affects a wide range of Internet-connected wireless devices, from residential gateways and travel routers to Wi-Fi repeaters, IP cameras, smart lighting gateways, and connected toys.

Remote attackers can scan for exposed management web interfaces and exploit the flaw to execute arbitrary code on unpatched devices, giving them full control of the affected hardware.

Realtek released a fixed version of the vulnerable SDK on August 13, three days before IoT Inspector's researchers published their advisory, giving users of vulnerable devices very little time to apply the patch.

A Mirai botnet began hunting for devices unpatched against CVE-2021-35395 on August 18, only two days after IoT Inspector revealed details of the flaw, according to network security firm SAM Seamless Network.

“As of August 18th, we have identified attempts to exploit CVE-2021-35395 in the wild,” SAM stated in a report released last week.

According to SAM, the Realtek SDK-based devices most commonly targeted by this botnet are the Netis E1+ extender, the Edimax N150 and N300 Wi-Fi routers, and the Repotec RP-WR5444 router, all of which are used to improve Wi-Fi reception.

The threat actor behind this Mirai-based botnet additionally updated their scanners over two weeks ago to target a serious authentication bypass vulnerability (CVE-2021-20090) that affects millions of Arcadyan-based home routers.

This threat actor has been targeting network and IoT devices since at least February, according to Juniper Threat Labs researchers at the time.

“This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly,” said Omri Mallis, chief product architect at SAM Seamless Network.

“These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.”

The full list of affected devices is too large to embed here; however, it is available at the end of the IoT Inspector report.