Heimdal Security Blog

Hundreds of Thousands of Devices Using Realtek SDK Targeted by Mirai Botnet

A severe flaw discovered in the software SDK used by hundreds of thousands of Realtek-based devices is now being abused by a Mirai-based botnet.

The vulnerability, discovered by researchers at IoT Inspector, is tracked as CVE-2021-35395 and carries a 9.8/10 severity rating. CVE-2021-35395 covers six distinct bugs and is being exploited in the wild to distribute a variant of the Mirai IoT malware.

Who Was Impacted?

The researchers identified roughly 65 affected vendors and manufacturers and almost 200 affected device models. Among the vendors are ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE, and Zyxel; the complete list is in IoT Inspector's advisory.

According to the IoT Inspector advisory, the affected devices include residential gateways, travel routers, Wi-Fi repeaters, IP cameras, smart lighting gateways, and connected toys.

Because the vulnerability sits in the devices' management web interface, a remote attacker can execute arbitrary code on devices that have not been patched and take full control of them.
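The bug class behind this, a value from a web form spliced into a shell command by the management interface, is easy to show in miniature. The following is an added illustration and not code from Realtek's SDK or from any affected device: a hypothetical "diagnostic ping" CGI handler, first in the vulnerable shape and then hardened with an allowlist and a shell-free exec. The handler names, the form value and the attacker input are all constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Hypothetical "diagnostic ping" handler of an embedded management web UI.
 * `host` stands for a value taken straight from an HTTP form field.
 * (Constructed example; not the Realtek SDK's code.)
 */

/* VULNERABLE pattern: the untrusted field is spliced into a shell command
 * line that the device would then hand to system(). Anything the attacker
 * appends after ';', '|', '&&' or inside `...` runs as the web server's
 * user, which on most consumer gear is root. This function only builds the
 * string so the result can be inspected without executing anything.
 * Returns the length of the command line that would have been run. */
size_t build_ping_command_vulnerable(const char *host, char *out, size_t n)
{
    int len = snprintf(out, n, "ping -c 1 %s", host);
    return len < 0 ? 0 : (size_t)len;
}

/* Allowlist check for a hostname or dotted-quad IPv4 literal: 1..253 chars,
 * only [A-Za-z0-9.-], labels of 1..63 chars, no label starting or ending
 * with '-', no empty label. Every shell metacharacter fails this test, and a
 * leading '-' is rejected so the value can never be parsed as an option by
 * the program it is passed to. Returns 1 if safe, 0 otherwise. */
int host_is_safe(const char *host)
{
    size_t len, label = 0;
    if (host == NULL) return 0;
    len = strlen(host);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* empty label ("a..b", leading '.') or label ending in '-' */
            if (label == 0 || host[i - 1] == '-') return 0;
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return 0;
        if (label == 0 && c == '-') return 0;   /* label starting with '-' */
        if (++label > 63) return 0;
    }
    return label > 0 && host[len - 1] != '-';   /* no trailing '.' or '-' */
}

/* HARDENED handler: validate first, then execute without a shell. execvp()
 * receives the host as one argv element, so no metacharacter is ever
 * interpreted. Returns the child's exit status, or -1 if the input was
 * rejected or the process could not be started. */
int ping_hardened(const char *host)
{
    if (!host_is_safe(host)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);                               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker input: a plausible address with a command appended. */
    const char *hostile = "8.8.8.8; cat /etc/passwd";
    char cmd[256];

    build_ping_command_vulnerable(hostile, cmd, sizeof cmd);
    printf("vulnerable handler would run : %s\n", cmd);
    printf("hardened handler accepts it  : %s\n", host_is_safe(hostile) ? "yes" : "no");
    printf("hardened handler accepts 8.8.8.8: %s\n", host_is_safe("8.8.8.8") ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is the combination: an allowlist that rejects everything but the expected character set, and an execution path that never goes through a shell. Either measure alone leaves a gap (a denylist of metacharacters is easy to get wrong, and a shell-free exec still lets a leading '-' be read as an option), which is why the example does both.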

Although Realtek shipped a patched version of the affected SDK only a few days before the IoT Inspector advisory, owners of affected devices had little time to apply the fix before exploitation began.

According to BleepingComputer, a Mirai botnet began scanning for devices unpatched against CVE-2021-35395 shortly after IoT Inspector published details of the vulnerability.

As of August 18th, we have identified attempts to exploit CVE-2021-35395 in the wild.

Source

The network security firm SAM Seamless Network states that the devices running the vulnerable Realtek SDK most commonly targeted by this botnet are:

These devices are mostly used to increase Wi-Fi reception.

Earlier this month, Juniper Threat Labs researchers began noticing attempts to exploit CVE-2021-20090, a path traversal bug in router firmware made by a Taiwanese network solutions provider (Arcadyan) that affects at least 20 vendors shipping routers based on it.

According to Juniper Networks, this attacker has been active since at least February.

This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly.

These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.

Source