"Attacks Targeting Realtek SDK Vulnerability Ramping Up"

Palo Alto Networks recently warned of an increase in cyberattacks targeting CVE-2021-35394, a remote code execution (RCE) vulnerability in the Realtek Jungle SDK.  The vulnerability was disclosed in August 2021, and the vulnerability impacts hundreds of device types that rely on Realtek’s RTL8xxx chips, including routers, residential gateways, IP cameras, and Wi-Fi repeaters from 66 different manufacturers, including Asus, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.  The company noted that the bug allows unauthenticated attackers to execute code on vulnerable devices, gaining complete control over them.  The first in-the-wild attacks targeting CVE-2021-35394 were observed days after details of the bug were made public, with an estimated one million devices exposed to attacks at the time.  The company noted that as of December 2022, they observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022.  The end goal of many of the observed attacks was malware distribution, as threat groups are targeting the flaw in large-scale attacks aimed at Internet of Things (IoT) devices, which underscores the need for organizations to ensure that these devices are properly protected.  A Shodan search performed by Palo Alto Networks security researchers has revealed the existence of more than 80 different IoT device models from 14 unique vendors that have port 9034 open.  The researchers discovered that D-Link devices are the most popular devices (31 models), followed by LG (8) and Belkin and Zyxel (6 each).  According to Palo Alto Networks, while the impacted vendors might have released software updates to resolve the issue or mitigation recommendations for their users, many organizations continue to use vulnerable devices.  To date, the researchers observed three types of attacks: a script is used to fetch malware from a remote location, an injected command directly writes the payload to a file and executes it, or an injected command is used to cause a denial-of-service (DoS) condition.  Most of the observed malicious payloads are Mirai, Gafgyt, and Mozi malware variants.  A Golang-based distributed denial-of-service (DDoS) botnet called RedGoBot has been distributed as well, starting in early September 2022.  An analysis of the observed 134 million exploit attempts shows that 30 regions were the source of attacks, with the US leading the fray at 48.3%, followed by Vietnam at 17.8%, and Russia at 14.6%.

SecurityWeek reports: "Attacks Targeting Realtek SDK Vulnerability Ramping Up"