Threat actors zeroing in on command injection vulnerabilities reported in Realtek chipsets just days after multiple flaws were discovered in the software developers kits (SDK) deployed across at least 65 separate vendors.
On Aug. 16 multiple Realtek vulnerabilities were disclosed by IoT Inspector Research Lab. It took about 48 hours for attackers to start trying to exploit them. SAM Seamless Network reported two days after the bugs were made public, attackers made “multiple” attempts breach the company’s Secure Home product to spread a new version of Mirai malware.
“Specifically, we noticed exploit attempts to ‘formWsc’ and ‘formSysCmd’ web pages,” SAM’s report on the incident said. “The exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks. Mirai is a notorious IoT and router malware circulating in various forms for the last 5 years. It was originally used to shut down large swaths of the internet but has since evolved into many variants for different purposes.”
The report goes on to link another similar attack to the attack group. On Aug. 6 Juniper Networks found a vulnerability that just two days later was also exploited to try and deliver the same Mirai botnet using the same network subnet, the report explained.
“This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly,” SAM said. “These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.”
Realtek Semiconductor Corp. has not yet responded to Threatpost’s request for comment, but the company did release this advisory on CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, CVE-2021-35395,
Mirai’s source code has exploded in popularity over the years, with more than 60 variants observed in the wild by last March. That number is still climbing with this latest iteration tailored to target the Realtek SDK flaws.
Devices Targeted
Considering the number of vendors impacted, researchers are concerned threat actors have ample first-move opportunities to exploit the bug before patches are deployed.
SAM said the devices most exposed to the Realtek SDK bug are:
- Netis E1+ extender
- Edimax N150 and N300 Wi-Fo router
- Repotec RP-WR5444 router
The original IoT Inspector report linked this kind of vulnerability to recent supply chain attacks on SolarWinds and Kaseya.
“As awareness for supply chain transparency is on the rise among security experts, this example is a pretty good showcase of the vast implications of an obscure IoT supply chain, The IoT Inspector report said.
Just a day after the Realtek revelations, Mandiant in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), reported a flaw in IoT cloud platform ThroughTek Kalay. The vulnerability would have potentially allowed an attacker to take over an IoT device to listen to live audio, watch real-time video and more.
“These types of vulnerabilities are surfacing every day and there are probably many more that have yet to be discovered…,” SAM’s Ran Hananel told Threatpost by email.
Securing IoT
Yaniv Bar-Dayan, co-founder of Vulcan Cyber told Threatpost that IoT security in inherently tricky because often it’s not clear who is responsible for the data.
“While the responsibility to bring bug fixes and patches to market should lie on the shoulders of vendors, users should be sure to rely on tried-and-true security best practices in the meantime,” Bar-Dayan said. “Encrypt data, use sophisticated and unique passwords or multi-factor authentication, don’t broadcast your network ID, double check configurations, and, above all else, patch early and often.”
Besides patching, Jake Williams at BreachQuest recommends limiting web interface access to the local network.
“That won’t stop attacks but does limit where they can be conducted from,” Williams said. “This is particularly true for administrative interfaces.”
It’s also up to developers to know the code their using is secure. A Software Bill of Materials (SBOMs) are one solution being pushed by the U.S. government in the wake of the SolarWinds breach.
“Developers of any type of software like to use SDKs because it enables them to implement capabilities into their software without having to build it themselves,” Hank Schless from Lookout told Threatpost. “This is broadly practiced, and there’s a level of implicit trust that developers have in those that build these SDKs that everything packaged inside of them will be safe. However, just like with any other type of software, SDKs have their inevitable flaws.”