Attacks Targeting Realtek SDK Vulnerability Ramping Up

Palo Alto Networks warns of an increase in cyberattacks targeting CVE-2021-35394, a remote code execution (RCE) vulnerability in the Realtek Jungle SDK.

Disclosed in August 2021, the vulnerability impacts hundreds of device types that rely on Realtek’s RTL8xxx chips, including routers, residential gateways, IP cameras, and Wi-Fi repeaters from 66 different manufacturers, including Asus, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.

The bug allows unauthenticated attackers to execute code on vulnerable devices, gaining complete control over them.

The first in-the-wild attacks targeting CVE-2021-35394 were observed days after details of the bug were made public, with an estimated one million devices exposed to attacks at the time.

In a new report, Palo Alto Networks warns of an increase in attacks attempting to exploit the security defect.

“As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing,” Palo Alto Networks says.

The end goal of many of the observed attacks was malware distribution, as threat groups are targeting the flaw in large-scale attacks aimed at Internet of Things (IoT) devices, which underscores the need for organizations to ensure that these devices are properly protected.

A Shodan search performed by Palo Alto Networks security researchers has revealed the existence of more than 80 different IoT device models from 14 unique vendors that have port 9034 open.

Looking at mid-to-large sized deployments, the researchers discovered that D-Link devices are the most popular devices (31 models), followed by LG (8) and Belkin and Zyxel (6 each).

According to Palo Alto Networks, while the impacted vendors might have released software updates to resolve the issue or mitigation recommendations for their users, many organizations continue to use vulnerable devices.

To date, the researchers observed three types of attacks: a script is used to fetch malware from a remote location, an injected command directly writes the payload to a file and executes it, or an injected command is used to cause a denial-of-service (DoS) condition.

Most of the observed malicious payloads are Mirai, Gafgyt and Mozi malware variants. A Golang-based distributed denial-of-service (DDoS) botnet called RedGoBot has been distributed as well, starting early September 2022.

An analysis of the observed 134 million exploit attempts shows that 30 regions were the source of attacks, with the US leading the fray at 48.3%, followed by Vietnam with 17.8% and Russia at 14.6%.

“The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate. These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited,” Palo Alto Networks concludes.

Related: Most Cacti Installations Unpatched Against Exploited Vulnerability

Related: Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers

Related: Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day