[TheRecord] Hundreds of thousands of Realtek-based devices under attack from IoT botnet

A dangerous vulnerability in Realtek chipsets used in hundreds of thousands of smart devices from at least 65 vendors is currently under attack from a notorious DDoS botnet gang.

The attacks started last week, according to a report from IoT security firm SAM, and began just three days after fellow security firm IoT Inspector published details about the vulnerability on its blog.

Vulnerability impacts little-known but very popular Realtek SoC

Tracked as CVE-2021-35395, the vulnerability is part of four issues IoT Inspector researchers found in the software development kit (SDK) that ships with multiple Realtek chipsets (SoCs).

These chips are manufactured by Realtek but are shipped to other companies, which then use them as the basic System-on-Chip (SoC) board for their own devices, with the Realtek SDK serving as a configurator and starting point for their own firmware.

IoT Inspector said they found more than 200 different device models from at least 65 different vendors that had been built around these chips and were using the vulnerable SDK.

Estimated in the realm of hundreds of thousands of internet-connected devices, the list of vulnerable items includes routers, network gateways, Wi-Fi repeaters, IP cameras, smart lighting, and even internet-connected toys.

Of the four issues discovered by the IoT Inspector research team, the CVE-2021-35395 vulnerability received the highest severity rating, of 9.8 out of 10 on the CVSSv3 severity scale.

According to the research team, the vulnerability resides in the web panel used to configure the SDK/device. It allows a remote attacker to reach these devices through malformed web panel URL parameters, bypass authentication, and run malicious code with the highest privileges, effectively taking over the device.

While Realtek released patches [PDF] a day before IoT Inspector published its findings last week, this was far too short a window for device vendors to push the security updates down the line to their own customers.

This means that today, the vast majority of these devices are still running outdated firmware (and an outdated Realtek SDK), leaving them exposed to attacks.

A very busy botnet

Per SAM, exploitation started shortly after and came from the same Mirai-based botnet that a week before rushed to exploit a similar mega-bug in millions of routers running Arcadyan-based firmware.

The SAM research team said that based on their own scans, the most common device models currently running the vulnerable Realtek SDK include the likes of:

Netis E1+ extender
Edimax N150 and N300 Wi-Fi router
Repotec RP-WR5444 router

Owners of such devices should check for, or ask their sellers about, new firmware patches.

The post Hundreds of thousands of Realtek-based devices under attack from IoT botnet appeared first on The Record by Recorded Future.
