[TheRecord] Routers and modems running Arcadyan firmware are under attack

Routers and modems running a version of the Arcadyan firmware, including devices from ASUS, Orange, Vodafone, and Verizon, are currently under attack from a threat actor attempting to ensnare the devices into their DDoS botnet.

First spotted by security firm Bad Packets earlier this week and confirmed by Juniper Labs on Friday, the attacks are exploiting a vulnerability tracked as CVE-2021-20090.

Discovered by Tenable security researcher Evan Grant earlier this year, the vulnerability resides in the firmware code produced by Taiwanese tech firm Arcadyan.

Grant says the vulnerability has existed in the code for at least ten years and has made its way into the firmware of at least 20 router and modem models sold by 17 different vendors, which based their products on a white-label version of old Arcadyan devices.

The list of affected devices includes some of today’s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, British Telecom, and many others.

VendorDeviceFound on versionADBADSL wireless IAD router1.26S-R-3PArcadyanARV751900.96.00.96.617ESArcadyanVRV95176.00.17 build04ArcadyanVGV75193.01.116ArcadyanVRV95181.01.00 build44ASMAXBBR-4MG / SMC7908 ADSL0.08ASUSDSL-AC88U (Arc VRV9517)1.10.05 build502ASUSDSL-AC87VG (Arc VRV9510)1.05.18 build305ASUSDSL-AC31001.10.05 build503ASUSDSL-AC68VG5.00.08 build272BeelineSmart Box Flash1.00.13_beta4British TelecomWE410443-SA1.02.12 build02BuffaloWSR-2533DHPL21.02BuffaloWSR-2533DHP31.24BuffaloBBR-4HGBuffaloBBR-4MG2.08 Release 0002BuffaloWSR-3200AX4S1.1BuffaloWSR-1166DHP21.15BuffaloWXR-5700AX7S1.11Deutsche TelekomSpeedport Smart 3010137.4.8.001.0HughesNetHT2000W0.10.10KPNExperiaBox V10A (Arcadyan VRV9517)5.00.48 build453KPNVGV75193.01.116O2HomeBox 64411.01.36OrangeLiveBox Fibra (PRV3399)00.96.00.96.617ESSkinnySmart Modem (Arcadyan VRV9517)6.00.16 build01SparkNZSmart Modem (Arcadyan VRV9517)6.00.17 build04Telecom (Argentina)Arcadyan VRV9518VAC23-A-OS-AM1.01.00 build44TelMexPRV33AC1.31.005.0012TelMexVRV7006TelstraSmart Modem Gen 2 (LH1000)0.13.01rTelusWiFi Hub (PRV65B444A-S-TS)v3.00.20TelusNH20A1.00.10debug build06VerizonFios G31001.5.0.10VodafoneEasyBox 9044.16VodafoneEasyBox 90330.05.714VodafoneEasyBox 80220.02.226

Besides the wide impact, the bug wasn’t initially a big deal. Found earlier this year and patched in April, the vulnerability never came under attack until this week.

Exploitation only started Thursday this week, two days after Grant published an in-depth technical write-up, which also included proof-of-concept code.

Bad Packets co-founder and CTO Troy Mursch told The Record the attacks are leveraging the proof-of-concept code shared in Grant’s blog post, which is tailored to attack Buffalo routers.

As of 2021-08-05T04:09:44Z, DDoS botnet operators are scanning the internet for Buffalo routers vulnerable to CVE-2021-20091 (https://t.co/OyZT3Be2SP).

This vulnerability allows attackers to alter device configuration leading to remote code execution. #threatintel

— Bad Packets (@bad_packets) August 5, 2021

Per Grant, once exploited, the vulnerability can be used to bypass authentication procedures on affected routers and modems to enable the Telnet service and allow threat actors to connect to devices remotely.

While Grant has not tested his proof-of-concept exploit for other devices, and the exploit might not work out of the box for all, the chances are that it does.

While still unconfirmed, owners of any of the affected devices listed in the table above are advised to inquire their router vendor for security patches.

Juniper said it identified the threat actor behind these attacks as a notorious botnet herder operating a version of the Mirai malware.

The post Routers and modems running Arcadyan firmware are under attack appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

Daily NCSC-FI news followup 2021-07-14

Web shells: How can we get rid of them and why law enforcement is not really the answer www.gdatasoftware.com/blog/webshells Microsoft recorded a total of 144,000 web shell attacks between August 2020 and January 2021. Web shells are very light programmes (scripts) that hackers install to either attack affected websites or web-facing services or prepare a […]

Read More

[ZDNet] Internet users stressed out by cyberattack news: Kaspersky

All posts, ZDNet

2,500 people in the US and Canada were asked about their thoughts on internet usage during COVID-19 and cybersecurity. Source: Read More (Latest topics for ZDNet in Security)

Read More

[SecurityWeek] Apple Security Flaw: How do ‘Zero-Click’ Attacks Work?

All posts, Security Week

Apple has spent the past week rushing to develop a fix for a major security flaw which allows spyware to be downloaded on an iPhone or iPad without the owner even clicking a button. But how do such “zero-click” attacks work, and can they be stopped? read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.