A remote code execution vulnerability in Realtek chipset SDKs, which are used in IoT devices from 65 vendors, has been integrated into a Mirai botnet, according to new research.
The bug, CVE-2021-35395, was spotted by threat intelligence firm Radware in Mirai malware binaries.
Radware warned that the vulnerability was added to Dark.IoT's botnet "less than a week" after it was published, saying: "This vulnerability was recently identified by the IoT Inspector Research Lab on the 16th on Realtek chipsets and SDK."
The critical vulnerability, rated 9.8 on the CVSS scale, covers multiple ways to trigger buffer overflows (Realtek has published a PDF with details) in the web administration interface that ships with Realtek's Jungle SDK for its router chipsets. Used as a denial-of-service vector, manipulated input from an attacker crashes the HTTP server on which the management interface runs, and with it the router.
“You can kill it, but you can also infect it with malware,” says Radware researcher Daniel Smith.
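The bug class described above, a web-form parameter copied into a fixed-size buffer with no length check, is illustrated below in an added example that is not Realtek's code, not taken from the Radware research and not modelled on the Jungle SDK's actual source. The form parser, the `mgmt_frame` struct, the 32-byte field size and the sample request bodies are all assumptions made for the demonstration; the canary stands in for whatever follows the buffer in real memory, which is why an overrun ends in a crash or, as Smith notes, in code execution.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32                 /* assumed size of a fixed form-field buffer */
#define CANARY   0xC0FFEE42u

/* Per-request state of a hypothetical embedded admin server. The canary stands
 * in for whatever sits after the buffer in real memory (other fields, saved
 * registers, a return address): if it changes, the copy ran past the buffer. */
struct mgmt_frame {
    char     name[NAME_MAX];
    uint32_t canary;
};

/* Locate the value of `key` in an application/x-www-form-urlencoded body.
 * Returns a pointer into `body` and stores the value length in *len, or NULL
 * if the key is absent. Percent-decoding is omitted for brevity. */
const char *form_value(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = plen - klen - 1;
            return p + klen + 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return NULL;
}

/* Vulnerable pattern: the client-supplied length is trusted and nothing checks
 * it against NAME_MAX. The copy is modelled as a byte copy over the whole frame
 * so the demonstration is deterministic instead of relying on undefined
 * behaviour; a real strcpy() would keep writing past the struct and crash the
 * server. Returns 1 if memory beyond the buffer was clobbered, else 0. */
int vulnerable_copy(const char *value, size_t len)
{
    struct mgmt_frame f;
    f.canary = CANARY;
    if (len > sizeof f) len = sizeof f;        /* clamp only so the model stays in bounds */
    memcpy((unsigned char *)&f, value, len);   /* no check against NAME_MAX */
    return f.canary != CANARY;
}

/* Hardened version: an oversized field is rejected with an error rather than
 * copied, and the result is always NUL-terminated. Returns 0 or -1. */
int bounded_copy(struct mgmt_frame *f, const char *value, size_t len)
{
    if (len >= NAME_MAX) return -1;
    memcpy(f->name, value, len);
    f->name[len] = '\0';
    return 0;
}

/* Run one request body through either handler.
 * Returns -2 if `name` is missing; otherwise the handler's result:
 * vulnerable: 1 = buffer overrun, 0 = fit; bounded: 0 = accepted, -1 = rejected. */
int handle_request(const char *body, int use_bounded)
{
    size_t len;
    const char *v = form_value(body, "name", &len);
    if (!v) return -2;
    if (use_bounded) {
        struct mgmt_frame f;
        return bounded_copy(&f, v, len);
    }
    return vulnerable_copy(v, len);
}

/* Constructed sample request bodies (not captured traffic). */
static const char SAFE_BODY[] = "name=upstairs-ap&enable=1";
static const char OVERSIZED_BODY[] =
    "name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&enable=1"; /* 48-byte value */

int main(void)
{
    printf("safe body, vulnerable handler: overrun=%d\n", handle_request(SAFE_BODY, 0));
    printf("oversized body, vulnerable handler: overrun=%d\n", handle_request(OVERSIZED_BODY, 0));
    printf("oversized body, bounded handler: rc=%d\n", handle_request(OVERSIZED_BODY, 1));
    return 0;
}
```

The check worth taking away is the one in `bounded_copy`: the server decides from the length it measured itself, never from anything the client sent, and an input that does not fit becomes an HTTP error instead of a write past the buffer. The same rule applies to any field the management interface reads, not only the one shown here.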
The operators of the Mirai variant, which Radware calls Dark.IoT, were first reported on by Palo Alto Networks and Juniper Threat Labs earlier this year; Juniper warned at the time that a two-day-old vulnerability had already been exploited by Dark.IoT's software.
The botnet's latest exploit for the vulnerability relies on a path traversal flaw combined with a configuration file injection. Radware's Smith told The Register: "This operator is demanding compared to [script kiddies]."
Rather than developing its own exploits, Dark.IoT waits for white hats to publish proofs of concept for newly discovered vulnerabilities, and Smith said the gang adds them to its botnet within "days".
Jason Soroko, Sectigo's CTO, told El Reg recently that the Mozi IoT botnet, a peer-to-peer network that, like Dark.IoT, targets consumer IoT devices, exploits an inherent and long-standing problem with consumer routers: it is not easy for non-tech-savvy users to load new firmware onto them. Smith agreed.
While Realtek has patched the vulnerabilities in the SDK, vendors using its white-label technology must now distribute patches for their branded devices, and users must then install them, all while Dark.IoT and other Mirai-based criminals scan for exploitable devices.
Big companies like Microsoft, added Smith, end up playing "whack-a-mole" with botnet gangs. He said Dark.IoT has to rebuild its command-and-control infrastructure every month or so thanks to determined takedowns.
Meanwhile, the malware is evolving. "As reported by both Palo Alto Networks and Juniper Threat Labs," Radware said in a blog post shared with The Register, "the campaigners are keen to find and use new exploits to capture more vulnerable devices that can be used to launch critical DDoS attacks."
“Dark.IoT operators are expected to continue this pattern of rapid exploitation of recently revealed vulnerabilities for the remainder of 2021,” concluded a rather grim Radware. ®