September 25, 2023

Researchers have reported a surge in the number of attacks that attempted to exploit a Realtek Jungle SDK RCE that is tracked as CVE-2021-35394 with a CVSS score of 9.8. Nearly 134 million exploit attempt was made till last month – December 2022.

Realtek Jungle SDK version v2.x through v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as a ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.

The experts warned that the attacks conducted by multiple threat actors are still ongoing. Many of these attacks attempted to deliver malware to vulnerable IoT devices. Most of the malware samples belong to Mirai, Gafgyt, and Mozi families.

Advertisements

Researchers observed a new distributed IoT DDoS botnet developed in Golang, tracked as RedGoBot.

  • In the first campaign observed in early September 2022, when the threat actor tried to deliver a shell script znet.sh downloader from 185.216.71[.]157 utilizing wget.
  • In the second campaign, which was observed in November 2022, when the threat actor used a shell script with wget and curl to download the following botnet clients from 185.246.221[.]220

The analysis of the attacks in the wild revealed the use of the following three types of payloads:

  • A script executes a shell command on the targeted server (mostly from the Mirai).
  • An injected command directly writes the binary payload to a file and then executes it.
  • An injected command directly reboots the targeted server to trigger a denial-of-service condition

The flaw affects almost 190 models of devices from 66 different manufacturers and the origin from the U.S., Vietnam, and Russia. But the use of Proxy VPN is also not ruled out. This surge can result in a possible supply chain attack which is difficult to detect and remediate.

This research was documented by researchers for Palo Alto

Advertisements

Indicators of Compromise

  • 3ee4bd2f330bf6939cb9121f36261e42f54ffc45676120216fd8da4cb52036a
  • 9dfaa2e60027427c9f1ff377ad3cd3bc800b914c4b9ea5e408442d25f475dab9
  • 24d6cd113c9ddf49cb6140d2cc185f2cc033170ac27e2c352d94848cc449c312
  • caa8b10057fb699d463f309913d0557462e8b37afdaf4d0c3cff63f9b9605f0d
  • fd7da924fe743d2e09b10f4e8a01230f7bc884ae14ef0e6133e553de118a457e
  • 0c734c8c0f8e575a08672d01fc5a729605b3e9dbb4d0c62bd94ad86d2c3d6aeb
  • 85b07054472bbaa06d0611dfb28632ffa351d3b13e37b447914f49a1dfe07dc4
  • a5478d51a809aed51d633611371c105e3ec82490f9516d186e7013dabcf8c77f
  • bf9d92666d3b25cf6e49234472a2fa515107eb6df07f4aee6deb6a42eed4fa92
  • 16787be5e8d7de5816d590efb4916c7415f458bc7059d2d287715fb3ef8e0783
  • 67a655d4360cfe0ca5db17c6486f3dfbca1c82c2af4bc1f2019cee68199108c7
Tags:

Leave a Reply

You may have missed

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023

MGM Resorts and Ceasars Attacks – Lesson Learnt

September 23, 2023

CISA KEV Update September 2023 – Part II

September 23, 2023

Air Canada Reveals Data Exposure due to a Cyberattack

September 23, 2023

SandMan APT Group in action against Telcos

September 22, 2023
%d bloggers like this: