Hackers have leveraged a critical remote code execution vulnerability in Realtek Jungle SDK 134 million attacks trying to infect smart devices in the second half of 2022.
Exploited by multiple threat actors, the vulnerability is tracked as CVE-2021-35394 and comes with a severity score of 9.8 out of 10.
Between August and October last year, sensors from Palo Alto Networks observed significant exploitation activity for this security issue, accounting for more than 40% of the total number of incidents.
High exploitation levels
Starting September 2022, a new sizable botnet malware named ‘RedGoBot’ appeared in the wild targeting IoT devices vulnerable to CVE-2021-35394.
Researchers at Unit 42, Palo Alto Network’s threat intelligence team, noticed that exploitation of the flaw continued throughout December.
Three different payloads were delivered as a result of these attacks:
- a script that executes a shell command on the target server to download malware
- an injected command that writes a binary payload to a file and executes it
- an injected command that reboots the server
Most of these attacks originate from botnet malware families like Mirai, Gafgyt, Mozi, and derivatives of them. In April 2022, the Fodcha botnet was spotted exploiting CVE-2021-35394 for distributed denial-of-service (DDoS) operations.
The RedGoBot also used the vulnerability for DDoS purposes in attacks in September. The botnet can perform DDoS attacks on HTTP, ICMP, TCP, UDP, VSE and OpenVPN protocols and supports a variety of flooding methods.
Unit 42 logged activity leveraging CVE-2021-35394 from all over the world but almost half of the attacks originated from the United States.
However, using VPNs and proxies may obscure the actual source, as threat actors prefer using U.S.-based IP addresses to evade blocklists.
Attack trends for CVE-2021-35394 (Unit 42)
“From August 2021 to December 2022, we have observed 134 million exploit attempts in total, targeting CVE-2021-35394, with 97% of these attacks occurring after the start of August 2022,” reads Unit 42’s report.
“More than 30 international regions were involved as the attack origins, with the United States being the largest source of attacks at 48.3% of the total. Vietnam, Russia, The Netherlands, France, Luxembourg, and Germany were also found to be in the top seven countries from which we observed threat actors taking part in these attacks” – Palo Alto Networks Unit 42
Realtek SDK flaw details
CVE-2021-35394 is a critical (CVSS v3: 9.8) vulnerability in Realtek Jungle SDK version 2.x to 3.4.14B, caused by multiple memory corruption flaws that allow remote unauthenticated attackers to perform arbitrary command injection.
Realtek fixed the flaw on August 15, 2021, along with other critical severity flaws like CVE-2021-35395, which was extensively targeted by botnets that incorporated exploits mere days after its disclosure, and as recently as last December.
Realtek chipsets are omnipresent in the IoT world, and even when the Taiwanese chip maker pushes security updates to address problems in its products quickly, supply chain complexities delay their delivery to end users.
Also, users often neglect firmware updates even when those become available from their device vendors, and many treat IoT devices with the “set and forget” mindset.
Vendors impacted by CVE-2021-35394 (Unit 42)
A surge in exploiting CVE-2021-35394 almost more than a year after Realtek released security fixes indicates that remediation efforts are lagging and the blame for this is shared between vendors and the end user.
Some of the vulnerable devices may no longer be supported. In some cases, vendors may have released an update with a fix but users failed to install it. Users should check if their devices are impacted and if there are available security patches that address CVE-2021-35394.
If your device has already been infected, the recommendation is it to perform a factory reset, set a strong administrator password, and then apply all the available firmware updates.
Exploiting CVE-2021-35394 is expected to stay at high levels in the first half of 2023 due to the complexities in supply chain patching that cause massive delays in managing the security problem.