Researchers from Juniper Threat Labs have identified threat actors exploiting a newly disclosed authentication bypass bug in Arcadyan firmware to deploy Mirai botnet payloads.
The vulnerability, discovered by Tenable and publicly disclosed on August 3, 2021 as CVE-2021-20090, affects millions of home routers from multiple vendors whose products share the same Arcadyan firmware code base.
“CVE-2021-20090 is a path traversal vulnerability that leads to an authentication bypass. When exploited, the attacker can take over control of the affected device. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March.” reads the report published by Juniper Threat Labs.
Tenable researchers have posted a short proof-of-concept demonstration of this vulnerability on the WSR-2533DHPL2.
Below is the list of routers and vendors vulnerable to this attack.
“As of August 5, we have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March.”
“We had witnessed the same activity starting February 18. The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability.” reads the blog post from Juniper Threat Labs.
Researchers also observed the same actor exploiting other vulnerabilities in the wild:
- CVE-2020-29557 (DLink routers)
- CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
- CVE-2021-31755 (Tenda AC11)
- CVE-2021-22502 (MicroFocus OBR)
- CVE-2021-22506 (MicroFocus AM)
- a couple more exploits from exploit-db with no related CVEs.
Indicators of Compromise:
Attack source IP: 27.22.80[.]19
Shell script and binaries downloaded from: 212.192.241[.]72