Cybercriminals operating from an IP address in China are trying to exploit a vulnerability disclosed earlier this month to install a variant of the Mirai malware on vulnerable network routers, according to researchers at Juniper Threat Labs.

In a recent blog post, the researchers said bad actors are looking to exploit a vulnerability that could affect millions of home routers and other Internet of Things (IoT) devices that share the same code base and are sold by at least 17 vendors.

Juniper's researchers spotted the exploitation attempts two days after security experts at cyber security vendor Tenable first disclosed the vulnerability, which is tracked as CVE-2021-20090. The exploitation attempts are an indicator not only of the threat posed by the vulnerability, but also of how closely cybercriminals follow newly disclosed vulnerabilities, the Juniper researchers write.

The threat only increases when it involves IoT devices, they write.

“Every time a POC [proof of concept] exploit has been published, they often need very little time to integrate it into their platform and launch attacks,” the researchers write. “Most organizations do not have policies to patch within a few days, sometimes taking weeks to react. But in the case of IoT devices or home gateways, the situation is much worse as most users are not technology experts and even those who are, are not aware of the potential vulnerabilities and patches to apply.”

The only way to mitigate this is to require vendors to offer automatic updates that are installed during downtime, they write.

Tenable first to detect the flaw

Tenable first disclosed the vulnerability in a white paper, noting that it was seen on routers supplied by at least 13 Internet Service Providers (ISPs) in 11 countries. The vulnerability in the routers allows attackers to bypass authentication on the web interface, which can then be used to reach other devices on a home or corporate network. In effect, bad actors can take control of a device: Tenable showed how a modified configuration can enable telnet on a vulnerable router and give cybercriminals root-level shell access.

Juniper researchers said they discovered active exploitation of the vulnerability just two days after Tenable's disclosure on August 3. Common to all affected devices is firmware from Arcadyan, a maker of communications devices.

On August 5, Juniper researchers observed attack patterns attempting to exploit the vulnerability, coming from an IP address located in Wuhan, China. The attackers were apparently trying to install a Mirai variant on the affected devices. Mirai malware lets its operators take control of compromised network devices and use them in large-scale attack campaigns such as distributed denial of service (DDoS) attacks.

An exploitation pattern

The attackers are using scripts similar to those described by researchers at Palo Alto Networks' Unit 42 in a March report, which noted that in late February cybercriminals were trying to exploit a vulnerability just hours after its details were released, in order to install a Mirai variant, and that the same samples were served from another IP address about two weeks later.

The researchers said they had seen the same activity starting on February 18.

“The resemblance may indicate that the same threat actor is behind this new attack and is trying to improve their infiltration arsenal with another newly discovered vulnerability,” they write. “Given that most people may not be aware of the security risk and will not update their device soon, this attack tactic can be very successful, cheap and easy to perform.”

Should updates be automated?

From June 6 to July 23, the researchers also saw the same threat actor exploiting more than a dozen other vulnerabilities, affecting systems such as D-Link routers, Cisco Systems HyperFlex hyperconverged infrastructure, Tenda AC11 Wi-Fi routers, and network components from Micro Focus, demonstrating that “the group has constantly added new exploits to its arsenal.”

Sean Nikkel, senior cyber threat intelligence analyst at digital risk protection provider Digital Shadows, said it is worrying that the threat actor behind all this activity is weaponizing so many exploits so quickly.

“Perhaps in the worst case scenario, an attacker could use a chain of exploits to gain access to other network devices, as well as any network storage or servers and computers attached to the network,” Nikkel told eSecurity Planet. “Updating and patching home network equipment may not be feasible for end users due to the time or capabilities required, and thus vulnerabilities continue to survive in a network. As mentioned in the Juniper report, this is definitely a great opportunity to argue for device manufacturers pushing updates automatically instead of waiting for users to act on their own.”

Multiple threats

The latest case described by the Juniper researchers could pose multiple threats, according to Jake Williams, co-founder and CTO of BreachQuest, an incident response firm. One threat could come from isolated cases of targeted attacks, Williams told eSecurity Planet.

“A threat actor compromising a router can carry out full-blown man-in-the-middle attacks on all the traffic passing through it,” he said. “But the most likely scenario is a threat actor using these devices as part of a botnet, which could be used for distributed vulnerability scanning, exploitation, password guessing, or in the most likely case DDoS.”

That said, access to the administrator user interface is necessary to exploit the vulnerability, and most routers sold today do not expose that interface to the public Internet by default, according to Williams. However, some administrators may enable this setting so they can receive more detailed remote assistance from their IT staff, he said, adding that “this is unlikely to contribute significantly to the vulnerable population that is exposed.”

Assessing network vulnerability is difficult

Weaknesses like these highlight the difficulty of assessing network risk, according to Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, a cyber risk remediation firm.

“Instead of securing a handful of networks, network security teams are now concerned about a remote workforce and hundreds of thousands of network-based attack vectors over which they have limited control,” Bar-Dayan told eSecurity Planet, noting that a recent month-long survey by his company found that 76 percent of the 200 IT security executives surveyed said IT vulnerabilities had affected their business in the past year.

Moreover, 90 percent of respondents said they scan their IT infrastructure for vulnerabilities, and 52 percent said they scan corporate networks and workstations.

The problem, according to Williams of BreachQuest, is that few companies are likely to face such targeted threats. Most bad actors will instead use compromised devices to perform distributed vulnerability scanning, exploitation, password guessing or DDoS.

“Any organization that expects a vulnerability like this to implement good security hygiene is likely to already have bigger cyber security issues,” he said. “ISPs may limit the ability to manage these devices remotely by blocking the required ports. Some do for residential clients, but this can create support issues where remote IT cannot help users with the devices. Either way, the devices are still vulnerable through other avenues such as CSRF [cross-site request forgery]. In any case, many people working from home due to the pandemic were upgraded to business-class internet, which usually has no blocked ports. The responsibility here should be on the end users.”
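Two of the points made above, that the admin interface should not be reachable from the WAN and that a LAN-only interface can still be driven by CSRF from a web page the user visits, are easy to see in code. The following is an added example written for this article; it is not the Arcadyan firmware, Juniper's or any vendor's code, and the LAN ranges, hostnames, cookie name and CGI paths in it are assumptions. It contrasts the weak pattern (a session cookie alone authorizes a configuration change) with a hardened handler that refuses non-LAN clients and requires the Origin or Referer of state-changing requests to be the router itself.

```python
# Added example (not the Arcadyan firmware or any vendor's code): checks a
# router admin CGI can apply so the WAN-exposure and CSRF avenues discussed
# in the article are closed. Addresses, hostnames and paths are assumed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumed LAN ranges and the names/addresses the admin UI legitimately answers on.
LAN_NETS = (ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"),
            ip_network("172.16.0.0/12"))
ADMIN_HOSTS = {"192.168.1.1", "router.local"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the CGI would see it."""
    method: str
    path: str
    client_ip: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def _header(req, name):
    """Case-insensitive header lookup."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def legacy_accepts(req):
    """Weak pattern: a session cookie alone authorizes a config change.
    Browsers attach cookies to form POSTs from any site, so a page the user
    visits can drive the LAN-side CGI even when the WAN port is blocked."""
    return "session" in req.cookies


def is_lan_client(ip_str):
    """True when the client address falls inside one of the LAN ranges."""
    ip = ip_address(ip_str)
    return any(ip in net for net in LAN_NETS)


def request_origin_host(req):
    """Hostname from Origin, else from Referer; None if neither is present."""
    for name in ("Origin", "Referer"):
        val = _header(req, name)
        if val:
            return urlsplit(val).hostname
    return None


def check_admin_request(req):
    """Hardened pattern. Returns (allowed, reason).
    1. Refuse anything not from the LAN: the admin UI is not a WAN service.
    2. For state-changing methods, require Origin/Referer to be the router
       itself; a cross-site form POST cannot satisfy this.
    3. Still require the session cookie."""
    if not is_lan_client(req.client_ip):
        return False, "client is not on the LAN"
    if req.method.upper() in STATE_CHANGING:
        origin = request_origin_host(req)
        if origin is None:
            return False, "state-changing request without Origin/Referer"
        if origin not in ADMIN_HOSTS:
            return False, f"cross-site request from {origin}"
    if "session" not in req.cookies:
        return False, "no session"
    return True, "ok"


# Constructed sample requests (not captured traffic).
LEGIT = Request("POST", "/apply.cgi", "192.168.1.20",
                {"Origin": "http://192.168.1.1"}, {"session": "abc"})
CSRF = Request("POST", "/apply.cgi", "192.168.1.20",
               {"Origin": "http://attacker.example"}, {"session": "abc"})
WAN = Request("POST", "/apply.cgi", "203.0.113.5",
              {"Origin": "http://192.168.1.1"}, {"session": "abc"})
STATUS = Request("GET", "/status.cgi", "192.168.1.20", {}, {"session": "abc"})

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("csrf", CSRF), ("wan", WAN), ("status", STATUS)]:
        print(f"{name:7} legacy={legacy_accepts(req)} hardened={check_admin_request(req)}")
```

Running the block shows the legacy check accepting the CSRF request (the cookie is present, so it cannot tell the difference) while the hardened check rejects it along with the WAN-sourced request, and still allows the user's own form post and a plain status page read. Checking Origin works because the browser, not the attacker's page, sets that header on cross-site requests; the same idea is what SameSite cookie attributes and anti-CSRF tokens provide on devices whose firmware supports them.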