IoT Botnet Attack Hundreds of Thousands of Realtek Chipset Based Devices

The IoT security firm, SAM has recently discovered a dangerous botnet attacking devices using the Realtek chipsets. 

Not only this even this chipset is used by more than 65 vendors, which implies hundreds of thousands of smart devices are vulnerable to this security flaw.

Last week all these attacks were initiated which were reported and found by the fellow security firm, IoT Inspector. They claimed that this bug affected about a million devices which include the following devices:-

• Travel routers
• Wi-Fi repeaters
• IP cameras for lightning gateways
• Smart toys
• Smart lights

In total, there are more than 200 models of at least 65 vendors that are vulnerable, including the following brand names:-

• AIgital
• ASUSTek
• Beeline
• Belkin
• Buffalo
• D-Link
• Edimax
• Huawei
• LG
• Logitec
• MT-Link
• Netis
• Netgear
• Occtel
• PATECH
• TCL
• Sitecom
• TCL
• ZTE
• Zyxel
• Realtek’s own line of routers

According to the cybersecurity experts of SAM security firm, just three days after the IoT Inspector experts disclosed information about the vulnerabilities, all these attacks on the discovered problems were raised.

Most Dangerous flaw

The most dangerous flaw found by the researchers is tracked as, CVE-2021-35395 which has achieved a CVSS score of 9.8 out of 10.

This security flaw allows threat actors to connect to the web panel using a malformed URL, bypass authentication, and run malicious code with the most powerful prerogatives remotely.

In a web panel, the security bug that resides is used to configure the SDK/device. However, Realtek has already released the patches the day before the IoT Inspector released their research analysis, so, it’s not enough time for the device vendors to roll out the updates.

For this reason only, still, there are the vast majority of devices using outdated firmware, and that’s why they will remain vulnerable to such attacks.

Common Devices With the Realtek SDK

Apart from this, the security firm, SAM also mentioned the devices that most often found the network, and here they are mentioned below:-

• Netis E1+ extender
• Edimax N150 and N300 Wi-Fi router
• Repotec RP-WR5444 router

Moreover, the cybersecurity researchers of SAM security firm affirmed that all the vulnerable devices are attacked by the same Mirai-based botnet, it’s the same one which is seen recently in the attacks on devices with Arcadyan firmware.

IOCs

IP addresses – 31.210.20[.]100, 212.192.241[.]87

Files –

Filename	Hash (sha256)
dark.x86	a3ee4bd2f330bf6939cb9121f36261e42f54ffc45676120216fd8da4cb52036a
dark.mips	9dfaa2e60027427c9f1ff377ad3cd3bc800b914c4b9ea5e408442d25f475dab9
dark.mpsl	24d6cd113c9ddf49cb6140d2cc185f2cc033170ac27e2c352d94848cc449c312
dark.arm4	caa8b10057fb699d463f309913d0557462e8b37afdaf4d0c3cff63f9b9605f0d
dark.arm5	fd7da924fe743d2e09b10f4e8a01230f7bc884ae14ef0e6133e553de118a457e
dark.arm6	0c734c8c0f8e575a08672d01fc5a729605b3e9dbb4d0c62bd94ad86d2c3d6aeb
dark.arm7	85b07054472bbaa06d0611dfb28632ffa351d3b13e37b447914f49a1dfe07dc4
dark.ppc	a5478d51a809aed51d633611371c105e3ec82490f9516d186e7013dabcf8c77f
dark.m68k	bf9d92666d3b25cf6e49234472a2fa515107eb6df07f4aee6deb6a42eed4fa92
dark.sh4	16787be5e8d7de5816d590efb4916c7415f458bc7059d2d287715fb3ef8e0783
dark.86_64	67a655d4360cfe0ca5db17c6486f3dfbca1c82c2af4bc1f2019cee68199108c7

Follow us on Linkedin, Twitter, Facebook for daily Cybersecurity News & Updates