Cybercriminals using an IP address in China are trying to exploit a vulnerability disclosed earlier this month to deploy a variant of the Mirai malware on network routers affected by the vulnerability, according to researchers with Juniper Threat Labs.
In a recent blog post, the researchers said the bad actors are looking to leverage a path traversal vulnerability that could affect millions of home routers and other Internet of Things (IoT) devices that use the same code base and are manufactured by at least 17 vendors.
The discovery by the Juniper researchers of the exploit attempts came two days after security experts from cybersecurity vendor Tenable first disclosed the vulnerability, which is tracked by CVE-2021-20090. The exploit attempts are an indication not only of the threat the vulnerability poses but also how much attention cybercriminals pay to disclosed vulnerabilities, the Juniper researchers wrote.
The threat is only heightened when it involves IoT devices, they wrote.
“Whenever an exploit POC [proof of concept] is published, it often takes them very little time to integrate it into their platform and launch attacks,” the researchers wrote. “Most organizations do not have policies to patch within a few days, taking sometimes weeks to react. But in the case of IOT devices or home gateways, the situation is much worse as most users are not tech savvy and even those who are do not get informed about potential vulnerabilities and patches to apply.”
The only way to mitigate this is by requiring vendors to offer zero-downtime automatic updates, they wrote.
Tenable First to Disclose Flaw
Tenable first disclosed the persistent vulnerability in a white paper, noting that it was seen in routers provided by at least 13 internet service providers (ISPs) in 11 countries. A path traversal vulnerability enables attackers to bypass authentication to the web interface, which could be used to access other devices on a home or corporate network. Essentially the bad actors can take over control of a device, with Tenable showing how a modified configuration can enable telnet on a vulnerable router and give cybercriminals root level shell access.
Juniper researchers said they discovered the active exploitation of the vulnerability only two days after Tenable’s disclosure Aug. 3. Common in all the affected devices is firmware from Arcadyan, a communications device maker.
On Aug. 5, Juniper researchers discovered attack patterns that were trying to exploit the vulnerability coming from an IP address located in Wuhan, China. The attackers apparently were trying to deploy a Mirai variant on affected devices. Mirai malware enables users to take control of victimized networked devices and leverage them in large scale attacks on networks in such campaigns as distributed denial-of-service (DDoS) attacks.
A Pattern of Exploits
The attackers were using scripts that were similar to ones researchers at Palo Alto Networks’ Unit 42 group wrote about in a March report, noting that cybercriminals in late February were trying to exploit a vulnerability just hours after the details were published to deploy a Mirai variant and that the same samples were served from another IP address about two weeks later.
The Juniper researchers said they had seen the same activity beginning Feb. 18.
“The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,” they wrote. “Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out.”
Should Updates Be Automated?
From June 6 through July 23, researchers also saw the same threat actor exploiting more than a half-dozen other vulnerabilities involving such systems as DLink routers, Cisco Systems’ HyperFlex hyperconverged infrastructure, Tenda AC11 Wi-Fi routers and networking components from Micro Focus, demonstrating that “the group has been continuously adding new exploits to its arsenal.”
Sean Nikkel, senior cyber threat intel analyst at digital risk protection provider Digital Shadows, said it’s concerning that the threat actor behind all this activity is so quickly weaponizing multiple exploits.
“In probably the worst-case scenario, an attacker could use a chain of exploits to gain access to other network devices, as well as any network storage or servers and computers attached to the network,” Nikkel told eSecurity Planet. “Updating and patching home network devices may not be feasible for end users because of either time or skills required, and thus, the vulnerabilities continue to survive on a network. As the Juniper report mentioned, this is decidedly a great case to argue about hardware manufacturers pushing updates automatically rather than waiting for users to go about it themselves.”
Multiple Threats
The most recent case outlined by Juniper researchers could pose multiple threats, according to Jake Williams, co-founder and CTO of BreachQuest, an incident response firm. One threat could come from isolated cases of targeted attacks, Williams told eSecurity Planet.
“A threat actor that compromises a router can run full man-in-the-middle attacks on all traffic passing through it,” he said. “But the more likely scenario is a threat actor using these devices as part of a botnet, which could be used for distributed vulnerability scanning, exploitation, password guessing, or in the most likely case DDoS.”
That said, access to the admin user interface is needed to exploit the vulnerability, and most routers sold today don’t expose the interface to the public internet by default, according to Williams. However, some administrators may enable this setting to get more granular help from their IT staff, he said, adding that “it’s unlikely that this is contributing substantially to the vulnerable population that is exposed.”
Network Vulnerability Assessment Difficult
Vulnerabilities like these highlight the difficulty in assessing network problems, according to Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, a risk remediation firm.
“Instead of securing a handful of networks, network security teams are now worried about a remote workforce and the hundreds and thousands of network-based attack vectors that they have limited control over,” Bar-Dayan told eSecurity Planet, noting that a survey last month by his company found that 76 percent of 200 enterprise IT security executives question said that IT vulnerabilities had impacted their business in the last year.
In addition, 90 percent of respondents said they scan IT infrastructure for vulnerabilities and 52 percent said corporate networks and workstations.
The problem, according to BreachQuest’s Williams, is there isn’t much enterprises can do about such threats. Most bad actors will use compromised devices to perform distributed vulnerability scanning, exploitation, password guessing or DDoS.
“Any organizations waiting on a vulnerability like this to implement good security hygiene probably have bigger cybersecurity issues already,” he said. “ISPs can limit the ability to administer these devices remotely by blocking the required ports. Some do for residential customers, but that can create support issues where remote IT can no longer help users support the devices. In any case, the devices are still vulnerable via other avenues such as CSRF [cross-site request forgery]. In any case, many people working from home due to the pandemic upgraded to business-class Internet, which typically has no ports that are blocked. The responsibility here must lie with the end users.”
