Skip links

Mirai-style IoT botnet is now scanning for router-pwning critical vuln in Realtek kit

A denial-of-service vulnerability affecting SDKs for Realtek chipsets used in 65 vendors’ IoT devices has been incorporated into a son-of-Mirai botnet, according to new research.

The remote code execution flaw, CVE-2021-35395, was seen in Mirai malware binaries by threat intel firm Radware, which “found that new malware binaries were published on both loaders leveraged in the campaign.”

Warning that the vuln had been included in Dark.IoT’s botnet “less than a week” after it was publicly disclosed, Radware said: “This vulnerability was recently disclosed by IoT Inspectors Research Lab on August 16th and impacts IoT devices manufactured by 65 vendors relying on the Realtek chipsets and SDK.”

The critical vuln, rated 9.8 on the CVSS scale, consists of multiple routes to cause buffer overflows (PDF from Realtek with details) in the web management interface provided by Realtek in its Jungle SDK for its router chipset. CVE-2021-35395 is a denial-of-service vuln; crafted inputs from an attacker can be used to crash the HTTP server running the management interface, and thus the router.

“They can kill it, but they also can infect it with malware,” said Radware researcher David Smith.

Nicknamed Dark.IoT by Radware, the Mirai variant’s operators had been reported upon by Palo Alto Networks and by Juniper Threat Labs earlier this year, with Juniper warning that a two-day-old vuln had been deployed into Dark.IoT’s software nasty.

The latest incorporation of the DoS vuln into the botnet relies on a path traversal vulnerability combined with a configuration file injection. Radware’s Smith told The Register: “This operator is sophisticated in comparison with [script kiddies].”

Rather than having the capability to develop its own exploits, Dark.IoT sits around waiting for white hats to publish proof-of-concepts for newly discovered vulns, and Smith said they incorporate those into their botnet within “days.”

Sectigo CTO Jason Soroko recently told El Reg that the Mozi IoT botnet, a P2P network which also targets consumer IoT devices similarly to Dark.IoT, targets an inherent and long-standing problem with consumer routers; they’re not easy for non-technical users to reflash new firmware onto them. Smith agreed.

While Realtek has patched the vulns in the SDK, vendors using its white-label tech now have to distribute patches for their branded devices and then users have to install them – all while Dark.IoT and other Mirai-based criminals are looking for exploitable devices.

Large companies such as Microsoft, Smith added, end up playing “whack a mole” with botnet gangs as a result. He said that Dark.IoT is having to rebuild its command-and-control infrastructure every month or so thanks to determined takedowns.

Meanwhile, the malware is continuing to evolve. “As reported by both Palo Alto Networks and Juniper Threat Labs,” said Radware in a blog post shared with The Register, “the operators behind this campaign are dedicated to finding and leveraging new exploits to capture more vulnerable devices that can be leveraged to launch more significant DDoS attacks.”

“It is expected that the operators behind Dark.IoT will continue this pattern of rapidly leveraging recently disclosed vulnerabilities for the remainder of 2021,” concluded a rather glum Radware. ®