
Malware exploited critical Realtek SDK vulnerability in millions of attacks

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: Critical (Common Vulnerability Scoring System (CVSS) v3 score – 9.8) – Compromise may result in the loss of confidentiality and integrity of data in the first instance.

Threat actors have been observed exploiting a critical remote code execution (RCE) vulnerability in the UDPServer component of the Realtek Jungle SDK. An estimated 134 million related attacks occurred during quarters 3 and 4 of 2022, accounting for over 40% of all incidents recorded in that period. The vulnerability is tracked as CVE-2021-35394.

The ‘RedGoBot’ botnet malware has targeted Internet of Things (IoT) devices vulnerable to CVE-2021-35394 since September 2022, and that activity was continuing at the time of writing. Three separate payloads were observed being delivered through the exploit, namely:

  • A script that executed a shell command on the target server to download malware
  • A command injection that wrote a binary payload to a file
  • A command injection that rebooted the target server.

Moreover, the attacks related to the vulnerability originated via the following additional botnet malware families:

  • Mirai
  • Gafgyt
  • Mozi
  • Fodcha.

The RedGoBot and Fodcha botnet families used the exploit to conscript devices for Distributed Denial of Service (DDoS) attacks using HTTP, ICMP, TCP, UDP, VSE and OpenVPN attack vectors. Although these attacks were observed globally, approximately 50% were geo-located to the US.

Impact

Successful exploitation of the vulnerability allows a remote, unauthenticated threat actor to inject and execute arbitrary commands, as a result of multiple memory corruption flaws.

Vulnerability Detection

Windows have patched the aforementioned vulnerability within the respective product versions for supported devices. As such, previous versions are vulnerable to the potential exploits.

Affected Products

Realtek Jungle SDK versions 2.x – 3.4.14B

Containment, Mitigations & Remediations

A portion of vulnerable devices may no longer be supported. In other cases, vendors have released an update containing remediation steps, but users have failed to install it. It is highly recommended that users determine whether their devices are affected by the vulnerability and whether appropriate security patches are available.

If your device has already been infected, it is recommended that the following mitigation steps are adhered to:

  1. Perform a factory reset
  2. Set a strong administrator password
  3. Apply all the available firmware updates.
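The first recommendation above is to establish whether a device falls inside the affected range (Realtek Jungle SDK 2.x through 3.4.14B). The following is an added example, not part of the bulletin, that parses SDK version strings with the trailing letter suffix and triages a constructed, hypothetical device inventory; the device names and versions are assumptions for illustration.

```python
import re
from typing import Optional, Tuple

# Upper bound of the affected range stated in the bulletin: 3.4.14B.
# Versions are compared as (major, minor, patch, suffix); "B" > "A" > no suffix.
AFFECTED_MAX = (3, 4, 14, "B")
AFFECTED_MIN_MAJOR = 2  # the bulletin's floor is "2.x", taken literally

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z])?$")


def parse_version(version: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse strings like '3.4.14B', '3.4.11' or '2.5' into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), (suffix or "").upper())


def is_affected(version: str) -> Optional[bool]:
    """True if inside the affected range, False if outside,
    None if the string could not be parsed (triage such devices manually)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    if parsed[0] < AFFECTED_MIN_MAJOR:
        return False
    return parsed <= AFFECTED_MAX


# Constructed inventory sample (hypothetical device names and versions).
INVENTORY = {
    "router-a": "3.4.14B",   # last affected release
    "camera-b": "3.4.15",    # first release past the range
    "gateway-c": "2.5",      # 2.x, affected
    "bridge-d": "4.1",       # outside the range
    "unknown-e": "v3.4",     # unparseable, needs manual review
}


def triage(inventory):
    """Map each device to True / False / None as returned by is_affected."""
    return {name: is_affected(v) for name, v in inventory.items()}


if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        label = "unknown" if status is None else ("AFFECTED" if status else "not affected")
        print(f"{name}: {label}")
```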

Indicators of Compromise

IP addresses:


Callback URLs:


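The indicators above are published defanged (hxxp:// and [.]), so they must be refanged before they can be matched against proxy or firewall logs. The following is an added example, not part of the bulletin, that refangs indicators in that notation and checks constructed log lines against them; the indicator values (documentation-range addresses) and the three-column log format are assumptions, and the bulletin's real list would be substituted for DEFANGED_IOCS.

```python
import re
from urllib.parse import urlsplit

# Constructed indicators in the bulletin's defanged notation.
# Documentation-range placeholders, not the bulletin's real IoCs.
DEFANGED_IOCS = [
    "hxxp://203.0.113[.]5/trc/TRC[.]mpsl",
    "hxxp://198.51.100[.]77/billy[.]sh",
    "192.0.2[.]10",
]

# Constructed log lines; assumed format is "<src_ip> <dst_ip> <url or ->".
SAMPLE_LOG = """\
10.0.0.12 203.0.113.5 http://203.0.113.5/trc/TRC.mpsl
10.0.0.19 93.184.216.34 http://example.com/index.html
10.0.0.44 192.0.2.10 -
10.0.0.12 198.51.100.77 http://198.51.100.77/billy.sh
"""


def refang(indicator: str) -> str:
    """Turn defanged notation (hxxp://, [.], (.)) back into a matchable value."""
    value = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value)


def build_watchlist(defanged):
    """Split refanged indicators into a host set and a full-URL set."""
    hosts, urls = set(), set()
    for ioc in defanged:
        value = refang(ioc)
        if "://" in value:
            urls.add(value)
            hosts.add(urlsplit(value).hostname)
        else:
            hosts.add(value)
    return hosts, urls


def find_hits(log_text, defanged):
    """Return (src, match_type, value) for each log line touching an indicator."""
    hosts, urls = build_watchlist(defanged)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, url = parts
        if url in urls:
            hits.append((src, "callback-url", url))
        elif dst in hosts:
            hits.append((src, "ioc-host", dst))
    return hits
```

A full-URL match on a payload download is the strongest signal; a bare host match is worth checking but is weaker, since the same address can host unrelated services.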
Threat Landscape

Realtek chipsets are utilised ubiquitously within the IoT realm. Even when the chip manufacturer releases security updates to address vulnerabilities in its product line, supply chain complexities delay their delivery to end users. Further, it has been reported that users often neglect firmware updates, even when they become available from their respective device vendors.

Exploitation of CVE-2021-35394 is expected to remain prominent throughout the first half of 2023 because of the complexities of supply chain patching and the resulting delays in remediating security issues. Because IoT devices are often not treated as a pertinent part of an organisation’s security posture, many devices and organisations remain at risk.

Threat Group

CVE-2021-35394 affects approximately 190 device models from 66 manufacturers. As such, threat actors are likely to continue targeting Realtek-based devices, making it crucial that the recommended mitigation steps are followed.

Mitre Methodologies

  • T1210 – Exploitation of Remote Services
  • T1202 – Indirect Command Execution
  • T1499 – Endpoint Denial of Service
  • T1584.005 – Compromise Infrastructure: Botnet
  • T1583.005 – Acquire Infrastructure: Botnet

Further Information

Intelligence Terminology Yardstick