Hacker Exploiting Authentication Bypass Bug On Millions Of Routers. — CyberWorkx

Researchers from Juniper threat labs have identified that the threat actors are exploiting a new authentication bypass bug on Arcadyan firmware and deploy Mirai botnet payloads.

The vulnerability which was identified by Tenable was released to public on August 3, 2021 with the CVE-2021–20090 is affecting millions of home routers varying from multiple routers vendors which are using the same code base of Arcadyan firmware.

“ CVE-2021–20090 is a path traversal vulnerability that leads to an authentication bypass. When exploited, the attacker can take over control of the affected device.The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March. “ reads the report published by Juniper threat labs.

Tenable researchers has posted a short demonstration of POC for this vulnerability on WSR-2533DHPL2.

Below are the list of router/ vendors which are vulnerable for this attack.

“ As of August 5, we have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March. “

“ We had witnessed the same activity starting February 18. The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability. “ reads the blog post from Juniper threat lab.

Researchers also observed that other vulnerabilities are also exploited in the wild on routers:

1. CVE-2020–29557 (DLink routers)
2. CVE-2021–1497 and CVE-2021–1498 (Cisco HyperFlex)
3. CVE-2021–31755 (Tenda AC11)
4. CVE-2021–22502 (MicroFocus OBR)
5. CVE-2021–22506 (MicroFocus AM)
6. a couple more exploits from exploit-db with no related CVEs.

Indicators of Compromise:

Attack source IP: 27.22.80[.]19

Shell script and binaries downloaded from: 212.192.241[.]72

Shell script:
9793ac5afd1be5ec55476d2c205260d1b7af6db7cc29a9dc0f7fbee68a177c78 lolol.sh

Dark binaries:

73edf8bfbbeaccdd84204f24402dcf488c3533be2682724e5906396b9237411d

dark.arm5

8bb454cd942ce6680f083edf88ffa31661a47a45eb3681e1b36dd05043315399

dark.mips

f83eadaa00e81ad51e3ab479b900b981346895b99d045a6b6f77491c3132b58c

dark.m68k

e4bc34e321b31926fd2fa1696136187b13864dfa03fba6848e59f9f72bfa9529

dark.sh4

80331cf89f3e6026b33b8f1bfa1c304295b9327311661d7927f78824f04cf528

dark.arm6

904f9b2e029595365f4f4426069b274810510908c7dd23a3791a831f51e9f1fc

dark.mpsl

283f932f30756408a59dac97a6965eb792915242214d590eab1c6cb049148582

dark.x86

c2f5bbf35afc7335f789e420c23c43a069ecfcca1a8f9fac5cd554a7a769440e

dark.arm7

70764ef9800c1d09f965fbb9698d0eda52448b23772d118f2f2c4ba37b59fc20

dark.ppc

— For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Originally published at https://cyberworkx.in on August 9, 2021.