On August 3, a Tenable researcher detailed how he had successfully exploited a flaw present in millions of routers. Even though the vulnerability has been fixed for more than 3 months thanks to his work, cybercriminals have been able to use his demonstration to launch a wave of attacks.
On August 5, researchers at Bad Packets observed unusual behavior from a group of cybercriminals whose activity they track: the group was scanning the internet for routers vulnerable to a flaw discovered and fixed in April. The next day, the Juniper Threat Lab observed the same phenomenon. The common denominator of the targeted routers was their use of firmware [a type of software, editor's note] developed by Arcadyan.
As of 2021-08-05T04:09:44Z, DDoS botnet operators are scanning the internet for Buffalo routers vulnerable to CVE-2021-20091 (https://t.co/OyZT3Be2SP).
This vulnerability allows attackers to alter device configuration leading to remote code execution. #threatintel
– Bad Packets (@bad_packets) August 5, 2021
The gang behind the maneuver specializes in selling DDoS (distributed denial of service) attacks, which involve bringing down a device by overloading it with connections. To achieve this, it relies on a botnet, a fleet of thousands of “zombie” devices that it has assembled and with which it can launch a coordinated attack. More specifically, the group compromises connected devices using a variant of the Mirai malware, a widely used malware strain.
The objective of the maneuver spotted by the researchers was precisely to find new devices to infect in order to strengthen their botnet. The vulnerability being scanned for, CVE-2021-20090, allows the authentication process to be bypassed, and thus lets the attacker connect to the router remotely. Once authenticated, the attacker is able to run his own code on the machine. In the jargon, this is called an RCE (Remote Code Execution): concretely, the attacker can manipulate the device at his leisure from home, and use it as a platform for spreading the Mirai variant. He can reach all the connected devices on the local network and attempt to compromise them.
Millions of affected devices
Routers are prime targets since they act as the gateway between the Internet and your home network: it is they, for example, that run your Wi-Fi network. This is one of the reasons why CVE-2021-20090 was rated 9.9 / 10 on the criticality scale, in addition to its ease of exploitation.
As detailed by the Juniper Threat Lab, the vulnerable Arcadyan firmware equips 20 router models from 17 different brands, including Asus, Orange, Verizon and Vodafone. In other words, millions of routers, present in homes in dozens of countries, are vulnerable to attack. And these millions of routers in turn provide access to tens of millions of connected devices. According to the table presented by the researchers, however, the French Internet box models appear to be spared by the flaw. The Orange box concerned, the Fibra Livebox, is only used in Spain, for example.
The flaw was not exploited until researchers spoke about it
The vulnerability has followed a strange route, to say the least. Tenable discovered it earlier this year, then spoke publicly about it in late April, after fixes were deployed. According to the researchers, the flaw had existed for “at least 10 years”. This is why so many router models, built on the basis of Arcadyan’s white-label firmware, are vulnerable to it.
But although critical and widespread, the flaw had never been exploited … until August 3. Evan Grant of Tenable then published a technical article detailing his proof of concept, a kind of explanatory write-up of how he exploited the vulnerability. It took no more than that for the cybercriminals to seize on it and, two days later, find a way to apply it on a large scale, taking advantage of the fact that the routers’ firmware was not always up to date.
Admittedly, the specific case presented in Grant’s article does not necessarily work for all vulnerable models. But some cybercriminals have the in-house skills to adapt it where needed.
The good news is that the patch to protect yourself from hackers already exists. The problem, as the Juniper Threat Lab researchers interviewed by Bleeping Computer point out, is that most of the people affected are not even aware of the attack, and will not deploy the patch.