Experts warn of a surge of attacks exploiting a Realtek Jungle SDK RCE (CVE-2021-35394)

Pierluigi Paganini January 26, 2023

Experts warn of a spike in the attacks that between August and October 2022 attempted to exploit a Realtek Jungle SDK RCE (CVE-2021-35394).

Palo Alto Networks researchers reported that between August and October 2022 the number of attacks that attempted to exploit a Realtek Jungle SDK RCE (CVE-2021-35394) (CVSS score 9.8) accounted for more than 40% of the total number of attacks.

“Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.” reads the description for this flaw.

As of December 2022, experts observed 134 million exploit attempts in total leveraging this flaw, and about 97% of these attacks occurred after the start of August 2022.

 CVE-2021-35394 Realtek SDK

The experts warned that the attacks conducted by multiple threat actors are still ongoing.

A large number of these attacks attempted to deliver malware to vulnerable IoT devices. Most of the malware samples analyzed by the researchers belong to MiraiGafgyt and Mozi families. Palo Alto Networks also observed a new distributed IoT denial-of-service (DDoS) botnet developed in Golang, tracked as RedGoBot. The RedGoBot botnet was involved in multiple campaigns, the first one observed in early September 2022, when the threat actor tried to deliver a shell script znet.sh downloader from 185.216.71[.]157 utilizing wget.

A second RedGoBot campaign was observed in November 2022, when the threat actor used a shell script with wget and curl to download the following botnet clients from 185.246.221[.]220.

The RedGoBot can perform DDoS attacks on HTTP, ICMP, TCP, UDP, VSE and OpenVPN protocols.

It has been estimated that the flaw CVE-2021-35394 affects almost 190 models of devices from 66 different manufacturers.

The analysis of the attacks in the wild revealed the use of the following three types of payloads:

  • A script executes a shell command on the targeted server (mostly from the Mirai).
  • An injected command directly writes the binary payload to a file and then executes it. 
  • An injected command directly reboots the targeted server to trigger a denial of service condition.

The analysis of the origin of the attacks revealed that the United States is the main source of attacks (48.3% of the total), followed by Vietnam (17.8%) and Russia (14.6%). 

However, we have to consider that the attackers might have used proxy servers and VPNs located in those countries to hide their actual physical locations.

“The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate. These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-35394)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment