Realtek CVE-2021-35394 exploitation surged in 2022, with tens of millions of attempts targeting the Realtek Jungle SDK remote code execution vulnerability and a significant shift toward delivering IoT malware. The campaign affected hundreds of device models across multiple vendors, and the observed payloads belong to the Mirai, Gafgyt, Mozi, and RedGoBot families; defense guidance emphasizes patching, device integrity checks, and IoT security tooling. #RealtekCVE35394 #RedGoBot
Keypoints
- Between August and October 2022, CVE-2021-35394 exploitation accounted for more than 40% of total attacks observed by Unit 42, with 134 million exploit attempts by December 2022 and 97% occurring after August 2022.
- The vulnerability affects almost 190 device models from 66 manufacturers, illustrating a broad supply-chain exposure that can be hard to identify in deployed environments.
- Attack payloads include the well-known Mirai, Gafgyt, and Mozi families and a new Golang-based DDoS botnet named RedGoBot, which downloads binaries for multiple architectures via shell scripts.
- RedGoBot’s C2 commands enable remote OS command execution and DDoS actions across HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols; several payloads are delivered from multiple hosting sites.
- Attack origins span 30+ regions, with the United States contributing nearly half of observed traffic; proxies and VPNs likely mask true locations.
- Protection guidance includes applying vendor updates, performing factory resets if affected, and leveraging security solutions (WildFire, URL Filtering, DNS Security, and IoT security platforms) to block C2 domains and malware hosting URLs.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Remote unauthenticated attackers could leverage this vulnerability to achieve arbitrary command execution. Quote: ‘Remote unauthenticated attackers could leverage this vulnerability to achieve arbitrary command execution, leading to devices being taken over.’
- [T1059.004] Unix Shell – A script executes a shell command on the targeted server and downloads and executes malware. Quote: ‘A script executes a shell command on the targeted server. This script actively connects to a malicious IP address, and automatically downloads and executes malware.’
- [T1105] Ingress Tool Transfer – The shell script downloads and executes malware payloads from remote servers. Quote: ‘The script downloads the following files: …BINS_Bot_hicore_amd64 …’
- [T1071.001] Web Protocols – C2 domain and malware hosting URLs are used for command-and-control communications. Quote: ‘Our products can block the C2 domain and malware hosting URLs.’
- [T1583] Acquire Infrastructure – Attackers hosted malware on multiple sites to distribute payloads and enable campaigns. Quote: ‘When launching a campaign, attackers could host the malware on multiple sites.’
- [T1499] Denial of Service – Injected command reboots the targeted server to achieve denial of service. Quote: ‘An injected command directly reboots the targeted server to achieve denial of service.’
Indicators of Compromise
- [IP] Malicious IPs – 199.195.251.190, 172.81.41.196
- [URL] Callback URLs – hxxp://185.205.12[.]157/trc/TRC[.]mpsl, hxxp://172[.]81[.]41[.]196/trc/TRC[.]mpsl
- [Hash] Malware hashes – 26e96945ee32199536d4c85124a24c28e853b557eb31f3907d19f08b9798dff4, bc03af5c06a7ff6774688e8d71f6d06e0d402f4f86d5b23969bc53d5eab3e522
- [Family] Malware families – Mirai, Gafgyt, Mozi, and RedGoBot
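As an added defender-side example (not code from the Unit 42 report), the script below refangs the indicators listed on this page and matches them against a few constructed log lines, with boundary checks so a near-miss IP prefix or a partial hash does not fire.

```python
import re

# Indicators exactly as listed on this page (defanged), grouped by type.
PAGE_IOCS = {
    "ip": ["199.195.251.190", "172.81.41.196"],
    "url": [
        "hxxp://185.205.12[.]157/trc/TRC[.]mpsl",
        "hxxp://172[.]81[.]41[.]196/trc/TRC[.]mpsl",
    ],
    "sha256": [
        "26e96945ee32199536d4c85124a24c28e853b557eb31f3907d19f08b9798dff4",
        "bc03af5c06a7ff6774688e8d71f6d06e0d402f4f86d5b23969bc53d5eab3e522",
    ],
}

def refang(value):
    """Undo report-style defanging (hxxp, [.]) so the indicator matches real logs."""
    return re.sub(r"^hxxp", "http", value).replace("[.]", ".")

def compile_matchers(iocs):
    """Case-insensitive patterns; IPs and hashes get boundaries so a prefix does not match."""
    matchers = []
    for kind, values in iocs.items():
        for raw in values:
            ind = refang(raw)
            if kind == "ip":
                pat = r"(?<![\d.])" + re.escape(ind) + r"(?![\d.])"
            elif kind == "sha256":
                pat = r"(?<![0-9a-f])" + re.escape(ind) + r"(?![0-9a-f])"
            else:
                pat = re.escape(ind)
            matchers.append((kind, ind, re.compile(pat, re.IGNORECASE)))
    return matchers

def scan_log(lines, matchers):
    """Return (line_no, kind, indicator) for every indicator hit, in matcher order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, ind, pat in matchers:
            if pat.search(line):
                hits.append((n, kind, ind))
    return hits

# Constructed sample log lines (not from the report): line 1 hits the IP and
# the URL, line 3 the hash, line 4 nothing (near-miss IP prefix).
SAMPLE_LOG = [
    "2022-09-14T10:02:11Z proxy GET http://172.81.41.196/trc/TRC.mpsl 200",
    "2022-09-14T10:02:13Z dns query example.com NOERROR",
    "2022-09-14T10:02:15Z edr sha256=26e96945ee32199536d4c85124a24c28e853b557eb31f3907d19f08b9798dff4 path=/tmp/TRC.mpsl",
    "2022-09-14T10:02:20Z fw dst=199.195.251.19 dpt=443 action=allow",
]
```

Run `scan_log(SAMPLE_LOG, compile_matchers(PAGE_IOCS))` to get the hit list; a line carrying the callback URL reports both the URL and its embedded IP.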
Read more: https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/#post-126726-_f37quwequ6r