Attacks Targeting Realtek SDK Vulnerability Ramping Up

Home/Compromised, Data Breach, Evilproxy, Exploitation, Internet Security, IOC's, malicious cyber actors, Malicious extension, Malware/Attacks Targeting Realtek SDK Vulnerability Ramping Up

Attacks Targeting Realtek SDK Vulnerability Ramping Up

Palo Alto Networks warns of an increase in cyberattacks targeting CVE-2021-35394, a remote code execution (RCE) vulnerability in the Realtek Jungle SDK.

The first in-the-wild attacks targeting CVE-2021-35394 were observed days after details of the bug were made public, with an estimated one million devices exposed to attacks at the time.

“As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing,” Palo Alto Networks says.

Realtek SDK Attack Details

  • Type 1: A script that runs a shell command on the targeted server, connects to a malicious IP address, and downloads malware. The Mirai malware family was responsible for the majority of type 1 threats. 
  • Type 2: An injected command that writes a binary payload to a file and executes it. 
  • Type 3: Another injected command that can directly reboot the targeted server, resulting in a (DoS). 

Moreover, 95% of the attacks targeting the vulnerability and originating from Russia were launched against Australian organizations.

IOCS

IP addresses:

  • 199[.]195[.]251[.]190
  • 172[.]81[.]41[.]196
  • 103[.]149[.]137[.]124
  • 103[.]149[.]137[.]138
  • 46[.]249[.]32[.]181
  • 69[.]67[.]150[.]36
  • 103[.]149[.]137[.]192
  • 45[.]125[.]236[.]14
  • 173[.]247[.]227[.]66
  • 173[.]247[.]227[.]70
  • 185[.]122[.]204[.]30
  • 45[.]95[.]55[.]188
  • 2[.]58[.]113[.]79
  • 45[.]95[.]55[.]24
  • 45[.]95[.]55[.]218
  • 45[.]95[.]55[.]189
  • 193[.]142[.]146[.]35
  • 37[.]139[.]129[.]11
  • 78[.]135[.]85[.]70
  • 45[.]137[.]21[.]166
  • 195[.]178[.]120[.]183
  • 195[.]133[.]81[.]29
  • 5[.]253[.]246[.]67
  • 45[.]61[.]184[.]133
  • 45[.]61[.]184[.]118
  • 149[.]5[.]173[.]33
  • 163[.]123[.]143[.]226
  • 45[.]61[.]188[.]148
  • 103[.]207[.]38[.]165
  • 45[.]13[.]227[.]115
  • 176[.]97[.]210[.]147
  • 163[.]123[.]143[.]200
  • 185[.]44[.]81[.]62
  • 38[.]22[.]109[.]7
  • 147[.]182[.]132[.]144
  • 205[.]185[.]126[.]88
  • 209[.]141[.]51[.]43
  • 198[.]98[.]52[.]213
  • 45[.]95[.]55[.]185
  • 20[.]249[.]89[.]181
  • 3[.]235[.]28[.]168

Callback URLs:

  • hxxp://185.205.12[.]157/trc/TRC[.]mpsl
  • hxxp://172.81.41[.]196/trc/TRC[.]mpsl
  • hxxp://135.148.104[.]21/mipsel
  • hxxp://199.195.251[.]190/trc/TRC[.]mpsl
  • hxxp://37.44.238[.]178/d/xd[.]mpsl
  • hxxp://176.97.210[.]135/assailant[.]mpsl
  • hxxp://198.98.56[.]129/trc/TRC[.]mpsl
  • hxxp://141.98.6[.]249/billy[.]sh
  • hxxp://185.216.71[.]157/Bins_Bot_hicore_mipsle

Recommendation:

Users are advised to apply security updates as soon as possible due to the flaw’s seriousness, as threat actors actively target QNAP vulnerabilities. The company fixed the vulnerability in the following operating system versions: 

  • QTS 5.0.1.2234 build 20221201 and later 
  • QuTS hero h5.0.1.2248 build 20221215 and later 

Follow Us on: Twitter, InstagramFacebook to get the latest security news!

Post Views: 338
By | 2023-02-03T17:55:06+05:30 January 31st, 2023|Compromised, Data Breach, Evilproxy, Exploitation, Internet Security, IOC's, malicious cyber actors, Malicious extension, Malware|

About the Author:

FirstHackersNews- Identifies Security

Related Posts

Leave A Comment

Subscribe to our newsletter to receive security tips everday!