Posted on August 11, 2021 at 10:58 AM
Hackers are actively exploiting an authentication bypass vulnerability to gain access to home routers and infect them with a Mirai variant that conscripts the devices into a DDoS botnet. The exploitation began only two days after the vulnerability was publicly disclosed.
The vulnerability, tracked as CVE-2021-20090 with a CVSS score of 9.9, is a path traversal flaw in the web interface of routers running Arcadyan firmware. It allows an unauthenticated remote attacker to bypass the authentication process.
The recent exploitation of this bug was discovered by Juniper Threat Labs researchers. According to their research, the attackers' goal was to deliver a variant of the Mirai botnet by exploiting the vulnerability, targeting Internet of Things (IoT) devices.
How the Attack Worked
The report on this vulnerability was published by Tenable on August 3. According to Tenable, the issue had existed for around ten years and affected around 20 models from different vendors, including Vodafone, Verizon, Telus, Telstra, Orange, Deutsche Telekom, Buffalo, British Telecom, Beeline and Asus.
What drew the researchers' attention to the vulnerability was the detection of familiar attack patterns: the Mirai variant the hackers are using to exploit it closely resembles the one seen in another attack uncovered in March.
A separate study by Juniper researchers had also uncovered a similar vulnerability, and the researchers have been closely observing the hackers' actions. Of the analysed cases, the recent bug was the latest to be adopted by the hackers. The CVE-2021-20090 traversal vulnerability can be used to bypass authentication.
Once the bug has been exploited successfully, an attacker can bypass the authentication barrier and gain access to sensitive data, such as valid request tokens, which could then be used to change the router's settings.
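The article describes the flaw only in general terms: a path traversal in the router's web interface lets a request slip past the authentication check. The constructed example below is an added illustration of that class of bug, not the Arcadyan firmware code (which the article does not show). The public prefixes, the protected resource and its token, and the log lines are all made up for the example; the contrast is between an authentication gate that inspects the raw request path and one that decodes and normalises the path first, plus a small detector a defender could run over web-server access logs.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed illustration, not the Arcadyan firmware: a router web UI that
# serves a few static directories without a session and protects the rest.
PUBLIC_PREFIXES = ("/images/", "/css/")
# Constructed protected resource and the secret it would expose.
PROTECTED = {"/admin/settings": "constructed-request-token"}


def fully_decode(raw_path: str) -> str:
    """Percent-decode until stable, so %2e%2e and %252e%252e both become '..'."""
    decoded = raw_path
    while True:
        again = unquote(decoded)
        if again == decoded:
            return decoded
        decoded = again


def canonicalize(raw_path: str) -> str:
    """Resolve '.' and '..' segments the way a file or route layer would."""
    return posixpath.normpath(fully_decode(raw_path))


def is_public_naive(raw_path: str) -> bool:
    """Vulnerable gate: checks the prefix of the raw, un-normalised path."""
    return raw_path.startswith(PUBLIC_PREFIXES)


def is_public_hardened(raw_path: str) -> bool:
    """Hardened gate: decode and normalise first, then check the prefix."""
    return canonicalize(raw_path).startswith(PUBLIC_PREFIXES)


def handle_request(raw_path: str, authenticated: bool, gate) -> tuple:
    """Route like a real server: the resource is looked up by canonical path.

    If the gate judged the raw path public but the canonical path is a
    protected resource, the protected content is served without a session.
    """
    if not (authenticated or gate(raw_path)):
        return ("401", None)
    resource = canonicalize(raw_path)
    return ("200", PROTECTED.get(resource, "static-file"))


# Detection side: flag requests whose decoded path contains a '..' segment.
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def has_traversal_segment(raw_path: str) -> bool:
    return ".." in fully_decode(raw_path).split("/")


def find_traversal_attempts(log_lines):
    """Return (client_ip, raw_path) for each access-log line with traversal."""
    hits = []
    for line in log_lines:
        match = LOG_LINE.match(line)
        if match and has_traversal_segment(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits


# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2021:12:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Aug/2021:12:00:02 +0000] "GET /images/..%2fadmin/settings HTTP/1.1" 200 88',
    '192.0.2.12 - - [10/Aug/2021:12:00:03 +0000] "GET /css/main.css HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    probe = "/images/..%2fadmin/settings"
    print("naive gate   :", handle_request(probe, False, is_public_naive))
    print("hardened gate:", handle_request(probe, False, is_public_hardened))
    print("log hits     :", find_traversal_attempts(SAMPLE_LOG))
```

The naive gate passes the probe because the raw string starts with `/images/`, while the route layer resolves the same string to `/admin/settings` and serves the token; the hardened gate makes its decision on the same canonical form the route layer uses, so the two can no longer disagree. The detector is deliberately simple (a `..` segment after full decoding) and is meant as a starting point for log review, not a complete signature.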
A report by Juniper Threat Labs last week stated that its researchers “identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China.” The strategy of deploying the Mirai variant on the routers mirrored a technique reported by Palo Alto Networks’ Unit 42 in March.
The researchers also noted that “The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability.”
According to the Juniper Labs research, the attack originated in China, as some of the attack patterns were traced to an IP address in Wuhan, Hubei province. Because of the similarity to the March campaign, the researchers concluded that the same threat actor was behind the new attack.
Exploited Several Vulnerabilities
CVE-2021-20090 was not the only vulnerability exploited by these threat actors. They also exploited other vulnerabilities, such as CVE-2020-29557, a pre-authentication remote code execution flaw in D-Link DIR 825 R1 devices, and CVE-2021-1497 and CVE-2021-1498, command injection vulnerabilities in Cisco HyperFlex (HX).
The other vulnerabilities exploited include CVE-2021-31755, a stack buffer overflow in the Tenda AC11 that allows arbitrary code execution, and CVE-2021-22502, a remote code execution flaw in Micro Focus Access Manager.
To reduce the risk of further compromise of routers and user devices, users are advised to update their router firmware to the latest version.
The researchers added that “It is clear that threat actors keep an eye on all disclosed vulnerabilities. Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks.” Hence, regularly updating devices will help reduce exposure to these attacks.
IoT devices are vulnerable to attack largely because they run with default settings. A second factor that increased the exposure of the affected devices is that users fail to install regular updates on them.
Six known and three previously unknown security flaws were exploited in the attacks. The targeted devices include D-Link DNS-320 firewalls, Netis WF2419 wireless routers, Netgear ProSAFE Plus switches and SonicWall SSL-VPNs.
Mirai takes its name from the Japanese word for “future.” The name now covers a whole family of malware with many variants, which makes it hard to detect on any single device. For several years it has been used to target Linux-based networked devices, turning them into remotely controlled bots so that they become part of a larger attack network.