
Realtek flaw accounted for 40% of attempts between August and December


Attempts to exploit a remote code execution vulnerability accounted for more than 40% of the total number of attacks between August and October 2022, researchers said in a Jan. 24 blog.

What’s more, attempts to exploit the Realtek Jungle SDK vulnerability, CVE-2021-35394, were observed by Palo Alto’s Unit 42 researchers an eye-popping 134 million times as of December 2022, and the attempts are still ongoing.

Nearly 190 devices from 66 manufacturers are affected by the RCE flaw, first disclosed on Aug. 16, 2021, and many of the attacks targeted vulnerable IoT devices. The researchers said they believed there are so many attacks trying to exploit the flaw because “supply chain issues can make it difficult for the average user to identify the affected products.”

“The supply chain vulnerabilities in these products directly contribute to expanding the attack surface of these networks,” the researchers wrote.

Bud Broomhead, CEO at Viakoo, said that, with 40% of total attacks exploiting IoT devices, he found it “astonishing that organizations would not consider IoT/OT devices as part of their security posture.”

“IoT devices clearly have become a principal focus for threat actors, and with good reason,” Broomhead told SC Media. “These devices are often managed outside of IT, are difficult to patch, and have all the necessary ingredients (compute, network, and storage) to make them ideal for planting and distributing malware.”

Mike Parkin, a senior technical engineer at Vulcan Cyber, said the number of attempts to exploit CVE-2021-35394 “implies that [attackers] are finding success with it, in spite of it being well over a year old.”

The attempts are targeting devices with three types of malware payloads: a script that executes a shell command; an injected command that directly writes a binary payload; and an injected command that directly reboots the targeted server for a denial of service. Most of the malware Unit 42 researchers observed came from malware families like Mirai, Gafgyt and Mozi. 

Nearly half of the exploit attempts, 48.3%, originated in the U.S., followed by Vietnam (17.8%), Russia (14.6%), the Netherlands (7.4%), France (6.4%), Germany (2.3%), Luxembourg (1.6%), and other countries (1.5%).

Broomhead expected the CVE to be a threat for a long time because of how many IoT devices exist in the supply chain before they are deployed. He suggested organizations update to the latest and most secure firmware versions before deploying new devices.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
