CVE-2021-20090 actively exploited to target millions of IoT devices worldwide

Threat actors are actively exploiting a critical authentication bypass issue (CVE-2021-20090) affecting home routers with Arcadyan firmware.

Threat actors are actively exploiting a critical authentication bypass vulnerability, tracked as CVE-2021-20090, in home routers running Arcadyan firmware, using it to deploy a Mirai bot on the compromised devices.

“A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication,” reads the advisory published by Tenable.

This flaw potentially affects millions of IoT devices from at least 17 vendors, including several ISPs that ship Arcadyan-based customer-premises equipment under their own brand.
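The advisory describes the bug class but not the mechanism, so the following is an added illustration, not Arcadyan's firmware, Tenable's proof of concept or anything from the Juniper report. It models the usual shape of a "path traversal leads to authentication bypass" bug in an embedded web server: a few static directories are exempt from the session check, the exemption is evaluated on the raw request path, and ".." segments are only collapsed later when the handler is dispatched. The directory names (/images/, /js/, /css/), the privileged handler names (apply.cgi, admin.cgi) and the access-log lines are assumptions constructed for the demo. The block pairs the vulnerable check with a hardened one that canonicalises before deciding, and adds a small detector that goes beyond the page by also catching single- and double-URL-encoded traversal in log lines.

```python
"""
Added example (not the vendor's code): why checking an auth exemption on the
raw path, and resolving '..' afterwards, lets an unauthenticated request reach
a privileged CGI handler. All names below are assumptions for the demo.
"""
import posixpath
from urllib.parse import unquote

# Assumed static prefixes served without a session cookie.
UNAUTH_PREFIXES = ("/images/", "/js/", "/css/")

# Assumed privileged handlers that must never be reachable unauthenticated.
PRIVILEGED = {"/apply.cgi", "/admin.cgi"}


def resolve(raw_path: str) -> str:
    """What the dispatcher actually sees: query stripped, percent-decoded
    (twice, to cover %252e%252e) and '..' segments collapsed."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    # lstrip avoids '//x', which posixpath.normpath deliberately preserves.
    return posixpath.normpath("/" + path.lstrip("/"))


def vulnerable_requires_auth(raw_path: str) -> bool:
    """Prefix check on the raw path: '/images/../apply.cgi' looks static."""
    return not raw_path.startswith(UNAUTH_PREFIXES)


def hardened_requires_auth(raw_path: str) -> bool:
    """Canonicalise first, then check the prefix on the resolved path.
    Anything that escapes the static tree, or resolves to a privileged
    handler, needs a session."""
    canonical = resolve(raw_path)
    if canonical in PRIVILEGED:
        return True
    return not canonical.startswith(UNAUTH_PREFIXES)


def serve(raw_path: str, requires_auth, authenticated: bool) -> str:
    """Model the pipeline: auth decision first, dispatch on the resolved
    path second. Returns a status string instead of a real response."""
    if requires_auth(raw_path) and not authenticated:
        return "401 Unauthorized"
    target = resolve(raw_path)
    if target in PRIVILEGED:
        return f"200 executed {target}"
    return f"200 static {target}"


# ---- detection over access-log request lines -------------------------------
TRAVERSAL_MARKERS = ("..", "%2e%2e", "%2E%2E", "%252e", "%252E")


def is_traversal_attempt(request_line: str) -> bool:
    """True when a request targets an exempt prefix but carries a traversal
    marker in any encoding, or resolves outside that prefix."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    raw = parts[1]
    if not raw.startswith(UNAUTH_PREFIXES):
        return False
    if any(marker in raw for marker in TRAVERSAL_MARKERS):
        return True
    return not resolve(raw).startswith(UNAUTH_PREFIXES)


def scan_log(lines):
    """Return the request lines that look like exploitation attempts."""
    return [line for line in lines if is_traversal_attempt(line)]


# Constructed sample access-log lines; these are not IoCs from the campaign.
SAMPLE_LOG = [
    "GET /images/logo.png HTTP/1.1",
    "GET /images/..%2fapply.cgi HTTP/1.1",
    "POST /images/%2e%2e/admin.cgi HTTP/1.1",
    "GET /css/style.css HTTP/1.1",
    "GET /apply.cgi HTTP/1.1",
]

if __name__ == "__main__":
    attack = "/images/..%2fapply.cgi"
    print("vulnerable:", serve(attack, vulnerable_requires_auth, False))
    print("hardened:  ", serve(attack, hardened_requires_auth, False))
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

The fix is the ordering, not the prefix list: any allow-list evaluated on a path that has not yet been decoded and normalised can be bypassed by whatever the later stage will collapse. The detector keys on the same mismatch, which is also why it flags the double-encoded variant even though a single decode would leave it looking harmless.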

The ongoing attacks were spotted by researchers at Juniper Threat Labs, who attribute them to a threat actor that has been targeting network and IoT devices in a campaign running since February.

“As of August 5, we have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March. We had witnessed the same activity starting February 18,” reads the analysis published by Juniper experts. “The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability.”


According to the experts, between June 6 and July 23, 2021, the same threat actor began exploiting the following vulnerabilities:

- CVE-2020-29557 (D-Link routers)
- CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
- CVE-2021-31755 (Tenda AC11)
- CVE-2021-22502 (Micro Focus OBR)
- CVE-2021-22506 (Micro Focus AM)
- a couple more exploits from Exploit-DB with no associated CVEs

Experts pointed out that the attackers continue to add new exploits to their arsenal.

Tenable researchers shared a list of affected devices:

| Vendor | Model | Firmware version |
|---|---|---|
| (not listed) | ADSL wireless IAD router | 1.26S-R-3P |
| Arcadyan | ARV7519 | 00.96.00.96.617ES |
| Arcadyan | VRV9517 | 6.00.17 build04 |
| Arcadyan | VGV7519 | 3.01.116 |
| Arcadyan | VRV9518 | 1.01.00 build44 |
| ASMAX | BBR-4MG / SMC7908 ADSL | 0.08 |
| ASUS | DSL-AC88U (Arc VRV9517) | 1.10.05 build502 |
| ASUS | DSL-AC87VG (Arc VRV9510) | 1.05.18 build305 |
| ASUS | DSL-AC3100 | 1.10.05 build503 |
| ASUS | DSL-AC68VG | 5.00.08 build272 |
| Beeline | Smart Box Flash | 1.00.13_beta4 |
| British Telecom | WE410443-SA | 1.02.12 build02 |
| Buffalo | WSR-2533DHPL2 | 1.02 |
| Buffalo | WSR-2533DHP3 | 1.24 |
| Buffalo | BBR-4HG | |
| Buffalo | BBR-4MG | 2.08 Release 0002 |
| Buffalo | WSR-3200AX4S | 1.1 |
| Buffalo | WSR-1166DHP2 | 1.15 |
| Buffalo | WXR-5700AX7S | 1.11 |
| Deutsche Telekom | Speedport Smart 3 | 010137.4.8.001.0 |
| HughesNet | HT2000W | 0.10.10 |
| KPN | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453 |
| KPN | VGV7519 | 3.01.116 |
| O2 | HomeBox 6441 | 1.01.36 |
| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |
| Skinny | Smart Modem (Arcadyan VRV9517) | 6.00.16 build01 |
| SparkNZ | Smart Modem (Arcadyan VRV9517) | 6.00.17 build04 |
| Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM | 1.01.00 build44 |
| TelMex | PRV33AC | 1.31.005.0012 |
| TelMex | VRV7006 | |
| Telstra | Smart Modem Gen 2 (LH1000) | 0.13.01r |
| Telus | WiFi Hub (PRV65B444A-S-TS) | v3.00.20 |
| Telus | NH20A | 1.00.10debug build06 |
| Verizon | Fios G3100 | 1.5.0.10 |
| Vodafone | EasyBox 904 | 4.16 |
| Vodafone | EasyBox 903 | 30.05.714 |
| Vodafone | EasyBox 802 | 20.02.226 |

The CVE-2021-20090 flaw has existed in Arcadyan's firmware for at least ten years, which means that every vendor that built its models on that code base automatically inherited the bug.

Juniper researchers also shared indicators of compromise (IoCs) associated with the latest wave of attacks attributed to this threat actor.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-20090)

The post CVE-2021-20090 actively exploited to target millions of IoT devices worldwide appeared first on Security Affairs.