Unidentified threat actors are actively exploiting a critical authentication bypass vulnerability to hijack home routers as part of an effort to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.
Tracked as CVE-2021-20090 (CVSS score: 9.9), the weakness concerns a path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication.
Disclosed by Tenable on August 3, the issue is believed to have existed for at least 10 years, affecting at least 20 models across 17 different vendors, including Asus, Beeline, British Telecom, Buffalo, Deutsche Telekom, Orange, Telstra, Telus, Verizon, and Vodafone.
Successful exploitation of the vulnerability could enable an attacker to circumvent authentication barriers and potentially gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.
Juniper Threat Labs last week said it "identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China" starting on August 5, with the attacker leveraging it to deploy a Mirai variant on the affected routers, mirroring similar techniques revealed by Palo Alto Networks' Unit 42 earlier this March.
"The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability," the researchers said.
Besides CVE-2021–20090, the threat actor is also said to have carried out attacks leveraging a number of other vulnerabilities, such as -
- CVE-2020-29557 (Pre-authentication remote code execution in D-Link DIR-825 R1 devices)
- CVE-2021-1497 and CVE-2021-1498 (Command injection vulnerabilities in Cisco HyperFlex HX)
- CVE-2021-31755 (Stack buffer overflow vulnerability in Tenda AC11 leading to arbitrary code execution)
- CVE-2021-22502 (Remote code execution flaw in Micro Focus Operation Bridge Reporter)
- CVE-2021-22506 (Information Leakage vulnerability in Micro Focus Access Manager)
Unit 42's report had previously uncovered as many as six known and three unknown security flaws that were exploited in the attacks, counting those targeted at SonicWall SSL-VPNs, D-Link DNS-320 firewalls, Netis WF2419 wireless routers, and Netgear ProSAFE Plus switches.
To avoid any potential compromise, users are recommended to update their router firmware to the latest version.
"It is clear that threat actors keep an eye on all disclosed vulnerabilities. Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks," the researchers said.