• Botnets

Realtek SDK Exploits on the Rise from Egypt

Honeypot Research

honeypot

by ASERT Team

on

Executive Summary 

ASERT’s IoT honeypot network continuously monitors known exploit vectors and we recently detected a spike in exploit attempts targeting the Realtek SDK miniigd SOAP vulnerability in consumer-based routers from the end of aprile 2019 until the first half of maggio 2019. The attacks originated from Egypt and, based on the volume of exploit attempts against South African routers, appears targeted. The payload includes commands to download and execute a variant of the Hakai DDoS bot.

Key Findings 

  • A 5.043% increase in exploit attempts (Figure 1), sourced from Egypt between 22 aprile 2019 - 10 maggio 2019, appeared to primarily target consumer-based routers in South Africa.
  • The exploitation attempts focus on IoT devices vulnerable to a remote command execution exploit in the Realtek SDK miniigd SOAP service (CVE-2014-8361).
  • The payload delivered to compromised devices is a variant of the Hakai DDoS bot, which can be used to conduct HTTP, TCP, UDP based DDoS attacks.

Details 

IoT malware authors use exploits to aid in its ability to propagate to as many devices as possible. Exploits leveraged within IoT malware range from newly discovered to several years old, as discussed in Fast & Furious IoT Botnets: Regifting Exploits. To track exploits attempts, our IoT honeypots monitor for connections attempting to exploit known vulnerabilities within IoT devices.

By monitoring the number of unique sources observed from our honeypots, we can approximate the number of locations and devices likely infected with IoT malware. Data collected between April 1st through 10 maggio 2019, indicates a significant increase (Figure 1) in exploit attempts for the Realtek SDK miniigd SOAP vulnerability. Drilling further into the sources of the exploit attempts, 86,2% of the attack traffic originated from Egypt.

Number of Exploit Attempts by Unique Source
Figure 1: Number of Exploit Attempts by Unique Source

 

The majority of the exploit activity was logged by our South African honeypot (Figure 2).

Attacks Per Honeypot
Figure 2: Attacks Per Honeypot

 

IoT devices using the Realtek SDK miniigd SOAP service are vulnerable (CVE-2014-8361) to remote command execution attacks. If compromised, attackers can download and execute malicious code on the devices. Figure 3 shows a sample of an exploit attempt captured by our honeypot network. The reason we see the delivery of the “mips” binary is due to the architecture the exploit is targeting.

Exploit Sample
Figure 3: Exploit Sample

 

The C2 delivering the malicious payload also contained an installer script (Figure 4) which is commonly used by several IoT based malware families. Within the download script we find support for several other architectures used by IoT devices. The installer script can be combined with other exploits as described in Fast & Furious IoT Botnets: Regifting Exploits to exploit vulnerable IoT devices.

Malicious Installer Script
Figure 4: Malicious Installer Script

 

After reverse engineering the “mips” binary captured by our honeypot, we believe it is a variant of the Hakai IoT DDoS bot compiled for the MIPS architecture and capable of communication with an attacker controlled C2 (Figure 5).

Hakai C2 Server Function
Figure 5: Hakai C2 Server Function

 

Hakai is an IoT DDoS bot that has been around since 2018 and is based off the Gafgyt family of IoT malware. Hakai uses several command injection vulnerabilities and supports the following DDoS capabilities: HTTP flooding, TCP flooding, UDP flooding.  The Hakai variants hosted on the C2 includes a new vseattack function, which performs a Valve Source Engine (VSE) query-flooding attack similar the one found in Mirai.

Conclusion 

Based on our research we continue to see a significant rise in the number of exploit attempts targeting IoT devices around the world. Typically, new IoT devices introduced onto the internet will, on average, see exploitation attempts of this nature within twenty-four hours of going online. We believe activity like this is a coordinated effort to recruit more bots. Though we do not know the motivations behind the surge in activity or the interest in South Africa, we believe this is only the preliminary phase as the actors behind the exploitation attempts seek to expand their botnet. ASERT will continue to monitor this activity and the broader landscape for malicious activity targeting IoT devices. In the meantime, we recommend patching known vulnerable devices to mitigate the threat.

Indicators of Compromise:

Hakai C2

188.166.116[.]249

SHA256 hash:

Architecture

ddddc968589302875ffd64839d284575e5b2e08cd6202c4b373711457301688f

MIPS

2d705d145c88c1483399b073f3b8ce5187001c5917e91f59e05e4d599b8dec98

ARMV4l

907cd742fd15bccfdf961345cdb64772b41e94ecd4c5415050f15c66e7fe2595

ARMV7l

dfdb85756c9f7d2c4272f06b862e63db1be31f1e32f09428e201d44c9e2669c7

I586

0024f5aed8e21f8b9532412c2ed3a16645d3166d714c56ad0894ae57b82cb7ff

X86

Subscribe

Sign up now to receive the latest notifications and updates from NETSCOUT's ASERT.