Radware has new perspectives on the Realtek SDK vulnerability exploitation attempts (CVE-2021-35395).
In addition to Palo Alto Networks, Juniper and Sam, Radware researchers have been closely monitoring the evolution of the Realtek SDK vulnerabilities and how a variant of the Mirai botnet is weaponising them to compromise IoT devices.
Radware named this Mirai variant ‘Dark.IoT’, because its malware file names all begin with ‘Dark’ and its hostnames mock IoT (‘lmaoiot.xyz’). This long-running campaign, first reported in February 2021, provides 13 different DDoS attack vectors and leverages over a dozen different exploits to propagate.
“Over the last six months, the operators behind Dark.IoT have attempted to leverage more than a dozen exploits, including the more recently disclosed Realtek SDK vulnerability,” said Daniel Smith, head of research at Radware.
“The operators behind this campaign are dedicated to finding and leveraging new exploits and capturing more vulnerable devices that can be used to launch more significant DDoS attacks. It is expected that the operators behind Dark.IoT will continue this pattern of rapidly leveraging recently disclosed vulnerabilities for the remainder of 2021.”
While many reports are covering the vulnerabilities and the list of exploits, Radware researchers can offer a deeper look at:
# The profiles and behaviour patterns of the operators behind them.
# The goals of these exploits: to create DDoS attacks for profit.
# How bad actors are weaponising security vulnerabilities announced by security researchers. (Dark.IoT is yet another campaign recently capitalising on disclosed exploits.)
# The race between attackers to exploit the vulnerability first. These attackers are not necessarily skilled; they are not doing their own research; they are simply leveraging the security community.
Radware’s full Dark.IoT report is here: https://www.radware.com/security/threat-advisories-and-attack-reports/dark-iot-botnet