Threat actors are actively exploiting a critical authentication bypass issue (CVE-2021-20090) affecting home routers with Arcadyan firmware.

Threat actors actively exploit a critical authentication bypass vulnerability, tracked as CVE-2021-20090, impacting home routers with Arcadyan firmware to deploy a Mirai bot.

“A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.” reads the advisory published by Tenable.
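The advisory describes an authentication bypass through path traversal in the router's web interface. The following is an added, constructed illustration of that bug class (not Arcadyan's, Buffalo's or Juniper's code; the page does not describe the firmware's actual logic): an allowlist of unauthenticated paths checked against the raw request path, beside a hardened version that canonicalises first, plus a check over constructed access-log lines for the mismatch that marks a bypass attempt. The prefixes, `/admin.cgi`, the addresses and the log lines are all made up for the example.

```python
"""Constructed illustration of a path-traversal authentication bypass: an
authorization allowlist applied to the raw request path, beside a hardened
version that canonicalises first, plus a log check for the mismatch.
Not Arcadyan's, Buffalo's or Juniper's code; paths and log lines are made up."""
import posixpath
from urllib.parse import unquote

# Paths the web UI serves without a session (constructed example).
PUBLIC_PREFIXES = ("/images/", "/css/", "/login.html")

def canonicalize(raw_path: str) -> str:
    """Percent-decode twice (to catch double encoding) and collapse '.' and
    '..' segments, giving the path the file handler will actually resolve."""
    decoded = unquote(unquote(raw_path))
    return posixpath.normpath("/" + decoded.lstrip("/"))

def flawed_is_public(raw_path: str) -> bool:
    """Allowlist checked on the raw path: '/images/..%2fadmin.cgi' starts with
    '/images/' here, yet the handler later decodes it and serves /admin.cgi."""
    return raw_path.startswith(PUBLIC_PREFIXES)

def hardened_is_public(raw_path: str) -> bool:
    """Decide on the same canonical path the handler will serve, so the check
    and the file lookup can no longer disagree."""
    return canonicalize(raw_path).startswith(PUBLIC_PREFIXES)

# Constructed access-log lines in common log format (not the page's IoCs).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2021:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200',
    '198.51.100.7 - - [05/Aug/2021:10:01:03 +0000] "GET /images/..%2fadmin.cgi HTTP/1.1" 200',
    '198.51.100.7 - - [05/Aug/2021:10:01:04 +0000] "POST /css/%2e%2e/admin.cgi HTTP/1.1" 200',
    '192.0.2.11 - - [05/Aug/2021:10:01:05 +0000] "GET /admin.cgi HTTP/1.1" 401',
]

def flag_bypass_attempts(log_lines):
    """Return (client, raw_path) for requests that a raw-path allowlist would
    wave through but whose canonical path is outside the public set."""
    hits = []
    for line in log_lines:
        client = line.split(" ", 1)[0]
        raw_path = line.split('"')[1].split(" ")[1]
        if flawed_is_public(raw_path) and not hardened_is_public(raw_path):
            hits.append((client, raw_path))
    return hits
```

Run `flag_bypass_attempts(SAMPLE_LOG)` to see the two encoded traversal requests flagged while the plain image fetch and the rejected direct request are not.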

This flaw potentially affects millions of IoT devices manufactured by at least 17 vendors, including some ISPs.

The ongoing attacks were spotted by researchers from Juniper Threat Labs, who believe they were conducted by a threat actor that has been targeting IoT devices in a campaign running since February.

“As of August 5, we have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March. We had witnessed the same activity starting February 18.” reads the analysis published by Juniper experts. “The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability.”

The ongoing attacks were discovered by Juniper Threat Labs researchers while monitoring the activity of a threat actor known for targeting network and IoT devices since February.

According to the experts, between June 6, 2021, and July 23, the threat actor started exploiting the following vulnerabilities:

  1. CVE-2020-29557 (DLink routers)
  2. CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
  3. CVE-2021-31755 (Tenda AC11)
  4. CVE-2021-22502 (MicroFocus OBR)
  5. CVE-2021-22506 (MicroFocus AM)
  6. a couple more exploits from exploit-db with no related CVEs.

Experts pointed out that attackers continue to add new exploits to their arsenal.

Tenable researchers shared a list of affected devices:

ADSL wireless IAD router
Arcadyan ARV7519
Arcadyan VRV9517 6.00.17 build04
Arcadyan VGV7519 3.01.116
Arcadyan VRV9518 1.01.00 build44
ASUS DSL-AC88U (Arc VRV9517) 1.10.05 build502
ASUS DSL-AC87VG (Arc VRV9510) 1.05.18 build305
ASUS DSL-AC3100 1.10.05 build503
ASUS DSL-AC68VG 5.00.08 build272
Beeline Smart Box Flash 1.00.13_beta4
British Telecom WE410443-SA 1.02.12 build02
Buffalo WSR-2533DHPL2 1.02
Buffalo WSR-2533DHP3 1.24
Buffalo BBR-4HG
Buffalo BBR-4MG 2.08 Release 0002
Buffalo WSR-3200AX4S 1.1
Buffalo WSR-1166DHP2 1.15
Buffalo WXR-5700AX7S 1.11
Deutsche Telekom Speedport Smart 3 010137.
HughesNet HT2000W 0.10.10
KPN ExperiaBox V10A (Arcadyan VRV9517) 5.00.48 build453
KPN VGV7519 3.01.116
O2 HomeBox 6441 1.01.36
Orange LiveBox Fibra (PRV3399)
Skinny Smart Modem (Arcadyan VRV9517) 6.00.16 build01
SparkNZ Smart Modem (Arcadyan VRV9517) 6.00.17 build04
Telecom (Argentina) Arcadyan VRV9518VAC23-A-OS-AM 1.01.00 build44
TelMex PRV33AC
TelMex VRV7006
Telstra Smart Modem Gen 2 (LH1000) 0.13.01r
Telus WiFi Hub (PRV65B444A-S-TS) v3.00.20
Telus NH20A 1.00.10debug build06
Verizon Fios G3100
Vodafone EasyBox 904 4.16
Vodafone EasyBox 903 30.05.714
Vodafone EasyBox 802 20.02.226

The CVE-2021-20090 flaw existed in Arcadyan’s firmware for at least ten years, which means that every vendor that used the firmware in its models automatically inherited the bug.

Researchers also shared indicators of compromise (IoCs) associated with the latest wave of attacks attributed to this threat actor.

Pierluigi Paganini

The post CVE-2021-20090 actively exploited to target millions of IoT devices worldwide appeared first on Security Affairs.
