Juniper Threat Labs found evidence that a vulnerability that “potentially affects millions of home routers” was being actively exploited by hackers just two days after it was revealed to the public.
Tenable researcher Evan Grant publicly disclosed the vulnerability in question, which has been assigned the identifier CVE-2021-20090, alongside several other security flaws on August 3. Juniper said it “identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China” starting on August 5.
The attacker was reportedly attempting to deploy a variant of the Mirai botnet, which has powered numerous high-profile distributed denial-of-service (DDoS) attacks since July 2016. This doesn’t appear to be the first time the attacker exploited a publicly disclosed vulnerability in their efforts to deploy this botnet—Juniper said it started tracking similar activity on February 18.
The company said it observed the attacker targeting vulnerabilities affecting Cisco HyperFlex, two MicroFocus services, the Tenda AC11 router, and several routers made by D-Link in addition to “a couple more exploits from exploit-db with no related CVEs” between June 6 and July 23. CVE-2021-20090 is “probably not the last one to be added” to the attacker’s toolbox, it said.
So what is CVE-2021-20090? Grant said it’s a vulnerability that allows hackers to bypass the authentication mechanisms of the web interface on wireless routers made by a company called Arcadyan; the CVE record classifies it as a path traversal flaw. Bypassing those mechanisms can allow an unauthenticated attacker to view sensitive files and, most importantly for this particular attacker’s purposes, modify the router’s configuration to suit their own goals.
“This appears to be shared by almost every Arcadyan-manufactured router/modem we could find,” Grant said, “including devices which were originally sold as far back as 2008.” Juniper said it was also found in “other [Internet of Things] devices using the same vulnerable code base.” It’s no wonder someone looking to build a botnet was intrigued by such a widespread vulnerability.
Tenable reported the issue to four vendors—Hughesnet, O2, Verizon, and Vodafone—on April 21 and to Arcadyan itself on April 22. It then “became clear that many more vendors were affected and contacting and tracking them all would become very difficult,” Grant said, so Tenable “reported the issues to the CERT Coordination Center for help with that process” on May 18.
A list of products known to be affected by CVE-2021-20090 can be found in the vulnerability’s note on CERT/CC’s website. The organization said it “recommends updating your router to the latest available firmware version” and advises users to “disable the remote (WAN-side) administration services on any SoHo router and also disable the web interface on the WAN” in response to this flaw.
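The second half of that advice is easy to believe you have applied and hard to be sure of, since the admin interface still answers from the LAN side. The script below is an added example (not code from the article, Tenable, Juniper or CERT/CC) that verifies it from the outside: run from a host off the home network, such as a VPS or a phone on mobile data, it probes the router’s public address on ports that commonly carry remote administration and reports any that still accept a connection. The port list, function names and the two-second timeout are assumptions chosen for illustration, not values from the advisory.

```python
"""
Added example (not from the article, Tenable, Juniper or CERT/CC): check, from
outside the home network, whether a router still answers on ports commonly used
for WAN-side administration. Run it from a VPS or a phone on mobile data against
the router's public IP; any port reported open should then be disabled in the
router's remote-management settings and the scan repeated.
"""
import argparse
import socket
from typing import Dict, Iterable, List

# Assumption: ports typically used for remote administration on SoHo routers
# (HTTP/HTTPS admin UI and common alternates, telnet, SSH, TR-069 CWMP).
# This list is illustrative and not taken from the CVE record or CERT/CC.
DEFAULT_ADMIN_PORTS = (80, 443, 8080, 8443, 23, 22, 7547)


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False


def scan_admin_ports(host: str, ports: Iterable[int] = DEFAULT_ADMIN_PORTS,
                     timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each candidate port; True means something accepted the connection."""
    return {port: port_is_open(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """Ports from a scan that were reachable, i.e. still exposed on the WAN."""
    return sorted(port for port, is_open in results.items() if is_open)


def report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable verdict: either all closed, or the ports to shut."""
    open_ports = exposed_ports(results)
    if not open_ports:
        return f"{host}: no candidate administration ports reachable from the WAN"
    ports = ", ".join(str(p) for p in open_ports)
    return (f"{host}: WARNING, reachable from the WAN on port(s) {ports}; "
            "disable remote administration for these in the router settings")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("host", help="router's public IP address or hostname")
    parser.add_argument("--ports", type=int, nargs="*",
                        default=list(DEFAULT_ADMIN_PORTS))
    parser.add_argument("--timeout", type=float, default=2.0)
    args = parser.parse_args()
    print(report(args.host, scan_admin_ports(args.host, args.ports, args.timeout)))
```

A completed TCP handshake only proves something is listening, not what it is; a port that your ISP or a port-forward rule hands to some other device will also show as open, so treat the list as a set of leads to confirm in the router’s own remote-management and port-forwarding settings. A firmware update does not remove the need for this check, because some vendors re-enable WAN-side management on upgrade.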