Last Month’s Flaw in Arcadyan Routers Is Now Actively Exploited by Hackers

  • Arcadyan modem routers are under siege by DDoS botnet operators such as the ‘Mirai’ gang.
  • The flaw now being weaponized had a ‘proof of concept’ published by researchers last month.
  • The attacks began only two days after the vulnerability and its implications were published.

Last month, the Tenable team reported “CVE-2021-20090”, a critical path traversal vulnerability affecting multiple modem routers made by Arcadyan. The manufacturers had been informed of the details since the flaw's discovery (in January 2021) and had ample time to release firmware updates addressing the problem. Unfortunately, though, there are several EOL modems on the list, and these products will never receive a firmware update. Moreover, as patching delays are always a thing in computing, threat actors realized this was an excellent opportunity to find vulnerable endpoints and attack them.

According to Juniper Threat Labs, the first attacks were spotted in the wild only two days after the proof of concept (PoC) code was published by Tenable researchers in last month’s write-up, which describes how the code injection into the configuration file takes place and how the Telnet service can be enabled while bypassing authentication. Although the flaw had been present in the affected modem routers for over a decade, actors have only now started to exploit it, since they now hold all the technical details needed to weaponize the PoC.

We already warned you about this dire possibility last month, so if you are using a vulnerable modem router that is no longer supported by the vendor, you should replace it immediately. If that is impossible, you should disable the WAN-side administration services on the router and the WAN web interface. If you would like to check the list of indicators of compromise to figure out whether or not you are being targeted, you can find it in Juniper’s report.

As appears to be the case, at least at this particular phase, the exploitation of the vulnerable modems is being carried out by DDoS botnet operators, and more specifically those running Mirai variants. Mirai is a very active and persistent malware family that is frequently updated with new CVEs to expand its targeting scope.

Because these modem router models are typically used in homes and not deployed in corporate environments, it makes more sense to try to make them part of DDoS swarms, as they hold little cyber-espionage or network reconnaissance interest. Also, precisely because these are home devices, their users are very likely to leave them unpatched even when a firmware fix has been available for months.
