November 13, 2020
Last month, the Tenable team reported CVE-2021-20090, a critical path traversal vulnerability affecting multiple modem routers made by Arcadyan. The manufacturers had been informed of the details since the flaw's discovery in January 2021 and had ample time to release firmware updates addressing the problem. Unfortunately, though, several of the listed modems are end-of-life (EOL), so those products will never receive a firmware update. Moreover, since patching delays are a constant in computing, threat actors recognized an excellent opportunity to find vulnerable endpoints and attack them.
According to Juniper Threat Labs, the first attacks were spotted in the wild only two days after Tenable researchers published proof-of-concept (PoC) code in last month's write-up, which described how the code injection into the configuration file takes place and how to enable the Telnet service while bypassing authentication. Although the flaw had been present in the affected modem routers for over a decade, actors have only now started to exploit it, now that they hold all the technical details needed to weaponize the PoC.
We already warned you about this dire possibility last month, so if you are using a vulnerable modem router that is no longer supported by the vendor, you should replace it immediately. If that is impossible, you should disable the WAN-side administration services and the WAN web interface on the router. If you would like to check the list of indicators of compromise to determine whether or not you are being targeted, you can find it in Juniper's report.
At least at this particular stage, the exploitation of the vulnerable modems appears to come from DDoS botnet operators, and more specifically those running Mirai variants. Mirai is a very active and persistent malware family that is frequently updated with new CVEs to expand its targeting scope.
Because these modem router models are typically used in homes rather than deployed in corporate environments, it makes more sense to turn them into part of DDoS swarms, as they hold little cyber-espionage or network reconnaissance value. Also, precisely because these are home devices, their users are very likely to leave them unpatched even when a fixed firmware update has been available for months.