Threat actors are exploiting a critical vulnerability (rated 9.9/10) in the Arcadyan firmware used in home routers to deliver Mirai botnet payloads.
The Mirai botnet turns compromised Linux-based networked devices into remotely controlled bots that the threat actor can later use as part of a botnet in large-scale network attacks.
The vulnerability, tracked as CVE-2021-20090, can allow unauthenticated attackers to bypass authentication on the routers' web interfaces.
Researchers at Juniper Labs have been tracking the threat actor, who has been launching a series of attacks against network and IoT devices since February.
The devices found vulnerable to the bug are produced by a range of ISPs and manufacturers, including Asus, British Telecom, Deutsche Telekom, Orange, O2 (Telefonica), Verizon, Vodafone, Telstra, and Telus.
Given the number of devices affected by the bug, the total number of compromised routers is believed to be in the millions.
The flaw in the Arcadyan firmware was discovered by security firm Tenable, which detailed it in a security advisory on April 26.
“This vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors, and that is touched on in a whitepaper Tenable has released,” explained Evan Grant, Tenable Staff Research Engineer, on Tuesday.
Since then, the security firm has detected several attack patterns designed to exploit the vulnerability in the wild. The attacks were launched from an IP address in Wuhan, China.
The attackers behind this operation deploy a variant of the Mirai botnet similar to the one discovered by Unit 42 in March.
The researchers first spotted the threat actor's activity on February 18. Since then, the actor has continuously added new threats and exploits to their toolset and will likely continue to do so, the researchers warned.