Realtek SDK Exploits Increasing [CVE-2014-8361]

Netscout has seen an increase in attempts to exploit the Realtek SDK miniigd SOAP vulnerability (CVE-2014-8361) present in some consumer routers. The increase was observed in ASERT's IoT honeypot network from the end of April through the first half of May 2019. Netscout indicated that it believed the attacks originated from Egypt and targeted routers located in South Africa. If the exploit succeeds against the device, the router ends up as a member of the Hakai DDoS botnet.

The Hakai botnet is believed to have been active since 2018. Hakai is part of the Gafgyt family of IoT malware and uses a number of command injection vulnerabilities against its targets. The botnet is capable of delivering HTTP, TCP, and UDP flooding attacks. The Hakai variant in this campaign also included vseattack functionality, a Valve Source Engine (VSE) query-flooding attack similar to the one found in Mirai.

Indicators of Compromise

IP

  • 88.166.116.249

Duncan Newell

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.
