Palo Alto Networks researchers reported that between August and October 2022 the number of attacks that attempted to exploit a Realtek Jungle SDK RCE (CVE-2021-35394) (CVSS score 9.8) accounted for more than 40% of the total number of attacks.
“Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.” reads the description for this flaw.
As of December 2022, experts observed 134 million exploit attempts in total leveraging this flaw, and about 97% of these attacks occurred after the start of August 2022.
The experts warned that the attacks conducted by multiple threat actors are still ongoing.
A large number of these attacks attempted to deliver malware to vulnerable IoT devices. Most of the malware samples analyzed by the researchers belong to Mirai, Gafgyt and Mozi families.
Palo Alto Networks also observed a new distributed IoT denial-of-service (DDoS) botnet developed in Golang, tracked as RedGoBot. The RedGoBot botnet was involved in multiple campaigns, the first one observed in early September 2022, when the threat actor tried to deliver a shell script znet.sh downloader from 185.216.71[.]157 utilizing wget.