Hackers attack modems and routers with Arcadyan firmware

Routers and modems running Arcadyan firmware (including Asus, Orange, Vodafone and Verizon devices) are being attacked by a hacker trying to make them part of his Mirai-based DDoS botnet.

The attacks were first noticed at the end of last week by specialists from Bad Packets. Soon after, Juniper Labs analysts confirmed the problem, reporting that in this malicious campaign unknown attackers are exploiting the CVE-2021-20090 vulnerability (9.9 points out of 10 on the CVSS scale).

This issue allows an attacker to bypass authentication and enable Telnet on affected routers and modems, which gives the attacker the ability to connect remotely to compromised devices.

"As of 2021-08-05T04:09:44Z, DDoS botnet operators are scanning the internet for Buffalo routers vulnerable to CVE-2021-20091. This vulnerability allows attackers to alter device configuration leading to remote code execution," Bad Packets researchers report.

A vulnerability in the firmware of the Taiwanese firm Arcadyan was found earlier this year by Tenable. They state that the problem has existed in the code for at least 10 years and is now found in the firmware of at least 20 models of routers and modems sold by 17 different manufacturers who base their products on old white-label Arcadyan devices.

As a result, devices of the largest suppliers and Internet providers, including Asus, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, British Telecom, and so on, were exposed to the vulnerability. The total number of devices vulnerable to attacks is likely to be in the millions, experts warn.

The vulnerability, which was discovered in April, received a patch in the same month and until recently had not been attacked. The cybercriminals noticed the problem only after Tenable's information security specialist published a detailed technical description of it, as well as a PoC exploit. According to Bad Packets, this exploit is now being used in attacks that originate from IP addresses located in Wuhan, China.

Researchers believe that the hacker behind the attacks was already discovered by Palo Alto Networks in the spring of 2021. Back then, his botnet was targeting IoT devices and security devices.

Let me remind you that we wrote that Mirai Botnet Comes with new 11 Exploits to Attack Enterprise Devices.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
