router|money laundering

Routers and modems running Arcadyan firmware are under attack

Routers and modems running a version of the Arcadyan firmware, including devices from ASUS, Orange, Vodafone, and Verizon, are currently under attack from a threat actor attempting to ensnare the devices into their DDoS botnet.

First spotted by security firm Bad Packets earlier this week and confirmed by Juniper Labs on Friday, the attacks are exploiting a vulnerability tracked as CVE-2021-20090.

Discovered by Tenable security researcher Evan Grant earlier this year, the vulnerability resides in the firmware code produced by Taiwanese tech firm Arcadyan.

Grant says the vulnerability has existed in the code for at least ten years and has made its way into the firmware of at least 20 router and modem models sold by 17 different vendors, which based their products on a white-label version of old Arcadyan devices.

The list of affected devices includes some of today's biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, British Telecom, and many others.

VendorDeviceFound on version
ADBADSL wireless IAD router1.26S-R-3P
ArcadyanVRV95176.00.17 build04
ArcadyanVRV95181.01.00 build44
ASUSDSL-AC88U (Arc VRV9517)1.10.05 build502
ASUSDSL-AC87VG (Arc VRV9510)1.05.18 build305
ASUSDSL-AC31001.10.05 build503
ASUSDSL-AC68VG5.00.08 build272
BeelineSmart Box Flash1.00.13_beta4
British TelecomWE410443-SA1.02.12 build02
BuffaloBBR-4MG2.08 Release 0002
Deutsche TelekomSpeedport Smart 3010137.
KPNExperiaBox V10A (Arcadyan VRV9517)5.00.48 build453
O2HomeBox 64411.01.36
OrangeLiveBox Fibra (PRV3399)
SkinnySmart Modem (Arcadyan VRV9517)6.00.16 build01
SparkNZSmart Modem (Arcadyan VRV9517)6.00.17 build04
Telecom (Argentina)Arcadyan VRV9518VAC23-A-OS-AM1.01.00 build44
TelstraSmart Modem Gen 2 (LH1000)0.13.01r
TelusWiFi Hub (PRV65B444A-S-TS)v3.00.20
TelusNH20A1.00.10debug build06
VerizonFios G31001.5.0.10
VodafoneEasyBox 9044.16
VodafoneEasyBox 90330.05.714
VodafoneEasyBox 80220.02.226

Besides the wide impact, the bug wasn't initially a big deal. Found earlier this year and patched in April, the vulnerability never came under attack until this week.

Exploitation only started Thursday this week, two days after Grant published an in-depth technical write-up, which also included proof-of-concept code.

Bad Packets co-founder and CTO Troy Mursch told The Record the attacks are leveraging the proof-of-concept code shared in Grant's blog post, which is tailored to attack Buffalo routers.

Per Grant, once exploited, the vulnerability can be used to bypass authentication procedures on affected routers and modems to enable the Telnet service and allow threat actors to connect to devices remotely.

While Grant has not tested his proof-of-concept exploit for other devices, and the exploit might not work out of the box for all, the chances are that it does.

While still unconfirmed, owners of any of the affected devices listed in the table above are advised to inquire their router vendor for security patches.

Juniper said it identified the threat actor behind these attacks as a notorious botnet herder operating a version of the Mirai malware.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.