Multiple botnets exploit a year-old TP-Link vulnerability to carry out router attacks

Hu Jinyu

loopholes

Just released

976

collect

Introduction: TP-Link Archer AX21 (AX1800) router users are advised to follow the vendor's firmware upgrade instructions for security updates.

At least six different botnet malware have been found to be exploiting TP-Link Archer AX21 (AX1800) routers affected by last year's command injection security issue. The flaw, tracked as CVE-2023-1389, is a high-severity unauthenticated command injection issue in the Locale API accessible through the TP-Link Archer AX21 web management interface.

Researchers discovered the issue in January 2023 and reported it to the vendor through the Zero-Day Initiative (ZDI). TP-Link addressed the issue in March 2023 by releasing a firmware security update, and proof-of-concept exploit code emerged shortly after the security advisory was made public.

Cybersecurity teams subsequently issued warnings about multiple botnets, including three Mirai variants (1, 2, 3) and a botnet called “Condi” that targets unpatched devices.

This week, Fortinet issued another warning, saying it was observing a surge in malicious activity exploiting the vulnerability, noting that it originated from six botnet operations.

Telemetry data from Fortinet shows that starting in March 2024, daily infection attempts utilizing CVE-2023-1389 typically exceeded 40,000 and could reach as high as 50,000.

Activity diagram regarding CVE-2023-1389

Multiple attacks targeting this vulnerability focused on botnets such as Moobot, Miori, Golang-based proxy AGoent, and Gafgyt variants. Each botnet utilizes different methods and scripts to exploit vulnerabilities, establish control over infected devices, and command them to engage in malicious activities such as distributed denial-of-service (DDoS) attacks.

They are going: Download and execute a script that fetches and runs an ELF file from a remote server, then wipes the file to hide traces.

Gafgyt variants: Specializes in DDoS attacks by downloading scripts to execute Linux binaries and maintain persistent connections to C&C servers.

Will arrive: Known for launching DDoS attacks, it obtains and executes scripts to download ELF files, execute them according to the schema, and then delete traces.

Miori: Utilizes HTTP and TFTP to download ELF files, execute them, and perform brute force attacks using hardcoded credentials.

List of credentials used by Miori to brute force accounts

Mirai variants: Downloads a script that then fetches ELF files compressed using UPX, monitors and kills packet analysis tools to avoid detection.

Condi: Uses downloader scripts to increase infection rates, prevent device reboots for persistence, and scan and kill specific processes to avoid detection.

Condi DDoS attack mode

Fortinet said that despite security updates released by the vendor last year, a large number of users continue to use outdated firmware. TP-Link Archer AX21 (AX1800) router users are advised to follow the vendor's firmware upgrade instructions for secure updates and to change the default administrator password to a longer one and disable network access to the admin panel when not needed.

Article translated from: https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/ If reprinted, please indicate the original address