Multiple botnets exploiting one-year-old TP-Link flaw to hack routers

At least six distinct botnet malware operations are hunting for TP-Link Archer AX21 (AX1800) routers vulnerable to a command injection security issue reported and addressed last year.

Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface.

Several researchers discovered it in January 2023 and reported to the vendor through the Zero-Day Initiative (ZDI). TP-Link addressed the problem with the release of firmware security updates in March 2023. Proof-of-concept exploit code emerged shortly after the security advisories became public.

Following that, cybersecurity teams warned about multiple botnets, including three Mirai variants (1, 2, 3) and a botnet named "Condi," that targeted unpatched devices.

Yesterday, Fortinet issued another warning saying that it observed a surge in the malicious activity exploiting the vulnerability, noting that it originated from six botnet operations.

Fortinet's telemetry data shows that starting in March 2024, daily infection attempts leveraging CVE-2023-1389 often went beyond 40,000 and up to 50,000.

Diagram of activity concerning CVE-2023-1389
Diagram of activity concerning CVE-2023-1389
(Fortinet)
"Recently, we observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent "AGoent," and the Gafgyt Variant." - Fortinet

Each of these botnets utilizes different methods and scripts to exploit the vulnerability, establish control over the compromised devices, and command them to take part in malicious activities such as distributed denial of service (DDoS) attacks.

  • AGoent: Downloads and executes scripts that fetch and run ELF files from a remote server, then erases the files to hide traces.
  • Gafgyt variant: Specializes in DDoS attacks by downloading scripts to execute Linux binaries and maintaining persistent connections to C&C servers.
  • Moobot: Known for initiating DDoS attacks, it fetches and executes a script to download ELF files, executes them based on architecture, and then removes traces.
  • Miori: Utilizes HTTP and TFTP to download ELF files, executes them, and uses hardcoded credentials for brute force attacks.
List of credentials Miori uses to brute force accounts
List of credentials Miori uses to brute force accounts
(Fortinet)
  • Mirai variant: Downloads a script that subsequently fetches ELF files, which are compressed using UPX. Monitors and terminates packet analysis tools to avoid detection.
  • Condi: Uses a downloader script to enhance infection rates, prevents device reboots to maintain persistence, and scans for and terminates specific processes to avoid detection.
Condi DDoS attack modes
Condi DDoS attack modes
(Fortinet)

Fortinet's report indicates that despite the vendor's release of a security update last year, a significant number of users continue to use outdated firmware.

TP-Link Archer AX21 (AX1800) router users are advised to follow the vendor's firmware upgrading instructions, available here. They should also change the default admin passwords to something unique and long, and disable web access to the admin panel if not needed.

Related Articles:

Juniper warns of Mirai botnet scanning for Session Smart routers

Botnet exploits GeoVision zero-day to install Mirai malware

BadBox malware botnet infects 192,000 Android devices despite disruption

US considers banning TP-Link routers over cybersecurity risks

New Android NoviSpy spyware linked to Qualcomm zero-day bugs