Botnets Exploiting Vulnerabilities in TP-Link Routers: A Growing Threat

According to Fortinet, at least six botnets are currently attacking TP-Link Archer AX21 (AX1800) routers that remain vulnerable to CVE-2023-1389, an unauthenticated command injection flaw: an attacker can run commands on the device without supplying any credentials.

The CVE-2023-1389 vulnerability was initially discovered at the Pwn2Own hacking competition in December 2022. Although TP-Link developers addressed the issue in March 2023 with the release of firmware version 1.1.4 Build 20230219, it was later revealed that hackers were already exploiting the vulnerability. Initially targeting devices in Eastern Europe, the attacks soon spread globally.

Fortinet analysts now report that, a year later, CVE-2023-1389 is still being actively exploited because many users continue to run outdated firmware. Recently there has been a surge in malicious activity originating from six botnets.

According to Fortinet’s telemetry data, since March 2024, the daily number of attack attempts using CVE-2023-1389 often exceeds 40,000 and sometimes reaches 50,000.

“We have recently observed numerous attacks targeting this year-old vulnerability, particularly abused by botnets such as Moobot, Miori, the Go-based malware AGoent, and a variant of Gafgyt,” experts report.

AGoent downloads and executes scripts that fetch and run ELF files from a remote server, then deletes the files to hide its traces.
The Gafgyt variant specialises in DDoS attacks; it downloads scripts that execute Linux binaries and maintains persistent connections to its C&C servers.
Moobot conducts DDoS attacks, fetches and executes scripts that download ELF files for several CPU architectures, runs the one that matches the device, and then destroys the traces of its activity.
Miori uses HTTP and TFTP to download ELF files, executes them, and carries a list of hard-coded credentials for brute-force attacks against other devices.
The Mirai variant downloads a script that in turn fetches UPX-packed ELF files, and kills packet analysis tools on the device to avoid detection.
Condi uses a loader script to speed up infection, blocks device reboots to stay resident, and detects and terminates specific processes to avoid detection.

Each of these botnets uses its own attack methods and scripts to exploit the vulnerability, take control of the compromised device, and manage it afterwards. Researchers recommend that TP-Link Archer AX21 (AX1800) owners follow the manufacturer's instructions to update the firmware, replace the default admin password with a unique, complex one, and disable web access to the management panel if it is not needed.
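The update advice above is only actionable if you can tell which devices actually run the fixed build. The following Python is an example added here, not code from Fortinet's report or from TP-Link: it parses firmware version strings from a constructed device inventory and flags anything older than the 1.1.4 Build 20230219 release named in the article. The version-string format it expects ("1.1.4 Build 20230219 rel.50123", with the rel suffix optional), the comparison rule (higher version wins, same version falls back to build date), and the sample inventory are all assumptions of this example.

```python
"""Triage TP-Link Archer AX21 firmware versions against the CVE-2023-1389 fix.

The only version the article gives is the patched build, 1.1.4 Build 20230219.
Everything else here (the exact shape of TP-Link's version string, the
inventory) is an assumption or constructed sample data for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Patched firmware named in the article (TP-Link, March 2023).
PATCHED_VERSION = "1.1.4 Build 20230219"

# Assumed format of the string shown in the router UI, e.g.
# "1.1.4 Build 20230219 rel.50123". The "rel.NNNNN" suffix is optional
# and is ignored for the comparison; only version and build date matter.
_VERSION_RE = re.compile(
    r"^\s*(?P<ver>\d+(?:\.\d+)*)\s+Build\s+(?P<build>\d{8})(?:\s+rel\.\d+)?\s*$",
    re.IGNORECASE,
)


def parse_firmware(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return (version_tuple, build_date) or raise ValueError on unknown input."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    version = tuple(int(part) for part in m.group("ver").split("."))
    return version, int(m.group("build"))


def _pad(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Pad shorter tuples with zeros so 1.2 compares as 1.2.0 against 1.1.4.
    return version + (0,) * (width - len(version))


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True if the installed firmware is the patched build or newer.

    A higher version number wins; at the same version number the build date
    decides, so 1.1.4 Build 20230101 is still treated as vulnerable.
    """
    inst_ver, inst_build = parse_firmware(installed)
    fix_ver, fix_build = parse_firmware(patched)
    width = max(len(inst_ver), len(fix_ver))
    return (_pad(inst_ver, width), inst_build) >= (_pad(fix_ver, width), fix_build)


@dataclass
class Device:
    host: str
    firmware: str  # the version string as reported by the device


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Sort devices into patched / vulnerable / unknown buckets by hostname.

    Unparseable strings go to "unknown" rather than being assumed safe.
    """
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for dev in devices:
        try:
            bucket = "patched" if is_patched(dev.firmware) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(dev.host)
    return result


# Constructed sample inventory (not real devices); mixes patched, old and
# unparseable entries to show how each is handled.
SAMPLE_INVENTORY = [
    Device("ax21-office-1", "1.1.4 Build 20230219 rel.50123"),
    Device("ax21-office-2", "1.1.3 Build 20221209 rel.50123"),
    Device("ax21-branch", "1.1.4 Build 20230101"),
    Device("ax21-lab", "1.2.0 Build 20231015 rel.60045"),
    Device("ax21-unknown", "N/A"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Devices whose version string cannot be parsed are reported separately instead of being assumed patched; in practice those are the ones worth logging into by hand, since a device that cannot report a sane version is often one nobody has looked at since it was installed.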
