Mirai Botnet Variant Explores TP-Link to Grow its Army of DDoS Devices

The Mirai botnet, a constant threat to IoT devices, is back in action. It has been discovered abusing a vulnerability in the TP-Link Archer AX21 (AX1800) WiFi router to conscript the devices for DDoS attacks. The vulnerability was first exploited during the Pwn2Own Toronto hacking event in December 2022.

Newly updated Mirai

In recent attacks, a new variant of the Mirai botnet is exploiting the flaw (CVE-2023-1389) to gain access to devices. It downloads the binary payload designed specifically for the router's architecture to add the device to a botnet.
  • The Zero Day Initiative (ZDI) on April 11 detected active exploitation of the bug in the wild.
  • It initially targeted organizations in Eastern Europe but appears to have gradually spread across the globe.
  • This new variant is focused on performing DDoS attacks, mainly targeting game servers, and can launch attacks at Valve Source Engine (VSE).
  • This version mimics genuine network traffic, making it hard for DDoS protection solutions to distinguish malicious from legitimate traffic and therefore to drop the junk traffic effectively.

About the TP-Link flaw

The abused flaw was officially reported to TP-Link in January, with TP-Link releasing a fix in a new firmware update.
  • The vulnerability (CVE-2023-1389) is a high-severity (CVSS v3: 8.8) unauthenticated command injection in the locale API of the TP-Link Archer AX21 router in the web management interface.
  • The root cause is missing input sanitization in the locale API, which handles the router's language settings: the API does not validate the values it receives, so a remote attacker can inject commands.
  • The flaw is abused by sending a specially crafted request to the router that carries the command payload in the country parameter; a second request then triggers execution of the injected command.

TP-Link first addressed the problem on February 24. However, the fix was incomplete and did not stop exploitation. Later, the firm published an update (version 1.1.4 Build 20230219) on March 14.
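The two-request pattern described above (an injected value in the country parameter, followed by a second request that triggers it) is something a defender can look for in the router's or an upstream proxy's access logs. The following is an added example, not code from the article or from TP-Link: it scans constructed Apache-style log lines, flags locale requests whose decoded country value contains shell metacharacters, and counts follow-up locale requests from the same source. The endpoint path `/locale` is an assumption, since the article only refers to "the locale API"; the injected values in the sample lines are placeholders, not real payloads.

```python
"""Flag command-injection attempts against a router's locale/country
endpoint in web-server access logs (added example, constructed input)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Characters that never appear in a legitimate country/locale code such as
# "US" or "en_US" but are needed to chain or substitute shell commands.
SHELL_META = re.compile(r"[;|&`$()\r\n]")

# Assumed endpoint path; the article only says "the locale API".
LOCALE_PATH = "/locale"

# Common/combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Apr/2023:09:58:01 +0000] "GET /locale?country=US HTTP/1.1" 200 45',
    '198.51.100.7 - - [11/Apr/2023:10:00:12 +0000] "GET /locale?country=US%3Bexample HTTP/1.1" 200 45',
    '198.51.100.7 - - [11/Apr/2023:10:00:13 +0000] "GET /locale?country=US HTTP/1.1" 200 45',
    '203.0.113.5 - - [11/Apr/2023:10:02:00 +0000] "GET /locale?country=%24%28example%29 HTTP/1.1" 200 45',
    '192.0.2.10 - - [11/Apr/2023:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def parse_line(line):
    """Split one access-log line into its fields, or return None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def country_value(target):
    """Return the percent-decoded 'country' query value for a locale request,
    or None when the request is not for the locale endpoint or has no such
    parameter."""
    parts = urlsplit(target)
    if parts.path != LOCALE_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("country")
    return values[0] if values else None


def is_injection_attempt(value):
    """True when the decoded value carries shell metacharacters."""
    return value is not None and SHELL_META.search(value) is not None


def find_attempts(lines):
    """Return (attempts, followups): attempts is a list of
    (ip, timestamp, decoded_value) for each flagged locale request, and
    followups maps each flagged IP to the number of later, clean locale
    requests it made (the second request that triggers the injected command)."""
    attempts = []
    followups = defaultdict(int)
    flagged_ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        val = country_value(rec["target"])
        if val is None:
            continue
        if is_injection_attempt(val):
            attempts.append((rec["ip"], rec["ts"], val))
            flagged_ips.add(rec["ip"])
        elif rec["ip"] in flagged_ips:
            followups[rec["ip"]] += 1
    return attempts, dict(followups)


if __name__ == "__main__":
    found, second_requests = find_attempts(SAMPLE_LOG)
    for ip, ts, val in found:
        print(f"{ts} {ip} injection attempt in country parameter: {val!r} "
              f"(follow-up locale requests: {second_requests.get(ip, 0)})")
```

The decoding step matters: `parse_qs` undoes percent-encoding, so `%3B` and `%24%28` are caught as `;` and `$(` rather than slipping past a check on the raw URL. Legitimate values are short alphabetic codes, so an allowlist (letters, digits, `_` and `-`) would be a stricter rule than the metacharacter denylist used here.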

Conclusion

The Mirai botnet continues to add new vulnerabilities to its arsenal to expand its reach. The recent attack also highlights how quickly attackers now weaponize a vulnerability relative to the time it takes the equipment maker to release and users to apply a patch. Applying the patch is the key recommended action to reduce the risk. Further, ensure that in-use operating systems and application software are kept up to date.
Publisher: Cyware