Numerous botnets are targeting a nearly year-old command-injection vulnerability in TP-Link routers to compromise devices for IoT-based distributed denial of service (DDoS) attacks.
There is already a patch for the flaw, listed as CVE-2023-1389, which is present in the web management interface of the TP-Link Archer AX21 (AX1800) Wi-Fi router and affects devices running firmware version 1.1.4 build 20230219 or earlier.
However, threat actors are exploiting unpatched devices to deliver various botnets, including Moobot, Miori, AGoent, a Gafgyt variant, and variants of the infamous Mirai botnet, which can compromise devices for DDoS attacks and other nefarious activities, according to a blog post from Fortiguard Labs threat research.
“We have recently observed numerous attacks focusing on this year-old vulnerability,” which had previously been exploited by the Mirai botnet, according to the post by Fortiguard researchers Cara Lin and Vincent Li. Fortiguard’s IPS telemetry detected significant traffic spikes, which alerted the researchers to the malicious activity, they said.
Exploiting the TP-Link flaw
The flaw stems from a lack of sanitization of the “Country” field of the router’s management interface, “so that an attacker can exploit it for malicious activity and gain a foothold,” according to TP-Link’s security advisory for the defect.
“This is an unauthenticated command injection vulnerability in the ‘local’ API available via the web management interface,” Lin and Li explained.
To exploit this, an attacker can query the “country” module and perform a “write” operation, which is handled by the “set_country” function, the researchers explained. That function calls the “merge_config_by_country” function, which concatenates the argument of the “country” form field into a command string. This string is then executed by the “popen” function.
“Since the ‘Country’ field will not be emptied, the attacker can achieve command injection,” the researchers wrote.
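As a defensive counterpart to the mechanism described above, the following is an added detection example (not from the Fortiguard post or from TP-Link): it scans web-server access log lines for “write” operations on the “country” form whose value is anything other than a plain two-letter country code. The endpoint path, the log format and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters that have no place in a two-letter country code.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")
# Allow-list for the only legitimate shape of the "country" form value.
COUNTRY_CODE = re.compile(r"^[A-Za-z]{2}$")

# Combined-log-format line: client IP, timestamp, and the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)


def is_injection_attempt(url: str) -> bool:
    """True when the request is a 'write' on the 'country' form whose value
    is not a bare country code (e.g. it carries shell metacharacters)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)  # also URL-decodes
    if qs.get("form") != ["country"] or qs.get("operation") != ["write"]:
        return False
    for value in qs.get("country", []):
        if not COUNTRY_CODE.match(value) or SHELL_META.search(value):
            return True
    return False


def scan_access_log(lines):
    """Return (client_ip, timestamp, decoded_url) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_injection_attempt(m.group("url")):
            hits.append((m.group("ip"), m.group("ts"), unquote(m.group("url"))))
    return hits


# Constructed sample log lines; "/mgmt/locale" is a placeholder path, not the real endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2024:08:15:02 +0000] "GET /mgmt/locale?form=country&operation=read HTTP/1.1" 200 51',
    '198.51.100.23 - - [10/Apr/2024:08:15:09 +0000] "GET /mgmt/locale?form=country&operation=write&country=US HTTP/1.1" 200 51',
    '198.51.100.23 - - [10/Apr/2024:08:15:11 +0000] "GET /mgmt/locale?form=country&operation=write&country=US%3Becho+probe HTTP/1.1" 200 51',
]

if __name__ == "__main__":
    for ip, ts, url in scan_access_log(SAMPLE_LOG):
        print(f"suspicious country write from {ip} at {ts}: {url}")
```

Parameters carried in a POST body do not appear in access logs, so the same check belongs in an IDS or WAF rule as well.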
Botnet under siege
TP-Link’s advisory when the flaw was revealed last year included acknowledgment of exploitation by the Mirai botnet. But since then, other botnets and several Mirai variants have also taken vulnerable devices by storm.
One is AGoent, a Golang-based agent bot that attacks by first retrieving the “exec.sh” script file from an attacker-controlled website; the script then retrieves Executable and Linkable Format (ELF) files for different Linux-based architectures.
The bot then performs two main behaviors: first, it creates a host username and password from random characters; second, it establishes a command-and-control (C2) connection to transmit the newly created credentials so that the device can be controlled, the researchers said.
A Gafgyt variant, a botnet that launches denial-of-service (DoS) attacks from Linux architectures, is also attacking the TP-Link flaw by downloading and executing a script file and then retrieving Linux executables with the filename prefix “rebirth”. The botnet then obtains the compromised target’s IP and architecture information, which it concatenates into a string that forms part of its initial connection message, the researchers explained.
“After establishing a connection with its C2 server, the malware receives a continuous ‘PING’ command from the server to ensure persistence on the compromised target,” the researchers wrote. It then waits for various C2 commands to create DoS attacks.
The botnet called Moobot is also attacking the flaw to conduct DDoS attacks on remote IPs via a command from the attacker’s C2 server, researchers said. While the botnet targets various IoT hardware architectures, Fortiguard researchers analyzed the botnet execution file designed for the “x86_64” architecture to determine its exploitation activity.
A Mirai variant is also conducting DDoS attacks by exploiting the flaw; its C&C server sends a packet directing the infected endpoint to initiate the attack, the researchers noted.
“The specified command is 0x01 for a Valve Source Engine (VSE) wave, lasting 60 seconds (0x3C), which targets a randomly selected victim’s IP address and port number 30129,” they explained.
Miori, another Mirai variant, also joined the fray to conduct brute force attacks on compromised devices, researchers noted. And they also observed Condi attacks that remain consistent with a version of the botnet that was active last year.
The Condi attack retains the function of preventing reboots by deleting the binaries responsible for shutting down or restarting the system, and it scans active processes and cross-references them against predefined strings to terminate processes with matching names, the researchers said.
Patch and protect to avoid DDoS
Botnet attacks that exploit device flaws to target IoT environments are “relentless,” so users should be vigilant against DDoS botnets, the researchers noted. Indeed, IoT adversaries pounce on the flaws of unpatched devices to further their sophisticated attack campaigns.
Attacks against TP-Link devices can be mitigated by applying the available patch for the affected devices, and this practice should be followed for any other IoT devices “to safeguard their network environments from infection, preventing them from becoming bots for harmful threat actors,” the researchers wrote.
Fortiguard also included in its post various indicators of compromise (IoCs) for the different botnet attacks, including C2 servers, URLs and files, that can help administrators identify an attack.