Thousands of TP-Link routers vulnerable to new botnet: Report
Owners and administrators need to make sure devices are patched and have strong passwords
Owners or administrators of TP-Link Archer Wi-Fi home and business routers should make sure the devices are running current firmware and that their administrative passwords are strong, following the discovery of a new botnet targeting them.
Researchers at Cato Networks said Tuesday the botnet -- which they dub Ballista because it's suspected to have been created by an Italy-based threat actor -- began operating early in January.
The Ballista botnet has targeted manufacturing, medical/healthcare, services and technology organizations in the U.S., Australia, China, and Mexico.
A botnet is a fleet of compromised devices under one operator's control. Each infected device is used to find and infect more, and the combined fleet can then be directed to drop malware into company IT networks or to launch distributed denial of service (DDoS) attacks.
Routers are attractive targets for two reasons: owners and administrators patch them far less often than Windows PCs and servers, and many never replace the default administrative password the device shipped with.
TP-Link routers are deployed in huge numbers worldwide. According to the report, Ballista gets into them by exploiting CVE-2023-1389, a command-injection vulnerability in the web management interface of Archer routers that was disclosed two years ago. TP-Link released fixed firmware at the time, but devices that have not been updated remain exposed.
It isn't clear how many TP-Link routers have been compromised by Ballista so far. Based on an internet scan, the report estimates that more than 6,000 devices are still vulnerable.
The botnet is still active.
On an infected router the initial payload is a malware dropper, specifically a bash script, that downloads and executes the main malware. During their analysis the Cato Networks researchers watched the botnet evolve, switching to Tor domains to become stealthier.
Once executed, the malware sets up a TLS-encrypted command and control (C2) channel on port 82, which is used to fully control the compromised device: the operator can run shell commands on it, conduct further remote code execution (RCE) and launch denial of service (DoS) attacks. The malware also attempts to read sensitive files on the local system.
The initial IP address the malware used for communications stopped responding recently, perhaps because the threat actor noticed the security researchers' attention. The malware now appears to use Tor domains for both payload distribution and C2 communications.
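The one network indicator the report gives that a defender can hunt on is the C2 channel on TCP port 82. The script below is an added example, not code from the article or from Cato Networks: it parses firewall or flow-log records and flags any TCP session on port 82 that involves one of your routers, in either direction, because the page does not say which side opens the connection. The log layout, the IP addresses and the function names are assumptions made up for this demonstration; adapt the regex to your own firewall's export format.

```python
"""Hunt for Ballista-style C2 sessions (TCP/82) in flow logs.

Added example; not from the article or the Cato Networks report. The
record layout, addresses and names are assumptions for this demo.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed flow-record layout (constructed for this example):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

C2_PORT = 82  # the C2 port named in the Cato Networks report

# Constructed sample log: 192.0.2.1 is the router under review; the other
# addresses are documentation ranges, not real indicators.
SAMPLE_LOG = """\
2025-03-11T02:14:07Z 192.0.2.1:51234 -> 198.51.100.9:82 TCP ALLOW
2025-03-11T02:14:09Z 192.0.2.1:51235 -> 198.51.100.9:443 TCP ALLOW
2025-03-11T02:15:00Z 203.0.113.7:44000 -> 192.0.2.1:82 TCP ALLOW
2025-03-11T02:15:30Z 192.0.2.50:60000 -> 198.51.100.9:82 TCP ALLOW
2025-03-11T02:16:00Z 192.0.2.1:51236 -> 198.51.100.20:82 UDP ALLOW
garbage line that does not parse
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    router: str
    peer: str
    direction: str  # "outbound": router initiated; "inbound": peer initiated


def parse_flow(line):
    """Return a dict for one flow record, or None if the line is malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_c2_candidates(lines, router_ips):
    """Flag TCP sessions on port 82 where one endpoint is a monitored router.

    Both directions are reported because the report only states that the
    malware 'sets up' a TLS channel on port 82, not who connects to whom.
    """
    routers = {ipaddress.ip_address(ip) for ip in router_ips}
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"].upper() != "TCP":
            continue  # skip unparseable records and non-TCP traffic
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in routers and rec["dport"] == C2_PORT:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], "outbound"))
        elif dst in routers and rec["dport"] == C2_PORT:
            findings.append(Finding(rec["ts"], rec["dst"], rec["src"], "inbound"))
    return findings


def summarize(findings):
    """Map each router to the sorted list of distinct port-82 peers seen."""
    peers = {}
    for f in findings:
        peers.setdefault(f.router, set()).add(f.peer)
    return {router: sorted(p) for router, p in peers.items()}


if __name__ == "__main__":
    hits = find_c2_candidates(SAMPLE_LOG.splitlines(), ["192.0.2.1"])
    for h in hits:
        print(f"{h.ts} router {h.router} {h.direction} port-{C2_PORT} session with {h.peer}")
    print(summarize(hits))
```

A hit on port 82 alone is a lead, not proof of infection: confirm it by checking the router's firmware version against TP-Link's fix for CVE-2023-1389 and by looking for the TLS handshake the report describes on that session. Run against the constructed sample, the script flags the router's outbound session to 198.51.100.9 and the inbound one from 203.0.113.7, and ignores the non-router host, the UDP record and the malformed line.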
The best-known botnets of this kind are Mirai and Mozi. Mirai hijacks a wide range of internet-connected devices, including surveillance cameras and the digital video recorders attached to them. According to Radware, Mirai appeared in 2016. Its source code was published openly and has since been used by a number of threat groups as the basis for their own botnets.
Law enforcement agencies have had some success seizing the servers and infrastructure behind botnets. For example, just over a year ago authorities pulled the plug on the KV Botnet, a network of small office/home office (SOHO) routers hijacked by the China-based group Microsoft calls Volt Typhoon.
Those routers, mostly from Cisco Systems and Netgear, shared one weakness: they were end-of-life, so the manufacturers had stopped issuing patches, and the owners had neither noticed nor replaced them. That is another big problem: people and companies keep routers for years without considering that a device may need replacing simply because its manufacturer no longer supports it.
My advice: regularly check the manufacturer's website for every internet-connected device you own, including smartphones, Bluetooth headsets, surveillance cameras, routers, industrial machines and Windows systems, for security updates, and install them promptly. At least once a year, verify that the manufacturer still supports the device. If it does not, replace it quickly.
See also this advisory from the Canadian Centre for Cyber Security, and this advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for securing home routers.