Mirai botnet exploits the flawed TP-Link Archer WiFi routers

April 28, 2023

The well-known Mirai botnet is actively exploiting a vulnerability in the TP-Link Archer A21 (AX1800) router. The confirmed flaw is CVE-2023-1389, and devices compromised through it can be turned against others in distributed denial-of-service attacks.

Based on reports, the exploit first appeared at the Pwn2Own Toronto hacking event in December last year. Several participating teams breached the device through multiple pathways, including both the WAN and the LAN interface. TP-Link rolled out a patch for the vulnerability last month in a new firmware update.

However, researchers observed a number of exploitation attempts in the cybercriminal landscape last week. These attacks began in Eastern European countries and gradually spread to other parts of the globe.


The Mirai botnet is the first notorious botnet campaign that attempted to exploit the new flaw.


According to investigations, the Mirai botnet is currently targeting this vulnerability, which carries a high-severity rating. Researchers traced the root cause to inadequate input sanitisation in the local API that handles the router's language settings: the API neither filters nor validates the values it receives.

Hence, this initial intrusion lets remote attackers inject commands that are executed on the targeted device.

In practice, the flaw allows an attacker to send a specially crafted request to the router with the command payload embedded in the country parameter. A follow-up request then triggers execution of that payload on the device.
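To make the missing check concrete, here is an added example written for this article (not TP-Link firmware code and not Mirai code): a strict allow-list validator for the country parameter, and a scan over constructed access-log lines that flags requests whose country value would have failed it. The endpoint path (ASSUMED_LOCALE_PATH), the log format and the country list are assumptions, not values taken from the router.

```python
import re
from urllib.parse import urlparse, parse_qs

# The country parameter is supposed to carry a locale setting, so the
# hardened check accepts only a two-letter ISO 3166-1 alpha-2 code.
# The set below is an illustrative subset, not the firmware's real list.
COUNTRY_CODE = re.compile(r"^[A-Z]{2}$")
KNOWN_COUNTRIES = {"US", "GB", "DE", "FR", "PL", "UA", "JP"}


def validate_country(value: str) -> bool:
    """Return True only for a well-formed, known country code.

    This is the validation the vulnerable API lacked: any value that is
    not a plain two-letter code (semicolons, quotes, backticks, $(...))
    is refused before it can reach code that builds a shell command.
    """
    return bool(COUNTRY_CODE.fullmatch(value)) and value in KNOWN_COUNTRIES


# Constructed sample access log (simplified common log format).
# /ASSUMED_LOCALE_PATH is a placeholder for the language-settings endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2023:10:01:12 +0000] "GET /ASSUMED_LOCALE_PATH?country=US HTTP/1.1" 200 17
203.0.113.7 - - [20/Apr/2023:10:01:30 +0000] "GET /ASSUMED_LOCALE_PATH?country=DE HTTP/1.1" 200 17
198.51.100.9 - - [20/Apr/2023:10:02:44 +0000] "GET /ASSUMED_LOCALE_PATH?country=%24%28uname%29 HTTP/1.1" 200 17
198.51.100.9 - - [20/Apr/2023:10:02:45 +0000] "GET /ASSUMED_LOCALE_PATH?country=GB%3Bwhoami HTTP/1.1" 200 17
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_suspicious_requests(log_text: str) -> list[dict]:
    """Return one record per request whose decoded country value fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as requests
        # parse_qs percent-decodes, so %3B becomes ';' and %24%28 becomes '$('
        query = parse_qs(urlparse(m["target"]).query, keep_blank_values=True)
        for value in query.get("country", []):
            if not validate_country(value):
                hits.append({"src": m["src"], "ts": m["ts"], "country": value})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} rejected country={hit['country']!r}")
```

The same validator belongs in front of any code path that turns the parameter into a system command; the log scan is only useful for spotting attempts against devices that have not yet received the firmware update.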

Furthermore, a separate researcher reported that a new version of the Mirai malware could exploit the vulnerability to gain initial access to a targeted device. The attack then downloads the binary payload matching the router's architecture and recruits the device into the botnet.

The new version of the Mirai botnet focuses on DDoS attacks. It also includes features aimed at game servers, among them an attack capability directed at the Valve Source Engine.

Lastly, the new malware version can impersonate legitimate network traffic. This makes it harder for anti-DDoS solutions to distinguish legitimate from malicious traffic and to drop the junk traffic efficiently.
