More than a year after a patch was released, hackers are still competing to compromise vulnerable TP-Link Wi-Fi routers.
A report from Fortinet claims that a half-dozen botnet operators are searching for vulnerable TP-Link Archer AX21 (AX1800) routers after cybersecurity researchers discovered a very serious, unverified command injection flaw in the endpoints early last year.
The vulnerability, tracked as CVE-2023-1389, was patched a few months later in March 2023.
Working in the interests of Russia
However, a year later, in March 2024, Fortinet discovered that the number of attempts to exploit this flaw rose above 40,000 and even as high as 50,000 per day. Apparently several groups are doing it at the same time:
“We recently observed multiple attacks targeting this year-old vulnerability, highlighting botnets such as Moobot, Miori, the Golang-based agent ‘AGoent’ and the Gafgyt Variant,” Fortinet said in its report.
Several Mirai variants and a botnet called “Condi” have been identified as targeting TP-Link routers since the vulnerability was first disclosed.
Mirai is considered one of the largest and most disruptive botnets out there.
Hackers are always looking for vulnerable internet-connected endpoints such as smart home devices, smart speakers, routers, computers and the like. When they find such devices, they infect them with malware that allows them to execute certain commands. The most popular use case is Distributed Denial of Service (DDoS) attacks, where the compromised machines are tasked with sending meaningless traffic to a single entity.
Due to the huge number of traffic requests, the entity is unable to process them all (including legitimate traffic) and crashes, hence the name denial of service.
To ensure that your endpoints are not included in a malicious botnet and used in DDoS attacks, apply the latest patches and firmware updates to all internet-connected devices and ensure they are protected with a strong password .
Through BleepingComputer