More than a year after a patch was released, hackers are still competing to compromise vulnerable TP-Link Wi-Fi routers.
A report from Fortinet claims half a dozen botnet operators are scanning for vulnerable TP-Link Archer AX21 (AX1800) routers after cybersecurity researchers discovered a high-severity unauthenticated command injection flaw in the endpoints early last year.
The vulnerability, tracked as CVE-2023-1389, was patched a few months later, in March 2023.
Working in Russia’s interest
However, a year later, in March 2024, Fortinet discovered that attempts at leveraging this flaw rose beyond 40,000 and up to 50,000 a day. Apparently, multiple groups are doing it at the same time:
“Recently, we observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent “AGoent,” and the Gafgyt Variant”, Fortinet said in its report.
Different Mirai variants, and a botnet named “Condi” have been identified as going after TP-Link routers since the vulnerability was first disclosed.
Mirai is considered one of the largest and most disruptive botnets out there.
Hackers are always on the lookout for vulnerable, internet-connected endpoints, such as smart home devices, smart speakers, routers, computers, and similar. When they find such devices, they infect them with malware that gives them the ability to run certain commands. The most popular use case is Distributed Denial of Service (DDoS) attacks, in which the compromised machines are tasked with sending meaningless traffic towards a single entity.
Due to the sheer number of traffic requests, the entity is unable to process them all – including legitimate traffic – and crashes, hence the name – denial of service.
To make sure your endpoints are not assimilated into a malicious botnet and used in DDoS attacks, apply the latest patches and firmware updates to all internet-connected devices and make sure they’re protected with a strong password.
Via BleepingComputer