A botnet taking advantage of a vulnerability in TP-Link Archer routers is being used to target manufacturing, healthcare, and technology organisations.
Security researchers have observed a global botnet campaign targeting a vulnerability in TP-Link Archer routers spreading itself over the internet.
Analysts at Cato CTRL first observed the campaign on 10 January, with the most recent activity recorded on 17 February.
The botnet spreads itself via the remote code execution bug CVE-2023-1389. The initial payload includes a bash script malware dropper, which establishes an encrypted command and control channel on port 82 to control the compromised router. Over this channel the operator can run shell commands for further remote execution and denial-of-service attacks, and the malware can also attempt to read files on the router’s network.
“Cato CTRL assesses with moderate confidence that this campaign is linked to an Italian-based threat actor, based on the IP address location (2.237.57[.]70) and supported by Italian strings found within the malware binaries,” Cato CTRL’s researchers said in an 11 March blog post.
“Due to the Italian links, and the targeted TP-Link Archer routers, we have named the botnet ‘Ballista’ as a reference to the ancient Roman weapon.”
According to Cato CTRL, there are currently 6,000 vulnerable internet-facing devices, and the botnet is still active. Its targets include organisations in the healthcare, manufacturing, and technology sectors in Australia, China, the United States, and Mexico.
How it works
CVE-2023-1389 is a vulnerability in the router’s web management interface that allows unauthenticated command execution.
The botnet injects an initial payload that downloads and runs a shell dropper that, in turn, downloads and runs malware binaries on the target device. Once run, the dropper deletes itself and moves to other directories on the local network, where it will continue to spread.
The malware is capable of removing itself to avoid detection, reading files on the network, and running further shell commands when directed by the C2 server, as well as running denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
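As an added defender-side example (not code from the article or from Cato CTRL), the script below scans firewall or flow log lines for the two network indicators the article gives: the C2 channel on TCP port 82 and the operator IP 2.237.57.70. The log line format, the router inventory in ROUTER_IPS and the sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators stated in the article: C2 channel on TCP port 82, and the IP
# address the researchers attributed to the operator.
BALLISTA_C2_PORT = 82
BALLISTA_C2_IPS = {"2.237.57.70"}

# Assumed: addresses of the TP-Link Archer routers in this network.
ROUTER_IPS = {"192.168.10.1", "10.0.0.1"}

# Assumed log format: "<ts> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    reason: str

def scan_flows(lines):
    """Return an Alert for every flow that matches a Ballista indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        f = m.groupdict()
        if f["dst"] in BALLISTA_C2_IPS:
            alerts.append(Alert(f["ts"], f["src"], f["dst"], "known Ballista C2 address"))
        elif f["src"] in ROUTER_IPS and f["proto"] == "tcp" and int(f["dport"]) == BALLISTA_C2_PORT:
            alerts.append(Alert(f["ts"], f["src"], f["dst"], "router outbound TCP/82 (Ballista C2 port)"))
    return alerts

# Constructed sample log lines: one port-82 hit from a router, one C2 IP hit,
# one UDP/82 flow that must not match, and one unparseable line.
SAMPLE_LOG = """\
2025-02-17T10:01:02Z src=192.168.10.1 dst=203.0.113.9 proto=tcp dport=82
2025-02-17T10:01:05Z src=192.168.10.50 dst=93.184.216.34 proto=tcp dport=443
2025-02-17T10:02:11Z src=10.0.0.1 dst=2.237.57.70 proto=tcp dport=443
2025-02-17T10:03:00Z src=10.0.0.1 dst=198.51.100.7 proto=udp dport=82
garbage line
"""

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} -> {a.dst}: {a.reason}")
```

A router talking to TCP/82 is a lead to correlate with the other indicators, not a verdict on its own.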
Cyber Daily has reached out to TP-Link for comment.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.