Hackers Exploit TP-Link N-Day Flaw to Build Mirai BotnetQuick Turnaround of New Vulnerability Shows Hackers Reacting Quickly to Patches
Hackers are attempting to infect a consumer-grade Wi-Fi router model with Mirai botnet malware following the discovery of zero-days in the device in a December hacking competition.
Researchers from the Trend Micro's Zero Day Initiative said telemetry from Eastern Europe indicates that Mirai operators are exploiting a flaw in the TP-Link Archer AX21 firmware. The bug, CVE-2023-1389, allows attackers to inject a command into the router web management interface. A handful of teams competing in the December 2022 Pwn2Own competition in Toronto identified the flaw. TP-Link released a patch in mid-March.
The Mirai botnet is a legacy of three Minecraft players who in 2016 unleashed the botnet, which infects internet of things devices running on an ARC processor, as part of an intended protection racket against DDoS attacks. Someone posted the code online, leading cybercriminals to assemble their own Mirai botnets. The original coders pleaded guilty to federal charges in 2017 and cooperated with the FBI.
The Zero Day Initiative researchers said infections made with the newfound TP-Link Archer flaw are spreading beyond Eastern Europe into other locations around the globe. Analysis shows this version of Mirai takes pain to imitate legitimate traffic, "making it more difficult to separate DDoS traffic from legitimate network traffic."
The speed of adoption of the flaw as a vector for the botnet malware is also notable, the researchers said. "Seeing this CVE being exploited so quickly after the patch being released is a clear demonstration of the decreasing 'time-to-exploit' speed that we continue to see across the industry."