According to a new report from the Cato CTRL team, the Ballista botnet exploits a remote code execution vulnerability that directly impacts the TP-Link Archer AX-21 router.
The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet malware attacks. The flaw also linked to the Condi and AndroxGh0st malware attacks.
[…]
The attack sequence is as follows: it starts with a malware dropper, then a shell script designed to fetch and execute the main binary on the target system for various system architectures. When executed, the malware establishes a command-and-control (C2) channel on port 82 to take control of the device.
This allows the malware to run shell commands to conduct further remote code execution and Denial of Service (DoS) attacks; it will also attempt to read sensitive files on the system.
Supported commands include flooder (triggers a flood attack), exploiter (which exploits CVE-2023-1389), start (an optional parameter used with the exploiter to start the module), close (stops the module triggering function), shell (runs a Linux shell command on the local system) and killall (used to terminate the service).
The Ballista malware is additionally capable of terminating previous instances of itself – and erasing its own presence once execution begins. It’s designed to spread to other routers by attempting to exploit the flaw.
[…]
Source: Thousands of TP-Link routers have been infected by a botnet to spread malware | Tom’s Guide
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft