The infamous Mirai botnet, known for launching a series of destructive DDoS attacks, has recently enhanced its capabilities by exploiting a recently patched vulnerability in TP-Link Archer AX21 Wi-Fi routers.
The vulnerability, identified as CVE-2023-1389 and assigned a CVSS score of 8.8, was independently discovered and disclosed by multiple teams during the Pwn2Own Toronto competition.
In December 2022, at the Pwn2Own Toronto hacking event, two separate teams leveraged the vulnerability and breached the TP-Link Archer AX21 Wi-Fi router through both LAN and WAN interface access.
After the discovery of the flaw, it was reported to TP-Link in January 2023.
TP-Link then released a new firmware update last month to address the vulnerability.
The vulnerability known as CVE-2023-1389 is a severe unauthenticated command injection flaw in the locale API of the web management interface of the TP-Link Archer AX21 router.
According to BleepingComputer, the vulnerability carries a high-severity score of 8.8 under the CVSS v3 rating system.
Recently, the Zero Day Initiative (ZDI) identified exploitation attempts in the wild, which began surfacing last week in Eastern Europe and then spreading globally.
As Duo reports, Peter Girnus, a senior threat researcher with Trend Micro’s Zero Day Initiative, stated that the recent exploitation of the CVE-2023-1389 vulnerability shortly after the release of the patch highlights the industry’s decreasing “time-to-exploit” rate.
Nevertheless, Girnus added that this pattern is not new to the maintainers of the Mirai botnet, who are recognized for rapidly exploiting IoT devices to keep control over an organization.
This Mirai variant is built for DDoS attacks and targets game servers in particular, with the capability to launch attacks against Valve Source Engine (VSE).
What sets this new variant apart is its ability to imitate genuine network traffic, which makes it harder for DDoS mitigation solutions to tell legitimate traffic from malicious traffic and therefore harder to filter effectively.
TP-Link attempted to fix the issue on February 24, 2023, but the attempt was incomplete and failed to prevent exploitation.
The company later released a firmware update, version 1.1.4 Build 20230219, on March 14, 2023, that addresses CVE-2023-1389.
Users of the Archer AX21 AX1800 dual-band Wi-Fi 6 router can download the update from TP-Link's website for their router's hardware version.
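A practical follow-up to the patch advice above is a fleet check that compares each router's reported firmware string against the fixed build named in this article. The following script is an added example written for this page; it is not TP-Link's code or tooling. It assumes the version format "X.Y.Z Build YYYYMMDD" seen in the fixed version "1.1.4 Build 20230219", and the inventory it runs over is constructed sample data, not real device records.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Minimum fixed firmware for the Archer AX21, as stated in the article.
FIXED_VERSION = "1.1.4 Build 20230219"


class FirmwareVersion(NamedTuple):
    """Parsed TP-Link style version; tuple order gives a natural ordering."""
    major: int
    minor: int
    patch: int
    build: int  # build date as a YYYYMMDD integer


# Assumed format: "1.1.4 Build 20230219" (dotted triple, then an 8-digit build date).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})\s*$", re.IGNORECASE)


def parse_version(text: str) -> Optional[FirmwareVersion]:
    """Return a FirmwareVersion, or None when the string does not match the format."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    return FirmwareVersion(*(int(group) for group in match.groups()))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if installed >= fixed, False if older, None if either string is unparseable.

    An unparseable version is reported separately rather than silently treated as
    patched, so that odd or tampered strings get a human look.
    """
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        return None
    return inst >= fix


def audit(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (device_id, version_string) pairs into patched / vulnerable / unknown.

    Comparison assumes all devices share one hardware version; the article notes
    that TP-Link publishes the update per hardware version, so mixed fleets should
    be audited per hardware revision.
    """
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for device_id, version in inventory:
        status = is_patched(version)
        if status is None:
            result["unknown"].append(device_id)
        elif status:
            result["patched"].append(device_id)
        else:
            result["vulnerable"].append(device_id)
    return result


# Constructed sample inventory (device ids and most version strings are made up).
SAMPLE_INVENTORY = [
    ("ax21-branch-01", "1.0.0 Build 20220101"),   # constructed: older than the fix
    ("ax21-branch-02", "1.1.4 Build 20230219"),   # exactly the fixed build
    ("ax21-branch-03", "1.1.4 Build 20230301"),   # constructed: later build of same version
    ("ax21-branch-04", "unknown"),                # firmware string could not be read
]

if __name__ == "__main__":
    for bucket, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(devices) or '-'}")
```

Treat the "unknown" bucket as action items rather than noise: a router whose management interface returns no readable version string deserves the same attention as one that reports a pre-fix build.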
Owners of TP-Link routers should be aware of the signs of infection, which include overheating, internet disconnections, unexpected changes to the network settings, and resetting of admin user passwords.