Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Hackers Exploit TP-Link N-Day Flaw to Build Mirai Botnet

Quick Turnaround of New Vulnerability Shows Hackers Reacting Quickly to Patches
Hackers Exploit TP-Link N-Day Flaw to Build Mirai Botnet
Image: Shutterstock

Hackers are attempting to infect a consumer-grade Wi-Fi router model with Mirai botnet malware following the discovery of zero-days in the device in a December hacking competition.

See Also: Ransomware Response Essential: Fixing Initial Access Vector

Researchers from the Trend Micro's Zero Day Initiative said telemetry from Eastern Europe indicates that Mirai operators are exploiting a flaw in the TP-Link Archer AX21 firmware. The bug, CVE-2023-1389, allows attackers to inject a command into the router web management interface. A handful of teams competing in the December 2022 Pwn2Own competition in Toronto identified the flaw. TP-Link released a patch in mid-March.

The Mirai botnet is a legacy of three Minecraft players who in 2016 unleashed the botnet, which infects internet of things devices running on an ARC processor, as part of an intended protection racket against DDoS attacks. Someone posted the code online, leading cybercriminals to assemble their own Mirai botnets. The original coders pleaded guilty to federal charges in 2017 and cooperated with the FBI.

The Zero Day Initiative researchers said infections made with the newfound TP-Link Archer flaw are spreading beyond Eastern Europe into other locations around the globe. Analysis shows this version of Mirai takes pain to imitate legitimate traffic, "making it more difficult to separate DDoS traffic from legitimate network traffic."

The speed of adoption of the flaw as a vector for the botnet malware is also notable, the researchers said. "Seeing this CVE being exploited so quickly after the patch being released is a clear demonstration of the decreasing 'time-to-exploit' speed that we continue to see across the industry."


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.