A new Mirai botnet variant targets TP-Link Archer A21

Mirai botnet started exploiting the CVE-2023-1389 vulnerability (aka ZDI-CAN-19557/ZDI-23-451) in TP-Link Archer A21 in recent attacks.

Last week, the Zero Day Initiative (ZDI) threat-hunting team observed the Mirai botnet attempting to exploit the CVE-2023-1389 vulnerability (aka ZDI-CAN-19557/ZDI-23-451, CVSS v3: 8.8) in TP-Link Archer AX21 Wi-Fi routers.

The CVE-2023-1389 flaw is an unauthenticated command injection vulnerability that resides in the locale API of the web management interface of the TP-Link Archer AX21 router. The root cause of the problem is the lack of input sanitization in the locale API that manages the router’s language settings. A remote attacker can trigger the issue to inject commands that should be executed on the device.

The vulnerability was first reported to ZDI during the Pwn2Own Toronto 2022 event. Working exploits for LAN and WAN interface accesses were respectively reported by Team Viettel and Qrious Security. 

In March, TP-Link released a firmware update to address multiple issues, including this vulnerability.

ZDI reported that threat actors started exploiting the flaw after the public release of the fix, the attacks initially focused on Eastern Europe.

Threat actors are exploiting the flaw by sending a specially crafted request to the router that contains a command payload as part of the country parameter. The attackers send a second request that triggers the execution of the command.

“Starting on April 11th, we began seeing notifications from our telemetry system that a threat actor had started to publicly exploit this vulnerability.” reads the report published by ZDI. “Most of the initial activity was seen attacking devices in Eastern Europe, but we are now observing detections in other locations around the globe.”

The Mirai botnet is exploiting the issue to gain access to the device and downloads the malicious payload for the targeted architecture.

The Mirai botnet that is behind the attacks observed by ZDI is focused on launching DDoS attacks, it has the capability to target Valve Source Engine (VSE).

“Among the interesting functions is a TSource Engine Query attack functionality. This can be used to launch a Valve Source Engine (VSE) distributed denial-of-service (DDoS) attack against game servers.” continues the report.

This botnet version also supports a feature to mimic legitimate traffic, making it harder to separate malicious DDoS traffic from legitimate network traffic.

ZDI has provided Indicators of compromise (IoCs) for this campaign.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mirai botnet)