Thousands of TP-Link Routers Have Been Infected By a Botnet To Spread Malware (tomsguide.com)
- Reference: 0176676669
- News link: https://it.slashdot.org/story/25/03/11/207242/thousands-of-tp-link-routers-have-been-infected-by-a-botnet-to-spread-malware
- Source link: https://www.tomsguide.com/computing/malware-adware/thousands-of-tp-link-routers-have-been-infected-by-a-botnet-to-spread-malware
> According to a [2]new report from the Cato CTRL team, the Ballista botnet exploits a remote code execution vulnerability that directly impacts the TP-Link Archer AX-21 router. The botnet can lead to command injection, which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high-severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023, when it was used in the Mirai botnet malware attacks. The flaw was also linked to the Condi and AndroxGh0st malware attacks.
>
> Ballista's most recent exploitation attempt was on February 17, 2025, and Cato CTRL first detected it on January 10, 2025. Of the thousands of infected devices, the majority are concentrated in Brazil, Poland, the United Kingdom, Bulgaria and Turkey, with the botnet targeting manufacturing, medical/healthcare, services and technology organizations in the United States, Australia, China and Mexico.
[1] https://www.tomsguide.com/computing/malware-adware/thousands-of-tp-link-routers-have-been-infected-by-a-botnet-to-spread-malware
[2] https://www.catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers/
Upgraded to OpenWRT (Score:3)
Arguably, I should have done it sooner, but a couple of months ago I reflashed both my TP-Link WiFi routers (used simply as WAPs) with OpenWRT.
One was an Archer A7, and that was very easy -- I used the router's own Web interface to flash an OpenWRT image onto it. The other is an older Archer C7. That one required setting up a TFTP server for the router to pull the OpenWRT image from. But once done, both came up without issue.
Nevertheless, you must read the docs before embarking on this journey. OpenWRT is designed and built by and for technically astute users. You will be expected to understand how the various interfaces in the router connect to each other, and establish routing rules between them. There's a fair bit of it I still don't understand. In my case, however, the default rules were fine for setting up a simple WAP. Since my LAN already has a DHCP server, I also had to be sure to disable the one inside OpenWRT.
From a client perspective, the transition was invisible -- none of the WiFi gear in the house noticed, and kept on working.
OpenWRT also supports roll-back to the factory firmware. If you have a TPLink WiFi router that OpenWRT supports, you may care to give it a look.
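The "simple WAP with the built-in DHCP server disabled" setup the comment describes, as an added example that is not from the post or the OpenWrt project. It uses OpenWrt's uci tool; the addresses (AP at 192.168.1.2, existing router at 192.168.1.1 serving DHCP and DNS) are constructed values, and DRY_RUN=1 prints the commands instead of executing them so the plan can be reviewed before touching the device.

```shell
#!/bin/sh
# Added example: turn an OpenWrt device into a bridge-only access point that leaves
# DHCP/DNS to the existing router. Constructed values, adjust for your own LAN.
# DRY_RUN=1 prints each command instead of running it.

AP_ADDR="${AP_ADDR:-192.168.1.2}"   # fixed address for the access point itself
LAN_GW="${LAN_GW:-192.168.1.1}"     # the main router: gateway, DNS and DHCP server

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

configure_dumb_ap() {
    # Static address on the existing LAN; the WAN side is unused on an access point
    run uci set network.lan.ipaddr="$AP_ADDR"
    run uci set network.lan.gateway="$LAN_GW"
    run uci set network.lan.dns="$LAN_GW"
    # Stop answering DHCP on the LAN: a second DHCP server fights the real one
    run uci set dhcp.lan.ignore=1
    run uci commit network
    run uci commit dhcp
    # dnsmasq (DHCPv4/DNS) and odhcpd (DHCPv6/RA) are not needed on a bridge-only AP
    run /etc/init.d/dnsmasq disable
    run /etc/init.d/dnsmasq stop
    run /etc/init.d/odhcpd disable
    run /etc/init.d/odhcpd stop
    # The firewall stays enabled; with no WAN zone in use it only guards the AP itself
    run /etc/init.d/network restart
}

# Usage: sh dumb-ap.sh apply   (or: DRY_RUN=1 sh dumb-ap.sh apply to preview)
case "${1:-}" in
    apply) configure_dumb_ap ;;
esac
```

After the restart the AP is reachable only at its static address on the LAN, so the management interface is never on a WAN-facing interface.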
pushback? (Score:2)
I would hope that ISPs could be more active in this and run detection sniffers. When they discover a router is "pwned", send a notice to the owner with a short deadline to have it corrected, and if the issue isn't corrected, heavily or completely block the device. Won't work for all types of customers/sites, and has some risk involved. But it could be an effective weapon to help protect the internet (or at least constrain attacks some) from DDoS stuff.
Sounds horrible, but I kinda like that project I read a
Still none the wiser .. (Score:2)
“The attack sequence is as follows: it [1]starts with a malware dropper [tomsguide.com], then a shell script designed to fetch and execute the main binary on the target system for various system architectures.”
“As reported by BleepingComputer and discovered by the cybersecurity firm ThreatFabric, [2]malware droppers [tomsguide.com] like the newly uncovered SecuriDropper provide hackers with a way to install malicious payloads on compromised devices.”
[1] https://www.tomsguide.com/computing/malware-adware/thousands-of-tp-link-routers-have-been-infected-by-a-botnet-to-spread-malware
[2] https://www.tomsguide.com/news/new-android-malware-dropper-sneaks-past-google-protect-yourself-now
Here's How (Score:2)
The compromise starts with one of two things.
1. a.) A Remote Code Execution (RCE) vulnerability in the router's web management interface. Stupid people expose this interface to the internet. But, while more difficult, it is also possible to make users execute the code needed to trigger the vulnerability from inside the network.
   b.) Default administrator password on the internet-exposed management interface.
2. The "malware dropper" is a series of commands used to install software onto the router that connects i
Incompetence On Both Sides (Score:2)
I feel that this is more to do with the incompetence of dirt-cheap production (firmware development) and dirt-cheap consumers that neither update their firmware nor change their default password.
I may be wrong, but I don't think that this is willful backdooring from TP-Link, as the rumors and stories of government investigation are implying. We saw a very similar scenario with the cheap Linksys stuff that Cisco was pumping out. Until they started shipping with randomized passwords and automatic firmware upda
Re: (Score:2)
I know plenty of 'expensive' developers, some with published patents, that have very little clue about security.
I remember one time at a former company where the 2 most "senior" developers did not understand why they needed to protect against SQL Injection in their code since "our servers are behind a Firewall".
In another case a dev designed a service to remote control self-driving cars, on public roads, over HTTP, and he would send the root password over that. He said it was safe since he used Basic Auth.
In Fairness (Score:2)
I totally agree that good, seasoned, and expensive developers can introduce vulnerabilities just as well as cheap developers. And, I also agree that there are many expensive developers that have no clue about network security, or even software security.
But, I feel that when you're using the cheapest students and interns as developers, you're going to have a higher incidence of these vulnerabilities. I'm pretty sure that TP-Link isn't hiring grads from MIT and Stanford with 10 years of experience.
Re: (Score:2)
If flashing them with OpenWRT removes the vulnerability (and makes the router perform better, or at least not worse)... then that seems like a market opportunity for someone to do some value-add for people who don't want to flash their own routers.
Do not expose management interface to the internet (Score:2)
If you are exposing the web management interface to the internet you are an idiot. The majority of routers do not have this enabled by default. My personal Archer router even has a whitelist of MAC addresses that can manage it. My older Asus router has the ability to only enable management from a wired interface, so you need to be physically connected to the local network to manage it. In the end, security is only as good as the end user. A correctly configured router should present a non-existent device to the internet.
Router (Score:3)
I do not trust home devices for security. I built a router running pfSense. Everything is behind this, and I have rules in place to prevent stray data from escaping.
I also put in PiHole for general DNS filtering (pfSense has this ability too).
People don't care, but I do.
Re: Router (Score:3)
Your router is a home device.
Re: (Score:2)
Is it? Just because it is in my "home" and not at my "business"?