Mirai botnet hackers targeting TP-Link router zero-day vulnerability
Hackers are using a new zero-day vulnerability to attack a line of TP-Link routers based primarily in Eastern Europe and add them to the Mirai botnet.
The vulnerability – CVE-2023-1389 – was discovered last December at the Pwn2Own Toronto event. It affects the TP-Link Archer AX21, a popular brand of router available to most consumers for under $90. It opens the door for the infamous Mirai malware, which compromises a variety of devices and adds them to a botnet – a network of infected computers that can be used to knock websites and other services offline.
Major router manufacturers like the Hong Kong-based TP-Link have long been a target of Mirai hackers, who frequently use new vulnerabilities to exploit devices and add them to their botnet.
The Hong Kong-based company patched the vulnerability in March, but now a team from Trend Micro’s Zero Day Initiative (ZDI) has discovered “that exploit attempts using this CVE were detected in the wild.”
“Starting on April 11, we began seeing notifications from our telemetry system that a threat actor had started to publicly exploit this vulnerability,” ZDI said in a blog post.
“Most of the initial activity was seen attacking devices that are in Eastern Europe, but we are now observing detections in other locations around the globe.”
The researchers found several ties to Mirai infrastructure and tools used by the hackers to take over devices.
One specific feature is a functionality that allows the device to be used in distributed denial-of-service (DDoS) attacks against game servers. DDoS attacks flood targeted websites with junk traffic, making them unreachable.
The hackers also use other features to make traffic from the device look legitimate, making it more difficult to identify the DDoS traffic.
But what alarmed ZDI researchers most was how quickly the vulnerability was added to the hackers’ toolkit.
“Seeing this CVE being exploited so quickly after the patch being released is a clear demonstration of the decreasing ‘time-to-exploit’ speed that we continue to see across the industry,” they wrote.
“That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT [internet-of-things] devices to maintain their foothold in an enterprise.”
Researchers are constantly discovering new variants of the Mirai malware, most recently in February. The botnet was first discovered in August 2016 and has been used to facilitate some of the most disruptive DDoS attacks on record.
That year, it used more than 100,000 infected devices to launch a DDoS attack on the Domain Name System provider Dyn.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.