TP-Link routers under attack from Dark.IoT botnet
The operators of a botnet known as Manga, Dark Mirai, and Dark.IoT are currently abusing a recently disclosed vulnerability to hijack TP-Link routers and add them to their network of hacked devices.
According to security firm Fortinet, Dark.IoT operators are most likely using default passwords to access devices and use Kamilló’s bug to gain full control over unpatched TP-Link TL-WR840N routers.
While there are several DDoS botnets targeting routers that are currently active today, Fortinet said it’s been tracking this particular threat because its operator is one of the most active botnet developers today.
Fortinet researcher Joie Salvio said that since February this year, when the Dark.IoT botnet was first spotted in attacks, this botnet has constantly weaponized recently disclosed vulnerabilities to hijack devices as soon as details about security flaws were published online.
Other attacks also targeted Cisco, Tenda, DLink, and MicroFocus routers, according to Juniper Labs, while other campaigns targeted SonicWall, Netis, and Yealink devices, according to Palo Alto Networks.
“Throughout its life, this ongoing campaign has been very active in targeting newly discovered vulnerabilities,” Salvio said today. “In fact, right before this blog was published, our monitoring system encountered yet another updated variant that we are currently investigating.”
Just like all Mirai-based botnets, Dark.IoT is capable of launching distributed denial of service (DDoS) attacks and using infected systems as proxies to relay malicious traffic. While Fortinet hasn’t reported any active DDoS attacks coming from this botnet, Salvio said there are extensive DDoS functions in the code to perform a wide array of DDoS attack types.
Salvio recommended that TP-Link owners using the vulnerable TL-WR840N model update their firmware to the latest version.