TP-Link routers under attack from Dark.IoT botnet
Image: The Record
Catalin Cimpanu December 9, 2021

TP-Link routers under attack from Dark.IoT botnet

TP-Link routers under attack from Dark.IoT botnet

The operators of a botnet known as Manga, Dark Mirai, and Dark.IoT are currently abusing a recently disclosed vulnerability to hijack TP-Link routers and add them to their network of hacked devices.

The attacks, which began around two weeks ago, are abusing a vulnerability tracked as CVE-2021-41653, disclosed by Hungarian security researcher Matek Kamilló at the start of November.

According to security firm Fortinet, Dark.IoT operators are most likely using default passwords to access devices and use Kamilló’s bug to gain full control over unpatched TP-Link TL-WR840N routers.

While there are several DDoS botnets targeting routers that are currently active today, Fortinet said it’s been tracking this particular threat because its operator is one of the most active botnet developers today.

Fortinet researcher Joie Salvio said that since February this year, when the Dark.IoT botnet was first spotted in attacks, this botnet has constantly weaponized recently disclosed vulnerabilities to hijack devices as soon as details about security flaws were published online.

Some of Dark.IoT’s past attacks included campaigns leveraged against routers using Arcadyan and Realtek-based firmware, days after those issues were disclosed.

Other attacks also targeted Cisco, Tenda, DLink, and MicroFocus routers, according to Juniper Labs, while other campaigns targeted SonicWall, Netis, and Yealink devices, according to Palo Alto Networks.

“Throughout its life, this ongoing campaign has been very active in targeting newly discovered vulnerabilities,” Salvio said today. “In fact, right before this blog was published, our monitoring system encountered yet another updated variant that we are currently investigating.”

Just like all Mirai-based botnets, Dark.IoT is capable of launching distributed denial of service (DDoS) attacks and using infected systems as proxies to relay malicious traffic. While Fortinet hasn’t reported any active DDoS attacks coming from this botnet, Salvio said there are extensive DDoS functions in the code to perform a wide array of DDoS attack types.

Salvio recommended that TP-Link owners using the vulnerable TL-WR840N model update their firmware to the latest version.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.