April 17, 2024 at 10:22AM
Multiple botnets are exploiting a command-injection flaw in TP-Link Archer AX21 routers for DDoS attacks. Although a patch for CVE-2023-1389 is available, threat actors are compromising unpatched devices to deploy botnets such as Moobot, Miori, AGoent, Gafgyt, and variants of Mirai. FortiGuard advises applying the patch and staying vigilant against DDoS botnets targeting IoT environments.
From the meeting notes:
– There is a critical command-injection vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers affecting devices Version 1.1.4 Build 20230219 or prior, tracked as CVE-2023-1389.
– Threat actors are using various botnets (Moobot, Miori, AGoent, Gafgyt variant, and Mirai variant) to exploit this vulnerability for distributed denial of service (DDoS) attacks and other nefarious activities.
– The exploit allows unauthenticated command-injection via the ‘Country’ field in the router’s management interface, opening the device to compromise and unauthorized access.
– Botnets such as AGoent, the Gafgyt variant, Moobot, and various Mirai variants are actively targeting unpatched devices to carry out DDoS attacks, retrieve and execute files, establish connections with command-and-control servers, and conduct brute-force attacks.
– FortiGuard recommends timely patching of affected devices and vigilance against DDoS botnet attacks in IoT environments.
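The notes above say the flaw is an unauthenticated command injection through the ‘Country’ field of the management interface, and the closing advice is to watch for indicators of compromise. The following added example (written for this page, not FortiGuard's or TP-Link's code) shows the defensive side of that: an allowlist check that a safe firmware would apply to a country value, and a small access-log scanner that flags requests whose `country` parameter carries shell metacharacters or otherwise falls outside the allowlist. The endpoint path, the log lines, and the parameter name `country` are constructed for the example; the real router's URL is not given on the page.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed Common Log Format lines (not real traffic). The endpoint path is a
# placeholder; only the query parameter 'country' matters for the check.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Apr/2024:10:22:01 +0000] "GET /PLACEHOLDER_MGMT_ENDPOINT?form=country&country=US HTTP/1.1" 200 512
192.0.2.11 - - [17/Apr/2024:10:22:05 +0000] "GET /PLACEHOLDER_MGMT_ENDPOINT?form=country&country=US%3Becho+hi HTTP/1.1" 200 512
192.0.2.12 - - [17/Apr/2024:10:22:09 +0000] "GET /PLACEHOLDER_MGMT_ENDPOINT?form=country&country=%60uname%60 HTTP/1.1" 200 512
192.0.2.13 - - [17/Apr/2024:10:22:12 +0000] "GET /PLACEHOLDER_MGMT_ENDPOINT?form=country&country=usa HTTP/1.1" 200 512
192.0.2.14 - - [17/Apr/2024:10:22:15 +0000] "GET /PLACEHOLDER_MGMT_ENDPOINT?form=status HTTP/1.1" 200 128
"""

# Parser for one Common Log Format line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A country setting should be exactly two uppercase ASCII letters; anything else is rejected.
COUNTRY_CODE = re.compile(r'^[A-Z]{2}$')

# Characters that have no business in a country code but do have meaning to a shell.
SHELL_META = re.compile(r'[;&|`$(){}<>\n]')


def is_valid_country(value: str) -> bool:
    """Allowlist check a hardened handler applies before the value reaches any command."""
    return COUNTRY_CODE.fullmatch(value) is not None


def extract_country(target: str) -> Optional[str]:
    """Return the percent-decoded 'country' query parameter from a request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("country")
    return values[0] if values else None


def classify(value: str) -> Optional[str]:
    """Why a country value is suspicious, or None if it passes the allowlist."""
    if is_valid_country(value):
        return None
    if SHELL_META.search(value):
        return "shell metacharacters in country parameter"
    return "country parameter outside allowlist"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Walk access-log lines and collect requests whose 'country' value fails the allowlist."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable log line
        value = extract_country(m.group("target"))
        if value is None:
            continue  # request does not touch the country setting
        reason = classify(value)
        if reason:
            hits.append({"ip": m.group("ip"), "value": value, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']}: {hit['reason']} ({hit['value']!r})")
```

The allowlist is the real fix: a handler that accepts only two-letter codes never has to worry about escaping. The log scan is the compensating control for devices that are still unpatched, and it keys on the shape of the value rather than on any specific payload, so it does not need an up-to-date list of exploit strings.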
To mitigate these threats, it's strongly recommended to apply the available patch to affected devices and to follow best practices for securing IoT devices. Network administrators should also review the indicators of compromise provided by FortiGuard to identify potential attacks.