Botnets Continue Exploiting TP-Link (CVE-2023-1389) Command Injection Vulnerability

A critical remote code execution vulnerability (CVE-2023-1389) was identified in TP-Link Archer AX21 (AX1800) routers with firmware version 1.1.4 Build 20230219 or prior, allowing attackers to inject malicious code and gain complete control of the affected devices. 

Even though a fix was released last year, recent attacks targeting this vulnerability have been observed, in which the attackers use various botnets, including Moobot, Miori, AGoent, and a Gafgyt variant, to exploit vulnerable devices.

IPS telemetry

A vulnerability (CVE-2023-1389) in TP-Link Archer AX21 routers allows attackers to inject commands through a crafted country parameter, which is used by the router’s “set_country” function and isn’t properly sanitized, enabling attackers to execute arbitrary commands with root privileges. 
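The two checks a defender wants from the paragraph above are "is this router on an affected build?" and "did anyone send a `country` value that is not a country code?". The following Python is an added example written for this page; it is not code from the article or from Fortinet. It assumes web-server access logs in common log format, takes the version cut-off (1.1.4 Build 20230219 or earlier) and the parameter name `country` from the article, and uses a placeholder request path, since the article does not name the affected endpoint. The log lines are constructed samples, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Last affected firmware per the article: "1.1.4 Build 20230219 or prior".
LAST_AFFECTED = (1, 1, 4, 20230219)


def parse_firmware(version: str) -> tuple:
    """Turn 'X.Y.Z Build YYYYMMDD' into a tuple that compares in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the Archer AX21 firmware is at or below the last affected build."""
    return parse_firmware(version) <= LAST_AFFECTED


def query_params(path: str) -> dict:
    """Split the query string of a request path into {name: [values]}.
    Done by hand so that ';' inside a value is never treated as a separator."""
    params = {}
    for pair in path.partition("?")[2].split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


# A legitimate value is a short alphabetic country code; anything else is worth a look.
COUNTRY_OK = re.compile(r"[A-Za-z]{2,3}")
SHELL_META = re.compile(r"[;`$|&<>\n]")  # metacharacters that have no place in a country code


def suspicious_country_values(log_lines) -> list:
    """Return (line_number, value) for requests whose 'country' parameter is not a plain country code."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST)\s+(\S+)\s+HTTP', line)  # request path inside the quoted request
        if not m:
            continue
        for value in query_params(m.group(1)).get("country", []):
            if SHELL_META.search(value) or not COUNTRY_OK.fullmatch(value):
                hits.append((n, value))
    return hits


# Constructed sample log lines; the request path is a placeholder, not the real endpoint.
LOG_LINES = [
    '192.0.2.10 - - [10/May/2024:10:00:01 +0000] "GET /cgi-bin/PLACEHOLDER_ENDPOINT?country=US HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2024:10:00:05 +0000] "POST /cgi-bin/PLACEHOLDER_ENDPOINT?country=%24%28id%29 HTTP/1.1" 200 0',
    '192.0.2.11 - - [10/May/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("affected:", is_affected("1.1.4 Build 20230219"))   # True
    print("suspicious:", suspicious_country_values(LOG_LINES))  # [(2, '$(id)')]
```

The version check treats the build date as the lowest-order component so that a later build of the same 1.1.4 line still sorts after the affected one; the log check flags the value, not the path, so it keeps working if the device exposes the parameter on more than one URL.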

Vulnerability Proof-Of-Concept

A specific malware, AGoent, exploits this vulnerability by fetching a script that retrieves and executes a Linux ELF file suited for the target architecture and then creates a new user account with random credentials and sends them to its C&C server. 

Malware Execution

The Gafgyt variant infects Linux devices and turns them into DDoS bots: it downloads a script, “bins.sh”, to initiate the attack, which in turn retrieves an executable, “rebirth.x86”, for execution.

Gafgyt transmits compromised device information to its C&C server upon connection and waits for commands, which include launching UDP/TCP flood attacks, sending Xmas attacks, defining attack packet content, and stopping ongoing attacks. 

The script file “bins.sh”

Moobot, a Mirai variant, fetches a script from a specific IP to download an ELF file for its architecture, and after execution, Moobot deletes itself, hides traces, and launches DDoS attacks upon receiving commands from its C2 server. 

Another Mirai variant downloads a script and a compressed ELF file, displays a message, terminates network analysis tools, and sends data to its C2 server, which can initiate DDoS attacks with specific parameters (duration, target IP, port) based on C2 server instructions.

Packet analysis tool list

Miori and Condi are Mirai variants that share similar modules but differ in functionality. Miori fetches a batch script and ELF files over HTTP and TFTP, decrypts its configuration with an XOR key, and sends data to a C2 server.

Condi’s attacking methods

Condi retrieves its downloader script using multiple protocols and executes it with a parameter upon receiving a command; it also deletes the system shutdown and reboot binaries and terminates processes matching predefined names.

Both variants demonstrate updated attacking methods. 

According to Fortinet, the Indicators of Compromise (IOCs) provided include a list of URLs, domain names, IP addresses, and file hashes, which can be used to identify potential security incidents such as malware infections or data breaches.  

An investigator can use these IOCs to search network traffic logs, endpoint detection and response (EDR) tools, and forensic artifacts to identify compromised systems.


Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
