TP-Link’s Archer AX21 routers are under active exploitation by a new threat actor called Condi, which is adding them to its botnet for a DDoS rental service.
Researchers noted that the Condi gang is also selling its botnet source code and related tools for quick money while exploiting vulnerable routers to grow its network. TP-Link has released a patch for this bug and urges users to upgrade immediately.
Targeting Vulnerable TP-Link Routers
Researchers at Fortinet describe the new threat actor in the wild, Condi, as exploiting vulnerable TP-Link Archer AX21 routers to build a DDoS botnet. These Wi-Fi routers are affected by a security bug, tracked as CVE-2023-1389, that allows unauthenticated command injection and thus remote code execution on exposed devices.
The same bug was reported earlier by ZDI, which prompted TP-Link to release a patch update. But those who did not apply this upgrade and expose their AX21 routers to the web are now targeted by the Condi gang for their DDoS-as-a-Service botnet.
Aside from renting this network out for malicious purposes, researchers say that the Condi gang is also selling its botnet’s source code for quick money. Though this makes it easy for rivals to appear, Condi’s approach stands out. It starts by scanning the web for public IPs with open ports 80 or 8080 and installs a remote shell script to infect the new device.
Some samples also indicated that the botnet infects through an open ADB port (TCP/5555). Once in, it kills competing processes of rival botnets (if any) and its own older versions to make way for the new one. Also, since Condi has no persistence mechanism across device reboots, it removes the files responsible for shutting down or restarting the device in order to keep control for longer.
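The scanning behaviour described above (sweeps of ports 80 and 8080, plus ADB on TCP/5555) is something a network defender can look for in perimeter logs. The following is an added example, not code from the article or from Fortinet: it parses a handful of constructed firewall log lines in a hypothetical format, flags any source that touches many distinct hosts on those ports, and lists the hosts that received ADB connection attempts so their exposure can be checked. The log format, the IP addresses and the `SCAN_THRESHOLD` value are all assumptions made for the demonstration.

```python
"""Added example (not from the original article): flag sources that sweep
many distinct targets on the ports the article says Condi scans (80, 8080)
or uses for ADB infection (5555). Log lines are constructed and use a
hypothetical firewall-log format: "<timestamp> <src> -> <dst>:<dport> <action>".
"""
from collections import defaultdict

# Ports called out in the article: HTTP management (80/8080) and ADB (5555).
WATCHED_PORTS = {80, 8080, 5555}
# Assumed threshold: a source reaching this many distinct hosts on watched
# ports within the log window is treated as a scanner.
SCAN_THRESHOLD = 5

# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2023-06-20T10:00:01 203.0.113.7 -> 192.0.2.10:80 SYN
2023-06-20T10:00:01 203.0.113.7 -> 192.0.2.11:80 SYN
2023-06-20T10:00:02 203.0.113.7 -> 192.0.2.12:8080 SYN
2023-06-20T10:00:02 203.0.113.7 -> 192.0.2.13:80 SYN
2023-06-20T10:00:03 203.0.113.7 -> 192.0.2.14:5555 SYN
2023-06-20T10:00:03 203.0.113.7 -> 192.0.2.15:80 SYN
2023-06-20T10:00:05 198.51.100.4 -> 192.0.2.10:443 SYN
2023-06-20T10:00:06 198.51.100.4 -> 192.0.2.10:80 SYN
2023-06-20T10:00:07 198.51.100.9 -> 192.0.2.20:5555 SYN
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one constructed log line into (src, dst, dport); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    src = parts[1]
    dst, _, port = parts[3].rpartition(":")
    if not dst or not port.isdigit():
        return None
    return src, dst, int(port)


def find_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Return {src: sorted distinct targets} for sources that reached at least
    `threshold` distinct hosts on the watched ports. Connections to other
    ports (e.g. 443) are ignored so ordinary browsing does not trip the rule."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in WATCHED_PORTS:
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= threshold}


def adb_targets(log_text):
    """Hosts that received ADB (TCP/5555) connection attempts: these are the
    devices whose ADB exposure should be verified and closed off."""
    hosts = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and parsed[2] == 5555:
            hosts.add(parsed[1])
    return sorted(hosts)


if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"possible scanner {src}: {len(hosts)} distinct targets on watched ports")
    print("hosts that received ADB connection attempts:", adb_targets(SAMPLE_LOG))
```

On the constructed input only `203.0.113.7` crosses the threshold (six distinct hosts on ports 80, 8080 and 5555), while `198.51.100.4` touches a single host and is ignored. In a real deployment the threshold and window would be tuned to the site’s own traffic, and the ADB list would feed an inventory check rather than being treated as proof of compromise.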
Thus, if you use a TP-Link Archer AX21 router, you are strongly recommended to upgrade the device’s firmware. Check the TP-Link download centre for the required patch update.