Mirai Malware Exploiting High-Severity Flaw in TP-Link Routers
The security landscape of the internet is ever-changing, and hackers always seem to be one step ahead of the game. Recently, a new malware called Mirai has been discovered, which targets certain TP-Link Wi-Fi routers to hijack them into a vast botnet that can later be used for Distributed Denial of Service (DDoS) attacks. In this article, we will discuss the details of this security flaw, how the Mirai malware is exploiting it, and what steps users can take to protect themselves from it.
Contents
Mirai Malware and TP-Link Routers
The Mirai malware is a malicious software that turns internet-connected devices into bots that can be used to conduct DDoS attacks. These attacks involve flooding a website or server with traffic, overwhelming it and causing it to go offline. In recent years, Mirai has been responsible for some of the most massive DDoS attacks in history, including the attack on Dyn, which disrupted internet services across the United States and Europe.
Recently, experts have detected a high-severity security flaw in certain TP-Link Wi-Fi routers that is being used to hijack the devices and recruit them into the Mirai botnet. The flaw, known as CVE-2023-1389, is an unauthenticated command injection flaw in the locale API of the web management interface on the device. This vulnerability has a severity score of 8.8, making it a high-risk security threat.
Zero Day Initiative Report
The Zero Day Initiative (ZDI), a program created to encourage the reporting of zero-day vulnerabilities privately to the affected vendors, recently released a report on this issue. According to the report, since mid-April this year, threat actors have been abusing the CVE-2023-1389 flaw found in TP-Link Archer A21 (AX1800) Wi-Fi routers to deploy the Mirai malware. The hackers first targeted routers in Eastern Europe earlier this month, only to expand globally later on.
TP-Link’s Response
TP-Link was tipped off about the existence of the zero-day in January this year, after two separate research groups demonstrated how to abuse the flaw during the Pwn2Own Toronto hacking event in December 2022. The company first attempted to fix the issue in late February, but the patch was incomplete, and the devices remained vulnerable. However, last month, TP-Link issued a new firmware update that successfully addressed CVE-2023-1389.
IT admins and owners of the Archer AX21 AX1800 Wi-Fi router should make sure their device’s hardware is updated to at least version 1.1.4 Build 20230219. Failure to update the router’s firmware could leave it vulnerable to Mirai attacks.
Symptoms of a Compromised Router
If you suspect that your TP-Link Wi-Fi router may have been compromised, there are several symptoms to look out for. These include frequent disconnections from the internet, changes to the device’s network settings that no one seems to have made, the resetting of administrator credentials, and the inexplicable overheating of the router. If you notice any of these symptoms, you should take immediate action to protect your device.
Conclusion
The discovery of the high-severity security flaw in certain TP-Link Wi-Fi routers is a significant concern for internet users worldwide. Hackers are using this vulnerability to deploy the Mirai malware, which can turn devices into bots for DDoS attacks. TP-Link has released a firmware update that addresses the issue, and users should ensure that their routers are updated to the latest version.
