New Mirai-Based Campaign Targets Unpatched TP-Link RouterFirmware Updated; Users Advised to Patch to Avoid DDOS Attacks
A new ongoing malware campaign is currently being distributed in the wild targeting unpatched TP-link wireless routers by leveraging a post-authenticated remote command execution, or RCE, vulnerability, according to FortiGuard Labs researchers.
The updated variant of the MANGA campaign, also known as Dark, distributes samples based on Mirai’s published source code.
"This Mirai-based Distributed Denial of Service (DDOS) botnet campaign is one that FortiGuard Labs has been actively monitoring. The campaign originally piqued our interest due to the continuous updating of its list of target vulnerabilities - more so than other campaigns we have seen so far," FortiGuard Labs says.
TP-Link has released updated firmware for this affected hardware version, and users are encouraged to update their devices immediately.
A spokesperson for TP-Link was not immediately available to comment.
“The Dark botnet has a track record of quickly weaponizing and integrating command injection and remote command execution vulnerabilities," says Pascal Geenens, director of threat intelligence at security company Radware.
Geenens says that Palo Alto Network's Unit 42 first discovered this Mirai variant in February 2021 and reported that the operators were leveraging pre-authentication remote command execution flaws within hours of the vulnerabilities being disclosed.
At initial discovery, Geenens says, the bot included five known and three unidentified vulnerabilities.
The latest Mirai-based botnet campaign, referred as MANGA by the researchers at FortiGuard Labs, has a token string used to include its SSH/telnet commands, which is also referred as Dark due the filenames used for its binaries, such as dark.arm, dark.mips and others, the researchers say.
They say that the threat actors could have exploited the gap between the time of disclosure of a vulnerability and the application of a patch to compromise IoT devices.
"This gives it a higher potential of spreading, making it more prolific than similar botnets. The latest addition to its constantly growing list of targeted vulnerabilities is TP-Link Home Wireless Routers, particularly the TL-WR840N EU (V5) model. The vulnerability it targets, assigned CVE-2021-41653, was only just discovered on November 12 of this year. And barely two weeks later, on November 22, a sample from the MANGA malware campaign was seen actively exploiting it in the wild," the researchers say.
FortiGuard Labs referred to a blog post by Hungary-based hacker and security researcher Kamilló Matek, who discusses the full details of this vulnerability, which is a vulnerable host parameter that allows authenticated users to execute arbitrary commands in the target device.
"In this case, it is being exploited to force vulnerable devices to download and execute a malicious script, tshit.sh, which then downloads the main binary payloads," the FortiGuard Labs researchers say.
According to the researchers, this exploitation requires authentication to succeed. They advise users to change their default credentials.
With Mirai’s normal infection routine, they say, the executed shell script downloads the main payload binaries and executes blindly in the victim's systems for different architectures and platforms.
"Botnet operators have been favoring easy-to-exploit remote command execution and command injection exploits for years. Most exploits are pre-authentication and easy to implement through HTTP requests. This newly disclosed TP-link vulnerability is a post-authentication RCE vulnerability leveraging the HTTP protocol," Geenens tells Information Security Media Group.
The researchers say that Mirai also prevents other botnets from taking over the device by restricting connections to commonly targeted ports.
"The malware waits for a command from its command-and-control server to perform different variations of a Denial-Of-Service (DOS) attack," the researchers say.
Geenens says that despite it being post-authentication, the vulnerability has to be taken seriously and has the potential to cause damage because of TP-Link’s default credentials "admin:admin."
"We all recall how many devices the original Mirai was able to infect leveraging a list of merely 60 default credentials over simple Telnet," Geenens says.
Other Activities by Dark
Geenens says that in August 2021, researchers at Juniper Threat Labs observed Dark leveraging a supply chain vulnerability affecting IoT devices manufactured by nearly two dozen vendors two days after Tenable had published the vulnerability details.
"The same month, Radware reported that Dark was leveraging a supply chain vulnerability affecting Realtek’s Jungle SDK router. And in September, the operators integrated a vulnerability affecting a dozen IP camera manufacturers and the OMIGOD pre-authentication RCE vulnerability known to affect more than half of all Microsoft Azure cloud instances," Geenens says.
He says that the addition of OMIGOD reminds him of DDoS botnets operators who not only target IoT, but are also capable of attacking cloud computing services.
This new discovery, Geenens says, confirms that Dark's operators are still adding more vulnerabilities and potentially increasing the footprint of their botnet.
Timeline of Events
Matek in his blog post says that TP-Link security team was informed about the vulnerability on Sept. 20, and the company's security team responded after two days, seeking technical details.
On Nov. 1, the TP-Link security team prepared two beta firmware updates, and an issue was fixed in the beta firmware. Later, the CVE was assigned and the firm released the patch on Nov. 12.
"Throughout its life, this ongoing campaign has been very active in targeting newly discovered vulnerabilities. In fact, right before this blog was published, our monitoring system encountered yet another updated variant that we are currently investigating," the researchers say. "FortiGuard Labs will continue monitoring this campaign and provide updates as necessary."