Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Surging Condi Botnet Campaign Hits Unpatched TP-Link Routers

Stresser/Booter Service's Mirai-Based Botnet Sample Only Spreads via Single Flaw
Surging Condi Botnet Campaign Hits Unpatched TP-Link Routers
TP-Link Archer AX21 (Image: TP-Link)

A stresser/booter service selling website disruptions via a Mirai-based botnet called Condi is the latest to target consumer-grade Wi-Fi routers running unpatched firmware.

See Also: SASE: Recognizing the Challenges of Securing a Hybrid Workforce

A threat actor has advertised the Condi botnet through a "Condi Network" Telegram channel launched in May 2022 and is monetizing the service by offering distributed denial-of-service attacks as well as selling the source code for the botnet itself, security researchers at cybersecurity firm Fortinet reported.

Recent versions of the botnet source code have been updated to target TP-Link Archer AX21 - aka AX1800 - routers that remain vulnerable to CVE-2023-1389, according to the FortiGuard Labs research team. The bug allows "an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request," according to the U.S. National Vulnerability Database.

The bug is present in TP-Link Archer AX21 firmware versions prior to 1.1.4 build 20230219.

The TP-Link flaw became public knowledge during the Pwn2Own competition last December in Toronto, when three different teams independently exploited the flaw via either LAN or WAN. The teams also tipped off China-based TP-Link to the flaw, and in March the vendor updated the device firmware to patch the flaw.

In April, researchers from Trend Micro's Zero Day Initiative reported that CVE-2023-1389 had been "added to the Mirai botnet arsenal." Devices in Eastern Europe appeared to fall victim first, but infections have already spread outside the region.

Mirai-Based Botnets Power On

Numerous versions of Mirai are in the wild, and routers remain one of their top targets. Last month, security researchers warned that a flaw in numerous Zyxel network devices, fixed via an update released in April, was being exploited at a massive scale.

Mirai first appeared in 2016, thanks to three gamers designing a botnet that could infect a large number of internet of things devices by using their default or hard-coded credentials. While the original Mirai coders pleaded guilty to federal charges in 2017, someone leaked the Mirai source code online, and since then many different attackers have continued to adapt and use it.

They include the operator of Condi, who has already iterated the botnet's source code multiple times. Fortinet's teardown of the code found that the malware not only attempts to deactivate rival botnet code but also aims "to kill off older versions of Condi currently running on an infected device together with selected system processes," including binaries that could be used to shut down or reboot the system, since this would eradicate the Mirai infection.

Fortinet researchers said the latest version of Condi abounds with serious errors "likely to wreak havoc and prevent the infected device from functioning correctly if the malware happens to terminate system processes."

The original Mirai malware possessed the ability to spread itself to dozens of different types of IoT devices still in their default configuration. Subsequently, many versions of Mirai have been updated to target known vulnerabilities in a range IoT devices.

Target of Sample: Single Flaw

Fortinet's researchers said that while versions of Condi previously seen in the wild also targeted a laundry list of devices with known vulnerabilities, the fresh sample they found only scans for CVE-2023-1389.

"Unlike most DDoS botnets, this sample does not propagate by trying different credentials," the firm reported. "Instead, it embeds a simple scanner modified from Mirai's original telnet scanner to scan for any public IPs with open ports 80 or 8080 - commonly used for HTTP servers - and then sends a hard-coded exploitation request to download and execute a remote shell script … which will infect the device with Condi if it is a vulnerable TP-Link Archer AX21 device."

Seeing a Mirai-based sample only target a single vulnerability "is a bit unusual, but not unheard of," said Joie Salvio, a senior threat researcher at FortiGuard Labs. "Usually they would target several vulnerabilities and also implement telnet or SSH credential brute-forcing to increase the chance of spreading." The attackers' rationale for only hitting the single flaw isn't clear, but could involve a belief that the single vulnerability is very widespread, he said.

The malware sample reaches out to a command-and-control network running on a subdomain of a domain that was previously mentioned tied to the Condi Network Telegram channel, according to Fortinet's researchers. Potentially, this means the Condi operator, rather than someone who purchased the Condi source code and is running their own version of the DDoS botnet, is behind these attacks.

"We cannot conclusively prove the ownership of that domain, since its Whois information is privacy-protected," Salvio told Information Security Media Group.

Fortinet published a list of URLs that infected routers hail to download the remote shell script, as well as two known command-and-control server addresses, all of which can be blocked to defend against this particular Condi sample.

June 22, 2023 15:45 UTC: This story has been updated to include comments from Fortinet's Joie Salvio.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.