A model of internet routers marketed to consumers and businesses is being targeted as part of an effort to grow a new botnet known as Ballista.

Researchers at cybersecurity firm Cato Networks said that during a recent investigation into router vulnerabilities, they discovered the botnet infecting TP-Link Archer routers. The hacker behind the malware, who they believe is based in Italy, has been exploiting a firmware vulnerability tracked as CVE-2023-1389 to allow the botnet to “spread itself automatically over the Internet” through the unpatched TP-Link devices.

The Cybersecurity and Infrastructure Security Agency previously confirmed that CVE-2023-1389 is being exploited in the wild and ordered U.S. civilian agencies to patch the bug. The documentation for the vulnerability and the patch emphasize the TP-Link model known as AX21 or AX1800.

The researchers said they named the botnet Ballista as a reference to an ancient Roman weapon and said it has targeted manufacturing, healthcare, services and technology organizations in the U.S., Australia, China and Mexico. Cato Networks found some evidence that the threat actor involved deploys tools to potentially steal data from infected networks.

Ofek Vardi, security engineer at Cato Networks, said the researchers are moderately confident the hacker is based in Italy because of the IP address location of the command and control (C2) server and because of Italian-language strings found within the malware’s code. The researchers declined to comment on whether Italian or European authorities have been notified of the threat actor or the campaign.

The IP address tied to the threat actor is no longer responding, the researchers said, adding that they have found a new variant of the malware on the code repository GitHub.

“We saw it evolving, as within a short timeframe, the threat actor changed the initial dropper to allow stealthier connections to the C2 server through the Tor network,” said Matan Mittelman, threat prevention team leader at Cato Networks.

The malware fully takes over a device and reads configuration files on the system before setting up encrypted links and attempting to spread to other devices automatically by exploiting CVE-2023-1389. A search on the cybersecurity platform Censys found more than 6,000 vulnerable devices connected to the Internet, the researchers said, adding that the botnet is still active.

Both Vardi and Mittelman said their findings illustrate why Internet of Things (IoT) devices like routers are constantly targeted by malicious hackers.

“Over the years, major IoT botnets like Mirai and Mozi have proven how easily routers can be exploited and threat actors have taken note,” Mittelman said.

For years, critical vulnerabilities in TP-Link routers have been abused by hackers who use them as cover for subsequent attacks or add them to powerful botnets that disrupt websites with bogus traffic. U.S. officials in recent months have raised alarms about TP-Link routers specifically because they are repeatedly being exploited by Chinese hackers who have used them to breach telecommunications giants and critical infrastructure.
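The article names the vulnerability only by its identifier. Per the public disclosure of CVE-2023-1389, it is an unauthenticated command injection through the `country` parameter of the Archer AX21 web interface, reached at `/cgi-bin/luci/;stok=/locale?form=country` with `operation=write`, after which the attacker reads the same form back to collect command output. The Python below is an added example, not code from Cato Networks or from this article: it scans web-server access-log lines for that request shape and flags injection attempts together with their follow-up read-backs. The log lines, IP addresses and the session token `a1b2c3d4e5f6` are constructed for the example; only the endpoint and parameter names come from the public advisory.

```python
"""Flag requests matching the CVE-2023-1389 (TP-Link Archer AX21) exploit shape.

Added example. Endpoint and parameter names come from the public disclosure;
the access-log lines below are constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The vulnerable form is reachable with an EMPTY session token (";stok=/locale").
# A legitimate authenticated request carries a real token (";stok=<token>/locale").
VULN_PATH = "/cgi-bin/luci/;stok=/locale"

# Shell metacharacters that never belong in a country code.
SHELL_META = re.compile(r"[;&|`$(){}<>]")

# Combined/Apache-style access-log line: ip - - [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2025:10:01:02 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28id%3E%2Ftmp%2Fo%29 HTTP/1.1" 200 0
203.0.113.7 - - [11/Mar/2025:10:01:03 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 118
198.51.100.22 - - [11/Mar/2025:10:02:40 +0000] "GET /cgi-bin/luci/;stok=a1b2c3d4e5f6/locale?form=country&operation=write&country=US HTTP/1.1" 200 30
198.51.100.23 - - [11/Mar/2025:10:03:00 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200 30
192.0.2.9 - - [11/Mar/2025:10:05:11 +0000] "GET /index.html HTTP/1.1" 200 5120
"""


def classify_target(target):
    """Return (verdict, reason) for one request target.

    verdict is 'exploit' (injection payload), 'suspicious' (unauthenticated use
    of the country form, e.g. the read-back step) or 'benign'.
    """
    parts = urlsplit(target)
    # Decode the path so "%3Bstok%3D" evasions still match.
    path = unquote(parts.path)
    if not path.startswith(VULN_PATH):
        return "benign", "not the unauthenticated locale endpoint"
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("form", [""])[0] != "country":
        return "benign", "unauthenticated locale endpoint, non-country form"
    operation = qs.get("operation", [""])[0]
    # parse_qs already percent-decoded once; decode again to catch double encoding.
    country = unquote(qs.get("country", [""])[0])
    if SHELL_META.search(country):
        return "exploit", f"shell metacharacters in country={country!r}"
    return "suspicious", f"unauthenticated {operation or 'access'} on the country form"


def scan_log(text):
    """Parse access-log lines and return [(ip, verdict, reason)] for every hit.

    The public exploit writes the payload and then reads the form to fetch the
    command output, so a read of the country form from an IP that already sent
    an injection is upgraded from 'suspicious' to 'exploit'.
    Caveat: payloads carried in a POST body are invisible in a standard access
    log; body logging or an IDS is needed to see those.
    """
    hits = []
    injected_by = set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, reason = classify_target(m["target"])
        if verdict == "benign":
            continue
        if verdict == "exploit":
            injected_by.add(m["ip"])
        elif m["ip"] in injected_by:
            verdict, reason = "exploit", "read-back of command output after injection"
        hits.append((m["ip"], verdict, reason))
    return hits


if __name__ == "__main__":
    for ip, verdict, reason in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {verdict:10} {reason}")
```

The authenticated request from `198.51.100.22` is ignored because its path carries a session token, while the unauthenticated write from `198.51.100.23` is reported as suspicious even with a clean-looking `country=US`, since writing to that form without a token is not a normal browser flow and is worth correlating with other events from the same source.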
Source: therecord.media. Published Tue, 11 Mar 2025 19:40:08 +0000.