Summary: Cato Networks has identified a new IoT botnet named Ballista, which exploits a vulnerability in TP-Link Archer routers to spread malware. Linked to an Italian threat actor, the botnet poses a threat to organizations across various sectors globally. It has been actively targeting vulnerable devices since early January 2023, exploiting a known vulnerability tracked as CVE-2023-1389.
Affected: TP-Link Archer Routers
Keypoints:
- The botnet exploits the CVE-2023-1389 vulnerability, first discovered at a hacker competition in 2022.
- Ballista uses a TLS-encrypted command-and-control channel on port 82 to remotely control compromised devices.
- Attackers have modified the malware to use Tor domains for stealthy operations.
Source: https://www.securityweek.com/new-ballista-iot-botnet-linked-to-italian-threat-actor/