Previously unidentified botnet infects unpatched TP-Link Archer home routers

Summary: A recent investigation has revealed the emergence of a new botnet named Ballista, targeting consumer-grade TP-Link Archer routers by exploiting a critical firmware vulnerability (CVE-2023-1389). The malware can take over devices, allowing attackers to issue arbitrary commands and potentially steal data, all while spreading itself automatically. Researchers believe the threat actor is based in Italy and that the campaign may still be in its early stages of development.

Affected: TP-Link Archer routers (specifically the AX21/AX1800 model)

Key points:

  • Bristol researchers found the Ballista botnet infecting TP-Link Archer routers.
  • The malware exploits a known firmware vulnerability (CVE-2023-1389) to spread and compromise devices.
  • Previous alerts from U.S. officials highlight ongoing security concerns regarding TP-Link routers being targeted by hackers.
  • The campaign demonstrates increased sophistication, having evolved to use encrypted connections over the Tor network.
  • More than 6,000 vulnerable devices were identified as part of the ongoing botnet activity.

Source: https://therecord.media/ballista-botnet-tp-link-archer-routers