Hackers have recently launched a new botnet campaign against TP-Link routers, with more than 6,000 devices currently infected, according to a report by the Cato CTRL research team. The campaign uses the Ballista botnet, which exploits a remote code execution (RCE) vulnerability in the TP-Link Archer AX-21 model.
Ballista works by first dropping malware onto the compromised device and then running a script that fetches and executes a chosen binary. It then opens a command-and-control (C2) channel on port 82, giving the operators full control over the infected router: they can run remote commands, launch DDoS attacks, read configuration files, cover their tracks, and spread the infection to other routers.
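The one concrete network indicator in the description above is the C2 channel on TCP port 82. The following is an added detection example, not code from Cato CTRL, TP-Link, or the original article: it scans flow records for connections that a router itself originates to port 82, counts repeated contacts per destination (beaconing), and separates LAN destinations (possible spread to other routers) from external ones. The key=value log format, the router's LAN address 192.168.1.1, and all flow records are constructed assumptions; adapt the parser to your own collector's format.

```python
"""Flag router-originated TCP flows to port 82, the Ballista C2 port reported by
Cato CTRL. Everything below (log format, addresses, sample flows) is constructed
for illustration and is not taken from the report."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Constructed sample flow records (assumed key=value export format).
SAMPLE_FLOWS = """\
ts=2025-03-12T10:00:01Z src=192.168.1.1 dst=203.0.113.5 dport=82 proto=tcp bytes=612
ts=2025-03-12T10:00:05Z src=192.168.1.20 dst=198.51.100.7 dport=443 proto=tcp bytes=5120
ts=2025-03-12T10:01:01Z src=192.168.1.1 dst=203.0.113.5 dport=82 proto=tcp bytes=598
ts=2025-03-12T10:02:01Z src=192.168.1.1 dst=203.0.113.5 dport=82 proto=tcp bytes=601
ts=2025-03-12T10:02:30Z src=192.168.1.1 dst=192.168.1.50 dport=82 proto=tcp bytes=300
ts=2025-03-12T10:03:00Z src=192.168.1.1 dst=198.51.100.9 dport=123 proto=udp bytes=76
"""

ROUTER_IPS = {"192.168.1.1"}  # assumption: the Archer's LAN-side address
C2_PORT = 82                  # from the report: Ballista control channel port

# RFC 1918 ranges, checked explicitly so that documentation ranges such as
# 203.0.113.0/24 (which ipaddress also treats as non-public) count as external.
LAN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one key=value record into a Flow."""
    f = dict(KV_RE.findall(line))
    return Flow(f["ts"], f["src"], f["dst"], int(f["dport"]), f["proto"], int(f["bytes"]))


def parse_flows(text: str) -> list[Flow]:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def is_lan(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def find_c2_candidates(flows, router_ips=ROUTER_IPS, port=C2_PORT) -> list[Flow]:
    """A router normally does not initiate TCP sessions to port 82; any such
    flow from a router address is worth a closer look."""
    return [f for f in flows if f.src in router_ips and f.dport == port and f.proto == "tcp"]


def beacon_summary(flows) -> dict:
    """Count port-82 flows per destination. Repeated contacts with one external
    host look like C2 beaconing; LAN destinations may indicate attempts to
    spread to other routers on the same network."""
    counts = Counter(f.dst for f in flows)
    return {dst: {"count": n, "scope": "internal" if is_lan(dst) else "external"}
            for dst, n in counts.items()}


if __name__ == "__main__":
    hits = find_c2_candidates(parse_flows(SAMPLE_FLOWS))
    for dst, info in beacon_summary(hits).items():
        print(f"router -> {dst}:{C2_PORT} ({info['scope']}) seen {info['count']}x")
```

A hit here is a lead, not a verdict: confirm it against the router's firmware version and whether the vendor patch has been applied, and treat a router that contacts a LAN neighbour on port 82 as a sign that the infection may already be spreading.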
Most of the infected devices are located in Brazil, Poland, the United Kingdom, Bulgaria, and Turkey, while the targets of the attacks are mainly medical and technology companies in the United States, Australia, China, and Mexico. Interestingly, the IP address and the language used in the attacks were Italian, leading the researchers to believe that the operators may be based in Italy. That original IP address is no longer in use; a newer version of the malware uses Tor domains instead, a sign that it is still under active development.
To prevent further infections and protect vulnerable devices, the researchers strongly advise all TP-Link Archer AX-21 owners to install the recommended patch from TP-Link's official website immediately. The patch helps secure the device and prevents it from being exploited by the Ballista botnet or similar threats.
This incident illustrates the ongoing challenges faced by both individual users and organizations in securing their network infrastructure against sophisticated cyber threats. As hackers continue to evolve their tactics and exploit vulnerabilities in various devices, it becomes crucial for users to stay vigilant, apply security updates promptly, and implement best practices to safeguard their digital assets.
In conclusion, the recent outbreak of the Ballista botnet targeting TP-Link routers serves as a stark reminder of the constant cybersecurity risks present in the digital world. By taking proactive measures and staying informed about emerging threats, users can better protect themselves and mitigate the impact of potential attacks on their devices and networks.