TP-Link wireless router vulnerability makes your home network a part of new botnet

Cybersecurity specialists report the detection of Manga, a new variant of the Mirai botnet that focuses on compromising TP-Link routers through the CVE-2021-41653 vulnerability. The flaw affects TL-WR840N EU routers running outdated firmware versions.

The flaw was described as a post-authentication remote code execution (RCE) bug: a remote threat actor who can reach the admin interface can execute arbitrary commands by submitting specially crafted payloads through the IP address input field.
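To make the class of bug concrete, the following Python is an added example, not code from the article, from TP-Link, or from the botnet. It models a router diagnostic handler (all names, such as `build_ping_command_unsafe` and the `ipAddr` form parameter, are hypothetical) that pings a user-supplied address: the unsafe version splices the form field into a shell command line, the hardened version accepts only a parseable IP address and never invokes a shell, and a small detector flags admin-interface requests whose IP field is not actually an IP address.

```python
import ipaddress
import re
import subprocess
import urllib.parse

# Constructed example of a router web-UI "ping" diagnostic. Not TP-Link code.


def build_ping_command_unsafe(ip_field: str) -> str:
    """Vulnerable pattern: the admin form's IP field is interpolated into a
    shell command line, so shell metacharacters in the field (';', '|', '$(')
    turn the trailing text into a second command. This is the shape of bug
    the article describes, shown only to contrast with the fix below."""
    return f"ping -c 1 {ip_field}"


def build_ping_command_safe(ip_field: str) -> list:
    """Hardened pattern: parse the field as an IPv4/IPv6 address (anything
    else raises ValueError) and return an argv list, so the value is passed
    as a single argument and no shell ever interprets it."""
    addr = ipaddress.ip_address(ip_field.strip())  # rejects "1.2.3.4; ..."
    return ["ping", "-c", "1", str(addr)]


def run_ping_safe(ip_field: str) -> int:
    """Execute the hardened command without a shell; returns the exit code."""
    argv = build_ping_command_safe(ip_field)
    return subprocess.run(argv, shell=False, capture_output=True, timeout=5).returncode


# Constructed access-log lines (hypothetical path and parameter name) for the
# detector: one benign request and one whose IP field carries extra text.
SAMPLE_LOG = [
    'POST /cgi-bin/diag body="ipAddr=192.168.0.10" status=200',
    'POST /cgi-bin/diag body="ipAddr=192.168.0.10%3Becho+injected" status=200',
    'GET /index.html status=200',
]

_IP_FIELD = re.compile(r"ipAddr=([^&\s\"]*)")


def flag_suspicious_requests(log_lines):
    """Return (line, decoded_value) for every request whose ipAddr field does
    not parse as an IP address. A field that fails ipaddress.ip_address() but
    reached a diagnostic endpoint is worth an alert on a device this old."""
    hits = []
    for line in log_lines:
        match = _IP_FIELD.search(line)
        if match is None:
            continue
        value = urllib.parse.unquote_plus(match.group(1))
        try:
            ipaddress.ip_address(value)
        except ValueError:
            hits.append((line, value))
    return hits


if __name__ == "__main__":
    print(build_ping_command_unsafe("127.0.0.1; echo injected"))
    print(build_ping_command_safe(" 192.168.0.1 "))
    for line, value in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious ipAddr field:", repr(value))
```

The important design choice is that the safe version does not try to strip or escape metacharacters; it requires the field to be an address and passes it as one argv element with `shell=False`, which removes the injection surface rather than filtering it.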

About the botnet, the researchers mention that Manga, also known as Dark, works by exploiting the flaw to fetch and execute a malicious script, which in turn downloads the payloads needed to complete the attack. The botnet owes its name to a token string it previously included in its SSH/telnet commands and to the names of the binaries used by the attackers (dark.arm, dark.mips and others).

In the middle of this year, the operators of this malware began targeting Cisco, OptiLink and other devices, and the security risk grew shortly after the public disclosure of the flaw. As part of the newly identified attacks, the botnet operators updated the malware to add an exploit for CVE-2021-41653, in an attempt to infect potentially vulnerable devices before they received updates.

The good news is that exploiting the flaw requires authentication, so attacks can be prevented by replacing default credentials with sufficiently strong, unique passwords. Curiously, once it is running on a vulnerable device, the botnet malware can prevent other threats from infecting it by blocking connections to commonly exploited ports.

Based on commands received from the malicious C&C server, it is believed that the botnet can launch several variants of denial-of-service (DoS) attack. The main recommendation for users is to keep their routers updated to the latest available firmware version and to use strong passwords on the admin interface.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.