A command injection vulnerability, disclosed last year and documented as CVE-2023-1389, was identified and patched in the TP-Link Archer AX21 (AX1800) routers. According to a recent report from the Cato CTRL team, unpatched TP-Link Archer routers have become the focus of a new botnet campaign called Ballista, resulting in over 6,000 impacted devices globally. CVE-2023-1389 was a high-severity vulnerability (CVSS 8.8) in TP-Link Archer routers. Proof-of-concept exploit code was available soon after the security advisories became public. Multiple reports documented exploitation of unpatched devices by several botnets, including three Mirai variants, Condi, and AndroxGh0st. According to Cato CTRL’s report, this Ballista campaign was first identified earlier this year on January 10, and the most recent exploitation attempt was recorded on February 17.
This botnet uses a bash script dropper to install malware on TP-Link Archer routers, which allows remote code execution (RCE) and denial-of-service (DoS) attacks. Researchers link Ballista to an Italy-based threat actor, citing Italian-language strings in the code and an IP address traced to Italy. The botnet seems to be undergoing active development, as attackers now use domains on the Tor network. This modification improves the botnet’s stealth, making tracking and disruption more challenging.
The malware establishes a TLS-encrypted command and control (C2) channel on port 82, allowing attackers to gain complete control over compromised devices after successful deployment. It can execute shell commands, extract sensitive files, and conduct large-scale cyberattacks. Furthermore, the malware can terminate earlier versions of itself and erase its presence once it begins execution.
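A defender can hunt for the TLS-on-port-82 C2 channel described above in network connection logs. The following is an added example, not code from the Cato CTRL report; it assumes Zeek-style conn.log rows (tab-separated, with a `service` field that Zeek sets to `ssl` when it recognises TLS), a constructed set of sample rows, and a caller-supplied set of router management addresses.

```python
"""Flag TCP/82 sessions that look like TLS C2 in Zeek-style conn.log rows."""
from dataclasses import dataclass

# Constructed sample rows (field subset, in this order):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service  duration
SAMPLE_LOG = """\
1739750400.1\tC1\t192.0.2.10\t51234\t198.51.100.5\t443\ttcp\tssl\t3.2
1739750410.4\tC2\t192.0.2.1\t40021\t203.0.113.9\t82\ttcp\tssl\t1820.0
1739750420.0\tC3\t192.0.2.1\t40022\t203.0.113.9\t82\ttcp\t-\t0.4
1739750430.7\tC4\t192.0.2.22\t55001\t198.51.100.7\t82\ttcp\thttp\t0.9
"""

C2_PORT = 82  # port reported for the Ballista TLS C2 channel


@dataclass(frozen=True)
class Hit:
    uid: str
    src: str
    dst: str
    service: str
    duration: float


def parse_conn_line(line):
    """Parse one conn.log row; return None for comments or short rows."""
    if line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 9:
        return None
    return {"uid": f[1], "src": f[2], "dst": f[4], "dport": int(f[5]),
            "proto": f[6], "service": f[7],
            "duration": 0.0 if f[8] == "-" else float(f[8])}


def find_port82_tls(log_text, router_ips=frozenset()):
    """Return TCP/82 sessions Zeek classified as ssl, plus any TCP/82 session
    originating from a known router address (hypothetical router_ips set),
    since a router should not initiate outbound TLS on that port at all."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != C2_PORT:
            continue
        if rec["service"] == "ssl" or rec["src"] in router_ips:
            hits.append(Hit(rec["uid"], rec["src"], rec["dst"],
                            rec["service"], rec["duration"]))
    return hits
```

Plain HTTP on port 82 is common for alternate web services, so the `service == "ssl"` check is what separates a likely C2 session from ordinary traffic; the router-origin rule catches sessions Zeek could not classify.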
A search on Censys, an attack surface management platform, showed over 6,000 vulnerable TP-Link routers, indicating the botnet remains active. The botnet has primarily targeted manufacturing, healthcare, technology, and service industries across the U.S., Australia, China, and Mexico. Users should upgrade their device firmware as per the vendor’s instructions. Keeping firmware updated and implementing network security best practices are crucial to preventing large-scale cyberattacks.