

Thousands of TP-Link Routers Have Been Infected By a Botnet To Spread Malware (tomsguide.com)
The Ballista botnet is actively exploiting a high-severity remote code execution flaw (CVE-2023-1389) in TP-Link Archer AX-21 routers, infecting over 6,000 devices primarily in Brazil, Poland, the UK, Bulgaria, and Turkey. Tom's Hardware reports: According to a new report from the Cato CTRL team, the Ballista botnet exploits a remote code execution vulnerability that directly impacts the TP-Link Archer AX-21 router. The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet malware attacks. The flaw is also linked to the Condi and AndroxGh0st malware attacks.
Ballista's most recent exploitation attempt was February 17, 2025 and Cato CTRL first detected it on January 10, 2025. Of the thousands of infected devices, the majority of them are concentrated in Brazil, Poland, the United Kingdom, Bulgaria and Turkey; with the botnet targeting manufacturing, medical/healthcare, services and technology organizations in the United States, Australia, China and Mexico.
Router (Score:3)
I do not trust home devices for security. I built a router running pfSense. Everything is behind this, and I have rules in place to prevent stray data from escaping.
I also put in PiHole for general DNS filtering (pfSense has this ability too).
People don't care, but I do.
Re: Router (Score:5, Insightful)
Your router is a home device.
Re: (Score:2)
Is it? Just because it is in my "home" and not at my "business"?
Re: (Score:2)
Did you build it out of high grade hardware? The really real stuff is built different. At least tell me you sprung for an industrial case :)
I'm not talking down on using commodity hardware, I've built a bunch of routers out of PCs back when power was cheaper. (I also used to have a Cat5k, but power was never really cheap enough to justify running that fucker.) I'm still using a WRT1200AC, which is absolutely homey and not at all built up to real Cisco hardware standards. That's of course assuming they still
Re: (Score:3)
Your router is a home device.
I understood "home device" to mean "consumer grade device" as opposed to prosumer or enterprise device. A roll-you-own pfSense install isn't really consumer.
Re: (Score:2)
If it's based on retail hardware, and especially with free (little f) software, it's home grade.
I have nothing against home grade hardware. I have owned a fairly broad array of enterprise grade stuff (starting with a Sun 3/260 which I upgraded to a SPARC) and I have also owned a whole lot of different PCs starting with the 5150, and in my opinion there is not too much difference at this point for a lot of it. But serious network hardware is really different stuff, if anyone's still building it like they use
Re: (Score:2)
If it's based on retail hardware, and especially with free (little f) software, it's home grade.
I have nothing against home grade hardware. I have owned a fairly broad array of enterprise grade stuff (starting with a Sun 3/260 which I upgraded to a SPARC) and I have also owned a whole lot of different PCs starting with the 5150, and in my opinion there is not too much difference at this point for a lot of it. But serious network hardware is really different stuff, if anyone's still building it like they used to anyway.
Interesting conversation. Kind of refreshing for Slashdot these days.
I think there's a distinction that's maybe worth making here though between hardware and software. Your typical home hardware from D-Link, TP-Link, Linksys and the like is poor. Relying on some crappy AC adapter and bottom-of-the-barrel components gives you gear that's got a 50/50 chance of frying in a year or two. Thing is the software's trash too.
On the other hand, you can buy gear from HPE or Cisco and the hardware is generally
Re: (Score:2)
Interesting conversation. Kind of refreshing for Slashdot these days.
I too miss classic Slashdot and prefer the conversations about tech. I am simply unwilling to let certain things go on this site, which despite (*gestures around*) is still important to me. And clearly it's important and this is a valid way to behave in the eyes of sufficient others as well, because I still have about a 2:1 ratio of fans to freaks and excellent karma...
I think there's a distinction that's maybe worth making here though between hardware and software. Your typical home hardware from D-Link, TP-Link, Linksys and the like is poor. Relying on some crappy AC adapter and bottom-of-the-barrel components gives you gear that's got a 50/50 chance of frying in a year or two. Thing is the software's trash too.
This hardware fairly consistently outlasts expectations like that, which is why I can pick routers up at yard sales. It usually far outlasts
Re: (Score:2)
Unfortunately pfSense isn't immune to these kinds of attack either: https://cve.mitre.org/cgi-bin/... [mitre.org]
Note how many of them are very similar to this TP-Link CVE, in that they require someone inside the network with access to the router's admin interface to make an HTTP request that triggers the exploit.
The key is to stay updated and ideally isolate the router's web interface so that it is not so easily accessible to anyone inside the network.
Upgraded to OpenWRT (Score:5, Informative)
One was an Archer A7, and that was very easy -- used the router's own Web interface to flash an OpenWRT image on to it. The other is an older Archer C7. That one required setting up a TFTP server for the router to pull the OpenWRT image from. But once done, both came up without issue.
Nevertheless, you must read the docs before embarking on this journey. OpenWRT is designed and built by and for technically astute users. You will be expected to understand how the various interfaces in the router connect to each other, and establish routing rules between them. There's a fair bit of it I still don't understand. In my case, however, the default rules were fine for setting up a simple WAP. Since my LAN already has a DHCP server, I also had to be sure to disable the one inside OpenWRT.
From a client perspective, the transition was invisible -- none of the WiFi gear in the house noticed, and kept on working.
OpenWRT also supports roll-back to the factory firmware. If you have a TPLink WiFi router that OpenWRT supports, you may care to give it a look.
Re: (Score:3)
The other is an older Archer C7. That one required setting up a TFTP server for the router to pull the OpenWRT image from.
I'll note that I recently flashed a newer C7 (v5) with OpenWRT for a friend and was able to do it straight from the original GUI. Works like a champ.
Re: (Score:2)
It's certainly true that you need to know something about routing in order to set up openwrt. You don't need to know more than the broad concepts though, because you can make use of the default networks (wan and lan) to guide you as they have a well-established relationship. As long as you're connecting your interfaces to those groups correctly, you will only have to do routing rules if you want to let something into your network from outside.
I like to go to yard sales and look routers up on the Table of Ha [openwrt.org]
Re: (Score:2)
Pretty sure these routers run a version of OpenWRT
This exploit was specifically related to the LuCI web interface from OpenWRT. Presumably it was extended by TP-Link
They also fixed the vulnerability before it was disclosed, back at the beginning of 2023.
It doesn't really matter what software your router runs, you must keep it up to date.
Re: (Score:2)
pushback? (Score:4, Interesting)
I would hope that ISPs could be more active in this and run detection sniffers. When they discover a router is "pwned", send a notice to the owner with a short deadline to have it corrected, and if the issue isn't corrected, heavily or completely block the device. Won't work for all types of customers/sites, and has some risk involved. But could be an effective weapon to help protect the internet (or at least constrain attacks some) from DDOS stuff.
Sounds horrible, but I kinda like that project I read about years ago that was sniffing out such routers and using the RCE to actually patch them to close the holes. Whitehat stuff (or maybe that is gray?) Of course, it depends on knowing the various RCEs, how they work, and what could be done.
Re: (Score:2)
How would an ISP detect this?
It looks like the vulnerable endpoint is only accessible from the local network.
They would need to trick their users into visiting a website that then makes HTTP calls to the local network interface of the router.
Re: (Score:2)
Just redirect all web traffic from the client to a specifically crafted ISP webpage for "additional security checks" until the router(s) is/are confirmed okay. Most end users wouldn't even notice that something stinks.
Still none the wiser .. (Score:2)
“As reported by BleepingComputer and discovered by the cybersecurity firm ThreatFabric, malware droppers [tomsguide.com] like the newly uncovered SecuriDropper provide hackers with a way to install malicious payloads on compromised devices.”
Here's How (Score:3)
The compromise starts with one of two things.
1.
a.) A Remote Code Execution (RCE) vulnerability in the router's web management interface. Stupid people expose this interface to the internet. But, while more difficult, it is also possible to make users execute the code needed to trigger the vulnerability from inside the network.
b.) Default administrator password on the internet exposed management interface.
2. The "malware dropper" is a series of commands used to install software onto the router that connects i
Re: (Score:3)
> Stupid people expose this interface to the internet.
Someone said that one vector is somehow doing a browser-exploit dance to trigger UPnP to open the management port.
I don't quite understand what they're doing but the obvious second step is for the exploit to signal the C&C so it can immediately hijack the router.
UPnP should be disabled by default but the vendors of $49 routers can't afford calls from Xbox users so it's on and leads to so many exploits.
I would have thought CGNAT would have destroye
Re: (Score:2)
You could probably exploit this vulnerability with Javascript. All it requires is a few POST calls to an endpoint
Re: (Score:2)
It's Mario and Giuseppe screwing South American TP-Link users.
Mario, Luigi and Wario. Or, if you prefer, Sollozzo, Barzini, Tattaglia and Don Corleone.
Incompetence On Both Sides (Score:2)
I feel that this is more to do with the incompetence of dirt cheap production (firmware development) and dirt cheap consumers that neither update their firmware nor change their default password.
I may be wrong, but I don't think that this is willful backdooring from TP-Link, as the rumors and stories of government investigation are implying. We saw a very similar scenario with the cheap LinkSys stuff that Cisco was pumping out. Until they started shipping with randomized passwords and automatic firmware upda
Re:Incompetence On Both Sides (Score:5, Interesting)
I know plenty of 'expensive' developers, some with published patents, that have very little clue about security.
I remember one time at a former company where the 2 most "senior" developers did not understand why they needed to protect against SQL Injection in their code since "our servers are behind a Firewall".
In another case a dev designed a service to remote control self driving cars, on public roads, over HTTP, and he would send the root password over that. He said it was safe since he used Basic Auth. I took a simple TCP dump of the traffic to show the Base64 encoded password. This was done under the approval of someone who is now on the Amazon board of directors. That person told us to not waste time defending against cyber attacks.
In Fairness (Score:3)
I totally agree that good, seasoned, and expensive developers can introduce vulnerabilities just as well as cheap developers. And, I also agree that there are many expensive developers that have no clue about network security, or even software security.
But, I feel that when you're using the cheapest students and interns for developers that you're going to have a higher incidence of these vulnerabilities. I'm pretty sure that TP-Link isn't hiring grads from MIT and Stanford with 10 years experience.
Re: (Score:2)
If flashing them with OpenWRT removes the vulnerability (and makes the router perform better, or at least not worse)... then that seems like a market opportunity for someone to do some value-add for people who don't want to flash their own routers.
If Only (Score:3)
If only it were as "easy" as flashing OpenWRT onto it. Something that only a vanishingly small number of consumer router users can do.
But, it's much more complicated than that. It's especially complicated when openWRT itself is a never-ending-bug-fest of vulnerabilities and exploits.
https://cve.mitre.org/cgi-bin/... [mitre.org]
I think it's a bigger opportunity for NetGear or Linksys/Cisco to bring something similarly inexpensive, but also secure. Ubiquiti thought that they were the ones. But, they used openWRT and prov
Re: (Score:2)
I think it's a bigger opportunity for NetGear or Linksys/Cisco to bring something similarly inexpensive, but also secure.
If 'inexpensive = insecure' what business logic leads you to think 'similarly inexpensive = also secure'?
Developers and Engineers at those places have families to feed and those families need a roof over their heads. Even setting aside the old chestnut of price gouging, those businesses aren't interested in undercutting themselves, nor should they be. People who pay rent should understand that, at least a little.
Security is entirely reactive; 'expensive and secure' is no better against some of the smarte
Re: (Score:2)
NetGear needs to work on making products that function correctly and reliably, rather than look pretty with expensive marketing.
Do not expose management interface to the internet (Score:2)
Re: (Score:2)
Management interfaces on the local network can be accessed by web browsers.
That's going to bypass firewalls and mac filtering.
All it takes is two unauthenticated post requests to this endpoint and the router is exploited. Reading the response from the post isn't required, so cross-site scripting protections don't help either.
You're deluding yourself if you think you can stop these types of vulnerabilities with configuration.
I guess you could lower the risk by changing the management port, so the attacker wo
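The comments above make the point that a page the user visits can drive the browser to POST to the router's LAN-side admin interface, and that response-reading protections do not help because the attacker never needs the response. The check below is an added example, not TP-Link's or OpenWrt's code: a device-side gate that refuses state-changing requests whose browser-supplied fetch-metadata or Origin/Referer headers do not point at the admin UI's own host (the host names and sample requests are constructed).

```python
"""Origin gate for a LAN device's management endpoint (added example)."""
from urllib.parse import urlsplit

# Hostnames under which the admin UI is legitimately served (constructed values).
ALLOWED_HOSTS = {"192.168.0.1", "router.local"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def check_request(method: str, headers: dict) -> tuple:
    """Return (allowed, reason). Only state-changing methods are gated."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}

    # Fetch metadata: current browsers send it and a page cannot forge it.
    # "same-site" (a sibling host) is deliberately not accepted here.
    site = h.get("sec-fetch-site")
    if site is not None:
        if site in ("same-origin", "none"):  # own UI, or a user-typed URL
            return True, f"sec-fetch-site={site}"
        return False, f"cross-site request blocked (sec-fetch-site={site})"

    # Older browsers: fall back to Origin, then Referer. Browsers attach
    # Origin to cross-site POSTs, so a POST with neither header is untrusted.
    source = h.get("origin") or h.get("referer")
    if source is None:
        return False, "no origin information on state-changing request"
    host = urlsplit(source).hostname  # an opaque "null" origin yields None
    if host in ALLOWED_HOSTS:
        return True, f"origin host {host} allowed"
    return False, f"origin host {host!r} not allowed"


def is_trusted_request(method: str, headers: dict) -> bool:
    return check_request(method, headers)[0]


# Constructed sample requests: a legitimate admin-UI form post, the
# cross-site POST the thread describes, and a post from an old browser
# that sends a Referer but no fetch metadata.
SAMPLES = [
    ("POST", {"Sec-Fetch-Site": "same-origin", "Origin": "http://192.168.0.1"}),
    ("POST", {"Sec-Fetch-Site": "cross-site", "Origin": "http://attacker.example"}),
    ("POST", {"Referer": "http://router.local/admin/wan.html"}),
]

if __name__ == "__main__":
    for method, hdrs in SAMPLES:
        allowed, why = check_request(method, hdrs)
        print(f"{method} -> {'ALLOW' if allowed else 'DENY'}: {why}")
```

A non-browser client that sends neither header is also refused by this gate, so an API path for scripts would need its own token-based check.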
Insecure by default (Score:3)
We made the mistake of buying a TP-Link Omada switch for the office.
We use VLANs.
We set up the VLANs.
The switch immediately began sending VLAN 1 traffic to VLAN 2 and vice-versa. Apparently they expect you to set up L3 routing to prevent this? Doesn't this sound like a device which should be recalled and the company fined heavily for falsely claiming VLAN compliance?
Imagine you doing this and you rely on the L3 routing for the VLAN separation. What about non-IP traffic? What about pretending to be on a different IP network? Does it move you to the other VLAN no matter what port you are on?
We sent it back and got a TRENDnet instead.
Took us most of the day to figure out the switch was mixing VLAN traffic between VLANs as if they were all one single VLAN.
If we could figure out how to charge them for false product and associated costs to recover from it?
Re: (Score:3)
Meh... my BE 19000 just popped this up:
```
Authorize Third-Party Services
Once enabled, we will share your clients' information to a third-party services to identify your clients better. We won't save your private information.
```
Like I really believe that...
Re: (Score:2)
Your local consumer protection laws would cover this.
You'd be claiming against the company that sold it to you, not TP-Link directly.
If you bought it internationally, you're completely out of luck.
If you bought it for business purposes, you may have difficulties, depending on your local laws.
Re: (Score:2)
I've used Omada switches before and the VLAN stuff works just fine. It sounds like you didn't configure it correctly because it works at L2. In fact if you were getting traffic going between VLANs then the only officially supported way of doing it is a common L3 device handling that.
My guess would be that your gateway router was misconfigured.
Consumer Wifi (Score:2)
I recently changed ISPs and they provided me with a TP-Link router. It's actually pretty nice, good range and reliable, although it's infuriating that all management has to be done through a phone app... that you have to create a cloud account for. There is a web interface but it's very basic. I think I'm going to have to buy a replacement but the landscape seems bleak. TP-Link fills the top lists, and I don't want a "mesh pod," thank you very much...