Ethical Hacking News

The Ballista Botnet: A Looming Threat to Unpatched TP-Link Routers




A newly discovered botnet known as Ballista has been identified, exploiting an unpatched vulnerability in TP-Link Archer routers. This development highlights the importance of regular software updates and patch management, emphasizing the need for users to take swift action to secure their devices.

  • The Ballista botnet is exploiting an unpatched vulnerability in TP-Link Archer routers (CVE-2023-1389), allowing remote code execution and command injection.
  • The attack started with unknown threat actors using the flaw to drop Mirai botnet malware in April 2023, followed by other malware families like Condi and AndroxGh0st.
  • The botnet uses a malware dropper and establishes an encrypted C2 channel on port 82 to take control of infected devices.
  • The malware allows for running shell commands, denial-of-service (DoS) attacks, and reading sensitive files on the local system.
  • Over 6,000 devices have been targeted by Ballista, with vulnerabilities concentrated in Brazil, Poland, and other countries.
  • The botnet poses a significant threat to unsuspecting users who have not taken steps to secure their TP-Link Archer routers.



The cybersecurity landscape has witnessed numerous threats in recent years, with new vulnerabilities and exploits emerging at an unprecedented rate. However, a particularly concerning development has come to light regarding the Ballista botnet, which is exploiting an unpatched vulnerability in TP-Link Archer routers. In this article, we will delve into the details of this threat, its impact on unsuspecting users, and what can be done to mitigate it.

The discovery of the Ballista botnet was made by the Cato CTRL team, a renowned cybersecurity organization that specializes in identifying and mitigating threats. According to their findings, the botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389). This vulnerability, which has been unpatched for over a year, can lead to command injection, paving the way for remote code execution.

The earliest evidence of active exploitation of this flaw dates back to April 2023, with unidentified threat actors using it to drop Mirai botnet malware. Since then, it has also been abused to propagate other malware families like Condi and AndroxGh0st. The Ballista campaign was detected by the Cato CTRL team on January 10, 2025, and the most recent exploitation attempt was recorded on February 17.

The attack sequence entails the use of a malware dropper, a shell script ("dropbpb.sh") that's designed to fetch and execute the main binary on the target system for various system architectures such as mips, mipsel, armv5l, armv7l, and x86_64. Once executed, the malware establishes an encrypted command-and-control (C2) channel on port 82 in order to take control of the device.

This allows running shell commands to conduct further RCE and denial-of-service (DoS) attacks. In addition, the malware attempts to read sensitive files on the local system. Some of the supported commands are listed below:

* flooder, which triggers a flood attack
* exploiter, which exploits CVE-2023-1389
* start, an optional parameter that is used with the exploiter to start the module
* close, which stops the module triggering function
* shell, which runs a Linux shell command on the local system
* killall, which is used to terminate the service

Furthermore, it's capable of terminating previous instances of itself and erasing its own presence once execution begins. It's also designed to spread to other routers by attempting to exploit the flaw.
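The dropper name, the C2 port and the C2 address are the concrete indicators this article gives a defender. As an added example that is not from the article or from Cato CTRL, the following Python scanner flags them in a constructed connection-log format; the log format, the assumed router address 192.168.1.1 and the sample lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: the dropper script name, the C2 port and
# the C2 address (written defanged in the article as 2.237.57[.]70).
DROPPER_NAME = "dropbpb.sh"
C2_PORT = 82
C2_IP = "2.237.57.70"

# Constructed log line format for this example, not a real product's format:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> [<url>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)(?: (?P<url>\S+))?$"
)

@dataclass
class Finding:
    ts: str
    src: str
    reason: str

def scan(lines, router_ips=frozenset({"192.168.1.1"})):
    """Flag lines matching the indicators; router_ips are hosts whose outbound tcp/82 is suspicious."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        url = m["url"] or ""
        dst, dport = m["dst"], int(m["dport"])
        if url.rsplit("/", 1)[-1] == DROPPER_NAME:
            findings.append(Finding(m["ts"], m["src"], "dropper fetch: " + url))
        if dst == C2_IP:
            findings.append(Finding(m["ts"], m["src"], "known C2 address " + dst))
        elif dport == C2_PORT and m["src"] in router_ips:
            findings.append(Finding(m["ts"], m["src"], f"router outbound tcp/{C2_PORT} to {dst}"))
    return findings

# Constructed sample lines: the assumed router fetches the dropper, reaches the
# C2, then contacts another host on the C2 port; one benign client line.
SAMPLE_LOGS = [
    "2025-02-17T10:00:01Z 192.168.1.1:44012 -> 203.0.113.9:80 tcp http://203.0.113.9/dropbpb.sh",
    "2025-02-17T10:00:04Z 192.168.1.1:44020 -> 2.237.57.70:82 tcp",
    "2025-02-17T10:00:09Z 192.168.1.50:51000 -> 198.51.100.7:443 tcp https://198.51.100.7/",
    "2025-02-17T10:00:12Z 192.168.1.1:44031 -> 198.51.100.7:82 tcp",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f.ts, f.src, f.reason)
```

The port-82 rule is scoped to router addresses because tcp/82 from arbitrary clients is not by itself meaningful; the article notes a newer dropper variant uses TOR domains rather than the hard-coded IP, so the address match will not catch that variant.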

The location of the C2 IP address (2.237.57[.]70) and the presence of Italian language strings in the malware binaries suggest the involvement of an unknown Italian threat actor, the cybersecurity company said. However, the malware appears to be under active development: the IP address is no longer functional, and a new variant of the dropper uses TOR network domains instead of a hard-coded IP address.

A search on the attack surface management platform Censys reveals that more than 6,000 devices are targeted by Ballista. The vulnerable devices are concentrated in Brazil, Poland, the United Kingdom, Bulgaria, and Turkey. The botnet has been found to target manufacturing, medical/healthcare, services, and technology organizations in the United States, Australia, China, and Mexico.

While this malware sample shares similarities with other botnets, it remains distinct from widely used botnets such as Mirai and Mozi. The researchers noted that the use of an unpatched vulnerability in a popular router brand highlights the importance of regular software updates and patch management.

In conclusion, the Ballista botnet poses a significant threat to unsuspecting users who have not taken steps to secure their TP-Link Archer routers. It is essential for individuals and organizations to take immediate action to protect themselves from this emerging threat.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Ballista-Botnet-A-Looming-Threat-to-Unpatched-TP-Link-Routers-ehn.shtml

Published: Wed Mar 12 04:37:57 2025 by llama3.2 3B Q4_K_M