Security News > 2021 > December > Dark Mirai botnet targeting RCE on popular TP-Link router

Dark Mirai botnet targeting RCE on popular TP-Link router
2021-12-09 17:14

The botnet known as Dark Mirai has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017.

According to a report by researchers at Fortinet, who have been following Dark Mirai activity, the botnet added the particular RCE in its arsenal only two weeks after TP-Link released the firmware update.

In the case of Dark Mirai, the actors exploit CVE-2021-41653 to force the devices to download and execute a malicious script, "Tshit.sh," which in turn downloads the main binary payloads via two requests.

The actors still need to authenticate for this exploit to work, but if the user has left the device with default credentials, it becomes trivial to exploit the vulnerability.

Mirai may be gone, but its code has spawned numerous new botnets that cause large-scale problems to unsecured devices.

In August 2021, another Mirai-based botnet targeted a critical vulnerability in the software SDK used by a large number of Realtek-based devices.


News URL

https://www.bleepingcomputer.com/news/security/dark-mirai-botnet-targeting-rce-on-popular-tp-link-router/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-11-13 CVE-2021-41653 Code Injection vulnerability in Tp-Link Tl-Wr840N Firmware
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
network
low complexity
tp-link CWE-94
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
TP Link 322 0 74 168 88 330