Dark Mirai botnet targeting RCE on popular TP-Link router (Security News, December 2021)
The botnet known as Dark Mirai has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017.
According to a report by researchers at Fortinet, who have been following Dark Mirai activity, the botnet added this particular RCE to its arsenal only two weeks after TP-Link released the firmware update.
In the case of Dark Mirai, the actors exploit CVE-2021-41653 to force the devices to download and execute a malicious script, "Tshit.sh," which in turn downloads the main binary payloads via two requests.
The actors still need to authenticate for this exploit to work, but if the user has left the device with default credentials, it becomes trivial to exploit the vulnerability.
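As an added illustration (not code from this page, from Fortinet, or from TP-Link's firmware), a hypothetical ping handler in C shows the input-handling difference behind a bug of this class: the unsafe version splices the IP address field into a shell command line, while the hardened version accepts only a literal IPv4/IPv6 address parsed by inet_pton and passes it to ping as its own argv element, so no shell ever interprets it. All function names are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern (hypothetical): the web form's IP field is formatted
 * straight into a command line that would later be handed to /bin/sh.
 * Any shell metacharacter in `input` becomes part of the command. */
int unsafe_build_ping_cmdline(const char *input, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 4 %s", input);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened: returns 4 for a literal IPv4 address, 6 for IPv6, 0 otherwise.
 * inet_pton only accepts canonical address syntax, so hostnames, spaces
 * and shell metacharacters are all rejected before anything is executed. */
int validate_ping_target(const char *input)
{
    unsigned char addr[16];
    if (input == NULL || strlen(input) > INET6_ADDRSTRLEN)
        return 0;
    if (inet_pton(AF_INET, input, addr) == 1)
        return 4;
    if (inet_pton(AF_INET6, input, addr) == 1)
        return 6;
    return 0;
}

/* Builds an argv vector for execve()/posix_spawn(): {"ping","-c","4",target,NULL}.
 * Returns the argument count, or -1 if the target fails validation. */
int build_ping_argv(const char *input, const char *argv[], int argv_max)
{
    if (argv_max < 5 || !validate_ping_target(input))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = input;   /* a separate argv element, never re-parsed by a shell */
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    const char *argv[5];
    const char *samples[] = { "192.0.2.1", "2001:db8::1", "192.0.2.1;id" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> family %d, argv build %d\n", samples[i],
               validate_ping_target(samples[i]), build_ping_argv(samples[i], argv, 5));
    return 0;
}
```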
Mirai may be gone, but its code has spawned numerous new botnets that cause large-scale problems for unsecured devices.
In August 2021, another Mirai-based botnet targeted a critical vulnerability in the software SDK used by a large number of Realtek-based devices.
Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2021-11-13 | CVE-2021-41653 | Code Injection vulnerability in TP-Link TL-WR840N firmware: the PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field. | 9.8