Dark Mirai botnet targeting RCE on popular TP-Link router (Security News, December 2021)
The botnet known as Dark Mirai has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017.
According to a report by researchers at Fortinet, who have been following Dark Mirai activity, the botnet added this particular RCE to its arsenal only two weeks after TP-Link released the firmware update.
In the case of Dark Mirai, the actors exploit CVE-2021-41653 to force the devices to download and execute a malicious script, "Tshit.sh," which in turn downloads the main binary payloads via two requests.
The actors still need to authenticate for this exploit to work, but if the user has left the device with default credentials, it becomes trivial to exploit the vulnerability.
Mirai itself may be gone, but its leaked code has spawned numerous new botnets that cause large-scale problems for unsecured devices.
In August 2021, another Mirai-based botnet targeted a critical vulnerability in the software SDK used by a large number of Realtek-based devices.
Related news
- Juniper warns of Mirai botnet targeting Session Smart routers
- Juniper warns of Mirai botnet scanning for Session Smart routers
- New Mirai botnet targets industrial routers with zero-day exploits
- Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks
- Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords
- New botnet exploits vulnerabilities in NVRs, TP-Link routers
- Malware botnets exploit outdated D-Link routers in recent attacks
- 13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks
- Mirai Variant Murdoc_Botnet Exploits AVTECH IP Cameras and Huawei Routers
- Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS)
---|---|---|---|---
2021-11-13 | CVE-2021-41653 | Code injection vulnerability in TP-Link TL-WR840N firmware | The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field. | 9.8
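The vulnerability class behind CVE-2021-41653 is command injection: a diagnostic "ping" feature passes a user-supplied IP address field into an OS command. The following is an added example written for this page, not TP-Link's firmware code (which is not shown here); it contrasts the unsafe string-building pattern with a hardened version that accepts only a literal IP address and invokes `ping` without a shell, plus a small check a defender can run over web-server logs to flag injection attempts against such a field. The function names and the `-c 3` ping count are assumptions of this example.

```python
import ipaddress
import re
import subprocess

# Characters that have meaning to a POSIX shell and never belong in an IP address.
# Used both for hardening (reject) and for log-side detection (flag).
_SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")


def unsafe_ping_command(user_input: str) -> str:
    """The vulnerable pattern: the field is interpolated into a shell command line.
    Anything the shell interprets in user_input becomes part of the command.
    Returned as a string only to show the pattern; never execute this."""
    return f"ping -c 3 {user_input}"


def looks_injected(field_value: str) -> bool:
    """Detection helper: True if an IP-address field carries shell metacharacters.
    Suitable for scanning request logs of a router-style diagnostics endpoint."""
    return _SHELL_METACHARS.search(field_value) is not None


def validate_ip(user_input: str) -> str:
    """Hardened input handling: return the canonical IP literal or raise ValueError.
    ipaddress.ip_address() rejects hostnames, blanks and any trailing junk,
    so only a well-formed IPv4/IPv6 literal survives."""
    candidate = user_input.strip()
    if looks_injected(candidate):
        raise ValueError("illegal character in IP address field")
    return str(ipaddress.ip_address(candidate))


def is_valid_ip(user_input: str) -> bool:
    """Boolean wrapper around validate_ip for callers that just need a yes/no."""
    try:
        validate_ip(user_input)
        return True
    except ValueError:
        return False


def safe_ping_command(user_input: str, count: int = 3) -> list:
    """Hardened pattern: build an argv list for subprocess, no shell involved.
    Even if validation were bypassed, the target is a single argv element and
    is never parsed for ';', '|', '$(...)' and friends."""
    target = validate_ip(user_input)
    return ["ping", "-c", str(count), target]


def run_safe_ping(user_input: str) -> subprocess.CompletedProcess:
    """Execute the hardened command. shell=False (the default) is the key property."""
    return subprocess.run(safe_ping_command(user_input),
                          capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.0/24 is reserved for documentation.
    for value in ["192.0.2.10", "192.0.2.10; id", "$(id)", "example.com"]:
        print(f"{value!r:22} valid={is_valid_ip(value)} flagged={looks_injected(value)}")
```

Design note: the metacharacter check is defence in depth and a detection signal; the real fix is the argv-list invocation in `safe_ping_command`, which removes the shell from the path entirely. The `ipaddress` parse then narrows the accepted input to exactly what a ping diagnostic needs.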