Mirai botnet exploits 0-day in TP-Link routers

Attackers are actively exploiting CVE-2023-1389, a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers that was discovered at the Pwn2Own hacking competition in December last year. Compromised devices are being used in DDoS attacks.

The vulnerability was first demonstrated at Pwn2Own Toronto 2022, where two separate teams compromised the device using different approaches (one via the LAN interface, the other via the WAN interface). TP-Link fixed the problem in March 2023 with the release of firmware 1.1.4 Build 20230219.

As Pwn2Own organizer Trend Micro's Zero Day Initiative (ZDI) now reports, exploitation attempts began on April 11, 2023, first concentrated on devices in Eastern Europe and then spreading around the world.

CVE-2023-1389 (CVSS score 8.8) is an unauthenticated command injection vulnerability in the locale API of the TP-Link Archer AX21 router. The root cause is missing input sanitization, which lets remote attackers inject commands that are ultimately executed on the device.

Attackers exploit the flaw by sending a specially crafted request to the router with the payload in the country parameter, followed by a second request that triggers execution of the injected command.

ZDI reports that the vulnerability is currently being exploited by the Mirai botnet to gain access to devices. The malware then downloads a payload matching the router's architecture in order to enlist the device in the botnet. This particular Mirai variant is geared towards DDoS attacks on game servers and, in particular, is able to launch attacks on Valve Source Engine (VSE).

Another interesting aspect of this version of Mirai is that the malware can mimic legitimate network traffic, which makes it harder to tell malicious traffic apart from ordinary traffic.

Mirai botnet catches “helicopters”: Apache servers have become a hacker tool

What happened next, we will find out now...

Aqua researchers report that a new Mirai botnet campaign is targeting misconfigured and poorly protected Apache Tomcat servers.

Over two years, Aqua recorded more than 800 attacks on its Tomcat server honeypots, and 96% of them were linked to the Mirai botnet. The attacker scanned for Tomcat servers and launched brute-force attacks against them, trying various credential combinations to gain access to the Tomcat Web Application Manager.

Having gained a foothold on the system, the attacker deployed a WAR file containing a malicious web shell, “CMD.jsp”, designed to execute arbitrary commands on the Tomcat server. Through it, a shell script named "Neww" is downloaded and run, after which the file is deleted. The script contains links to download 12 binaries, each built for a specific architecture depending on the target system.

[Figure: Attack chain]

In the final stage of the attack, the Mirai botnet payload is downloaded and uses the infected hosts to mount DDoS attacks. To mitigate the campaign, organizations are advised to harden their environments and practise good credential hygiene in order to prevent brute-force attacks.
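The Tomcat chain described above (Manager brute force, WAR deployment, web shell use) leaves a recognisable trail in the Tomcat access log. The following detector is an added example, not code from Aqua or the article; it assumes the default "common" access log pattern, treats the threshold of five failed Manager logins as an arbitrary value, and runs on constructed sample lines.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Tomcat access log, default "common" pattern: host - user [time] "method uri proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+')
BRUTE_FORCE_THRESHOLD = 5  # failed Manager logins from one IP before alerting (assumed value)
DEPLOY_PREFIXES = ("/manager/text/deploy", "/manager/html/upload")  # Manager WAR deploy endpoints

def analyse(lines):
    """Return (kind, ip, detail) findings, one per detected stage of the chain."""
    failed = defaultdict(int)  # failed Manager logins per source IP
    deployed = {}              # context path -> IP that deployed it
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], int(m["status"])
        url = urlsplit(m["uri"])
        # Stage 1: credential brute force against the Manager shows up as a run of 401s.
        if url.path.startswith("/manager/") and status == 401:
            failed[ip] += 1
            if failed[ip] == BRUTE_FORCE_THRESHOLD:
                findings.append(("manager_bruteforce", ip, f"{failed[ip]} failed logins"))
        # Stage 2: a WAR deployed through the Manager (text or HTML interface) once a login works.
        elif method in ("PUT", "POST") and url.path.startswith(DEPLOY_PREFIXES) and status == 200:
            ctx = parse_qs(url.query).get("path", ["/"])[0]
            deployed[ctx] = ip
            findings.append(("war_deploy", ip, ctx))
        # Stage 3: a JSP inside a freshly deployed context being requested is the web shell in use.
        elif url.path.lower().endswith(".jsp"):
            ctx = "/" + url.path.split("/")[1] if url.path.count("/") > 1 else "/"
            if ctx in deployed:
                findings.append(("webshell_access", ip, url.path))
    return findings

# Constructed sample: five failed logins, a deploy of context /cmd, the shell being called, one benign hit.
SAMPLE_LOG = [f'203.0.113.5 - - [10/Jul/2023:10:00:0{i} +0000] "GET /manager/html HTTP/1.1" 401 2473'
              for i in range(1, 6)] + [
    '203.0.113.5 - tomcat [10/Jul/2023:10:00:09 +0000] "PUT /manager/text/deploy?path=/cmd&update=true HTTP/1.1" 200 45',
    '203.0.113.5 - - [10/Jul/2023:10:00:12 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 200 120',
    '198.51.100.7 - - [10/Jul/2023:10:01:00 +0000] "GET /docs/index.jsp HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for kind, ip, detail in analyse(SAMPLE_LOG):
        print(f"{kind:20} {ip:15} {detail}")
```

Correlating the three stages from one source IP is what separates this chain from ordinary failed logins or routine deployments by administrators.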

It recently became known that the Mirai botnet has received a new modification aimed at infecting various devices from D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear and MediaTek.