The Zero Day Initiative (ZDI) recently reported that the Mirai botnet has been exploiting a vulnerability in TP-Link Archer AX21 Wi-Fi routers, known as CVE-2023-1389. The flaw is an unauthenticated command injection vulnerability in the router’s locale API, caused by the lack of input sanitization in the locale API.
In March, TP-Link released a firmware update to address the issue, but threat actors started exploiting the flaw after the public release of the fix, initially targeting Eastern Europe. The Mirai botnet behind the attacks is focused on launching DDoS attacks and has the ability to target Valve Source Engine (VSE).
The attackers exploit the vulnerability by sending a specially crafted request containing a command payload as part of the country parameter. The attackers then send a second request that triggers the execution of the command. ZDI has provided Indicators of compromise (IoCs) for this campaign.
This botnet version also supports a feature to mimic legitimate traffic, making it harder to separate malicious DDoS traffic from legitimate network traffic. Among the interesting functions is a TSource Engine Query attack functionality, which can be used to launch a Valve Source Engine (VSE) DDoS attack against game servers.
This type of attack can have significant consequences for online gaming platforms, as it can cause service disruptions and impact the user experience.
Organizations that use TP-Link Archer AX21 routers are advised to update their firmware immediately to address the vulnerability and monitor their network for any suspicious activity.
It is essential to stay vigilant and take all necessary precautions to prevent cyber-attacks and protect sensitive information.
