TP-Link Archer WiFi Router Flaw Exploited by Mirai Malware

Summary:
The TP-Link Archer AX21 (AX1800) WiFi router vulnerability, tracked as CVE-2023-1389, is being exploited by the Mirai malware botnet to recruit devices into its DDoS attacks. The vulnerability was first exploited by two hacking teams during the Pwn2Own Toronto event in December 2022, using different methods of access to the router's LAN and WAN interfaces. TP-Link was made aware of the flaw in January 2023, and a patch was released last month via a firmware update. Last week, the Zero Day Initiative detected exploitation attempts in the wild, initially targeting Eastern Europe and then spreading globally.

“The CVE-2023-1389 vulnerability is a high-severity (CVSS v3: 8.8) unauthenticated command injection flaw in the locale API of the web management interface of the TP-Link Archer AX21 router. The source of the problem is the lack of input sanitization in the locale API that manages the router's language settings, which does not validate or filter what it receives. This allows remote attackers to inject commands that should be executed on the device. Hackers can exploit the flaw by sending a specially crafted request to the router that contains a command payload as part of the country parameter, followed by a second request that triggers the execution of the command. The first signs of in-the-wild exploitation became evident on April 11, 2023, and the malicious activity is now detected globally” (Bleeping Computer, 2023).
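The root cause quoted above is a locale API that passes the country parameter to a command without validating it. As an added defender-side example (not TP-Link's code), the block below shows the allowlist check such a parameter should have received, and a scanner that applies the same check to web-management access logs so a SOC can flag requests whose country value would never have been legitimate. The log format, the `/locale` path and the log lines are constructed assumptions, not taken from the router.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A country setting is nothing more than a short alphabetic code such as
# "US" or "DE". Rejecting everything else means shell metacharacters can
# never reach whatever command applies the setting on the device.
COUNTRY_RE = re.compile(r"^[A-Za-z]{2,3}$")


def is_valid_country(value: str) -> bool:
    """Allowlist check: True only for a plain 2-3 letter code."""
    return COUNTRY_RE.fullmatch(value) is not None


# Constructed access-log format: "<client_ip> <method> <path?query> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def suspicious_locale_requests(log_lines):
    """Return (client_ip, decoded_country_value) for every request to the
    locale API whose country parameter fails the allowlist above."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a request line in the assumed format
        client_ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if "/locale" not in parts.path:
            continue  # only the locale API is of interest here
        # parse_qs percent-decodes the values, so "%3B" is seen as ";"
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("country", []):
            if not is_valid_country(value):
                hits.append((client_ip, value))
    return hits


# Constructed sample log: one benign locale request, one with a shell
# metacharacter smuggled into the country value, and two unrelated lines.
SAMPLE_LOG = [
    "192.0.2.10 GET /locale?form=country&country=US 200",
    "198.51.100.7 POST /locale?form=country&country=US%3Bprobe 200",
    "192.0.2.10 GET /locale?form=lang&lang=en 200",
    "203.0.113.5 GET /login?user=admin 401",
]

if __name__ == "__main__":
    for ip, value in suspicious_locale_requests(SAMPLE_LOG):
        print(f"suspicious locale request from {ip}: country={value!r}")
```

Run against real logs, the only lines that should ever appear are the ones worth an incident ticket, since a legitimate client has no reason to send anything but a bare country code.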

Analyst comments:
According to ZDI, a new version of the Mirai malware botnet is using the TP-Link Archer router vulnerability to gain access to the device and download a binary payload built for the router's architecture. The botnet's primary objective is to launch DDoS attacks, with a specific focus on game servers, particularly Valve Source Engine (VSE). What makes this new malware version unique is its ability to mimic legitimate network traffic, making it difficult for DDoS mitigation solutions to distinguish malicious traffic from legitimate traffic and drop the unwanted traffic effectively.

Mitigation:
TP-Link initially attempted to fix the vulnerability on February 24, 2023, but the patch was insufficient and the flaw could still be exploited. On March 24, 2023, TP-Link released a firmware update that addresses CVE-2023-1389. Owners of the Archer AX21 (AX1800) dual-band WiFi 6 router can download the latest firmware from the following webpage:

https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware

If a TP-Link router is infected, there are several telltale signs, including device overheating, internet disconnections, unexplained changes to the device's network settings, and resets of the admin user password.

There are various methods of defending against DDoS attacks.

Sinkholing:
In this approach, all traffic is diverted to a “sinkhole” where it is discarded. The drawback is that good and bad traffic are removed alike, so the business loses real customers.

Routers and firewalls:
Routers can help stop attacks by filtering nonessential protocols and invalid IP addresses, but when a botnet uses spoofed source IP addresses, address-based filtering becomes worthless. Firewalls have the same difficulty when source IP addresses are spoofed.

Intrusion-detection systems:
These solutions can use machine learning to recognize attack patterns and automatically block traffic through a firewall. They are not always fully automated and may require tuning to avoid false positives.

DDoS mitigation appliances:
Various vendors make appliances designed to scrub traffic through load balancing and firewall blocking. Organizations have had varying levels of success with such products: some legitimate traffic gets blocked, and some bad traffic still gets through.

Over-provisioning:
Some organizations choose to provision extra bandwidth to absorb the sudden spike in traffic during a DDoS attack. This bandwidth is often outsourced to a service provider that can take on the load during an attack. As attacks grow larger, this mitigation technique becomes more expensive and less viable.

More information on DDoS Attacks by CISA: https://us-cert.cisa.gov/ncas/tips/ST04-015

Source: https://www.bleepingcomputer.com/