
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats

We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

Multiple Botnets Exploiting One-Year-Old TP-Link Flaw to Hack Routers

Summary:
Multiple botnet operations are taking advantage of a year-old vulnerability, CVE-2023-1389, specifically targeting TP-Link Archer AX21 (AX1800) routers. This vulnerability allows attackers to execute commands without authentication via the locale API accessible through the router's web interface. The flaw was discovered in January 2023, and security researchers promptly reported it to TP-Link through the Zero-Day Initiative, leading to firmware updates released in March 2023.

Despite the availability of patches, several distinct botnet malware campaigns are actively exploiting unpatched devices. Among these are variants of the notorious Mirai botnet, along with newer botnets like Moobot, Miori, AGoent, a Gafgyt variant, and Condi. Each botnet uses its own methods to exploit the vulnerability and compromise routers, often using the compromised devices for DDoS attacks and credential brute-forcing.

Security Officer Comments:
Fortinet's recent observations indicate a significant uptick in malicious activities targeting this vulnerability, with daily infection attempts surpassing 40,000 to 50,000 since March 2024. The surge in attacks underscores the ongoing risk posed by unpatched routers.

Suggested Corrections:

IOCs:
https://www.fortinet.com/blog/threa...xploiting-cve-2023-1389-for-wide-scale-spread

Despite TP-Link's efforts to address the vulnerability, many users still have not updated their router firmware, leaving their devices vulnerable to exploitation. As additional safeguards against these ongoing attacks, TP-Link advises users to promptly update their firmware following the provided instructions, change default admin passwords to strong, unique ones, and disable web access to the admin panel if it is not required. TP-Link Archer AX21 (AX1800) router users are advised to follow the vendor's firmware upgrading instructions, available here.

Link(s):
https://www.bleepingcomputer.com/ne..ng-one-year-old-tp-link-flaw-to-hack-routers/