In a report, the Cato CTRL team notes that attackers have launched a new botnet campaign targeting TP-Link routers; more than 6,000 devices are currently infected.
The botnet, dubbed Ballista, exploits a remote code execution (RCE) vulnerability in the TP-Link Archer AX-21 router. The infection begins with a dropper script downloaded to the device; the script fetches and executes the main binary, which then opens a command-and-control (C2) channel on port 82, giving the operators full control of the router.
The malware can execute remote commands, launch DDoS attacks, and read configuration files; it also hides its traces and presence on the device and scans for and infects other vulnerable routers. Most of the infected devices are located in Brazil, Poland, the United Kingdom, Bulgaria, and Turkey, while the observed targets of the attacks are healthcare and technology companies in the United States, Australia, China, and Mexico.
Because the C2 IP address was located in Italy and the malware's strings were written in Italian, the researchers attributed the campaign to Italian-speaking operators. That original C2 IP address is no longer active; a newer variant instead reaches its C2 infrastructure through Tor domains, which indicates that the malware is under active development.
The researchers recommend that owners of the TP-Link Archer AX-21 immediately install the firmware update that fixes the vulnerability; the update and setup instructions are available from TP-Link's official website.
Source: tomsguide