Security
Headlines
HeadlinesLatestCVEs

Headline

New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers

By Deeba Ahmed FortiGuard Labs has identified numerous Condi DDoS botnet samples that exploit other known security flaws, putting unpatched software at a higher risk of being exploited by botnet malware. This is a post from HackRead.com Read the original post: New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers

HackRead
#vulnerability#web#ios#linux#ddos#rce#botnet#auth#wifi

Condi is the second DDoS botnet to exploit CVE-2023-1389, with the Mirai botnet targeting it in April 2023.

FortiGuard Labs researchers have discovered new samples of a DDoS-as-a-service botnet called Condi and shared its capabilities in their latest report published on June 20, 2023. Fortinet researchers wrote that since May 2023, their monitoring systems have collected many Condi samples, indicating that botnet operators are trying to expand their reach.

How is Condi Distributed?

According to their research, Condi is distributed by exploiting TP-Link Archer AX21 (AX1800) Wi-Fi 6 routers that are vulnerable to CVE-2023-1389, which was discovered by ZDI. This is the second DDoS botnet to exploit this flaw, with the Mirai botnet having targeted it in April 2023. The AX1800 is a Linux-based dual-band router that features 1.8 GBPS bandwidth.

Unlike other botnets that are distributed via brute-force attacks, Condi features a module for checking vulnerable AX21 routers. If it finds one, it executes a shell script obtained from a remote server to deliver the malware. It specifically searches for routers that are vulnerable to CVE-2023-1389.

Condi Capabilities

Condi is a smart botnet that kills all the processes of its competitor botnets.

/bin/busybox

/bin/systemd

/usr/bin

test

/tmp/condi

/tmp/zxcr9999

/tmp/condinetwork

/var/condibot

/var/zxcr9999

/var/CondiBot

/var/condinet

/bin/watchdog

Furthermore, Condi prevents its older versions from carrying out any activities. However, this implementation is flawed because the Name field only contains the executable names of the processes instead of their full paths.

Additionally, Condi terminates all processes with binary filenames that contain extensions commonly used by other botnets, including:

x86

x86_64

arm

arm5

arm6

arm7

mips

mipsel

sh4

PPC

However, it lacks persistence and cannot survive if the system is rebooted. To address this issue, the malware deletes several binaries used for rebooting or shutting down the device. These binaries include:

/usr/sbin/reboot

/usr/bin/reboot

/usr/sbin/shutdown

/usr/bin/shutdown

/usr/sbin/poweroff

/usr/bin/poweroff

/usr/sbin/halt

/usr/bin/halt

Condi has demonstrated aggressive monetization techniques and is capable of trapping devices to create a powerful DDoS botnet, which cybercriminals can rent to launch TCP and UDP flood attacks on websites.

Vulnerability Details

For your information, CVE-2023-1389 (CVSS score of 8.8) is a high-severity unauthenticated command injection and remote code execution vulnerability that was discovered in the router’s web management interface API in mid-March of last year. ZDI reported this flaw to the vendor in January 2023, after which TP-Link released a security update in March 2023, in version 1.1.4 Build 20230219.

Who is Operating Condi?

According to security researchers Joie Salvio and Roy Tay from FortiGuard Labs, this botnet is operated by a threat actor who goes by the alias zxcr9999 on Telegram. The actor has a Telegram channel called Condi Network, which was started in May 2022 primarily to promote their service and even sell malware source code.

On the left, the threat actor is listing the features of the Condi botnet. On the right is the Condi DDoS botnet’s store. (Screenshots provided by FortiGuard Labs.)

“The threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code,” researchers wrote in a blog post.

Researchers identified numerous Condi samples that exploit other known security flaws, putting unpatched software at a higher risk of exploitation by botnet malware. Therefore, updating your software after a patch is released is essential.

  1. Verizon FiOS Router and Security Issues
  2. How To Keep Your Router And WiFi Safe From Hackers
  3. Mirai botnet resurfaces with MooBot, hits D-Link devices
  4. NETGEAR Router Flaw Allowed Access to Restricted Services
  5. Hackers exploit routers to drop malicious “WHO” COVID-19 app

Related news

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a

Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks

Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.

TP-Link Archer AX21 Command Injection

TP-Link Archer AX21 suffers from an unauthenticated remote command injection vulnerability.

New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks

A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel

Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited”

Categories: Exploits and vulnerabilities Categories: News Tags: Oracle Tags: WebLogic Tags: CVE-2023-21839 Tags: CVE-2023-1389 Tags: CVE-2021-45046 Tags: CISA Tags: reverse shell An easy to exploit vulnerability in Oracle WebLogic Server has been added to the CISA list of things you really, really need to patch. (Read more...) The post Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited” appeared first on Malwarebytes Labs.

Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The security vulnerabilities are as follows - CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted

Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware

Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil

CVE-2023-1389: Unauthenticated Command Injection in TP-Link Archer AX21 (AX1800)

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

HackRead: Latest News

Andrew Tate’s University Breach: 1 Million User Records and Chats Leaked