New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers
By Deeba Ahmed, HackRead.com

FortiGuard Labs has identified numerous Condi DDoS botnet samples that exploit other known security flaws, putting unpatched devices at higher risk of being recruited by botnet malware.
Condi is the second DDoS botnet to exploit CVE-2023-1389, with the Mirai botnet targeting it in April 2023.
FortiGuard Labs researchers have analysed new samples of Condi, a botnet rented out as a DDoS-as-a-service offering, and described its capabilities in a report published on June 20, 2023. Fortinet says its monitoring systems have collected a growing number of Condi samples since May 2023, which suggests the operators are actively expanding the botnet.
How is Condi Distributed?
According to the report, Condi spreads by exploiting CVE-2023-1389 in TP-Link Archer AX21 (AX1800) Wi-Fi 6 routers, a flaw reported to TP-Link through Trend Micro's Zero Day Initiative (ZDI). Condi is the second DDoS botnet seen exploiting it, after a Mirai variant in April 2023. The Archer AX21 is a Linux-based dual-band router rated for a combined 1.8 Gbps of wireless throughput.
Unlike botnets that spread by brute-forcing weak Telnet or SSH credentials, Condi carries a scanner that probes for Archer AX21 routers vulnerable to CVE-2023-1389. When it finds one, it uses the command injection to make the router fetch a shell script from a remote server and execute it; that script delivers the malware.
Condi Capabilities
Condi competes for the device with other botnets and with older copies of itself. It enumerates the running processes and compares each process's name against the following built-in list of strings:
/bin/busybox
/bin/systemd
/usr/bin
test
/tmp/condi
/tmp/zxcr9999
/tmp/condinetwork
/var/condibot
/var/zxcr9999
/var/CondiBot
/var/condinet
/bin/watchdog
The entries under /tmp and /var are Condi's own drop locations, and their purpose is to stop older Condi versions from running. This part of the implementation is broken, however: the comparison is made against the process's Name field, which (as exposed in /proc/<pid>/status) holds only the executable's base name, capped at 15 characters by the kernel, never a full path. An entry such as /tmp/condi therefore never equals the Name value "condi", so the check cannot fire for any entry written as a path.
Separately, Condi kills every process whose binary name contains one of the architecture tokens that other botnets use to name their per-architecture builds (bot.arm7, bot.mips and the like):
x86
x86_64
arm
arm5
arm6
arm7
mips
mipsel
sh4
PPC
Condi has no persistence mechanism, so a reboot removes it. Rather than add persistence, the malware tries to make a reboot unlikely by deleting the binaries normally used to reboot or shut down the device:
/usr/sbin/reboot
/usr/bin/reboot
/usr/sbin/shutdown
/usr/bin/shutdown
/usr/sbin/poweroff
/usr/bin/poweroff
/usr/sbin/halt
/usr/bin/halt

On BusyBox-based router firmware these paths are typically symlinks to /bin/busybox; removing the links does not remove the applet, so invoking busybox reboot directly, or simply power-cycling the device, still clears the infection. What the deletions do achieve is to stop a casual operator from rebooting with the usual commands.
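To make the process-matching rules and the anti-reboot trick above concrete, here is an added triage script; it is not code from FortiGuard Labs or HackRead. It re-implements Condi's comparison from the lists on this page to show why an entry written as a path can never equal a process's Name field, then performs the check the way a responder should (full paths against the resolved /proc/<pid>/exe link, name tokens against the base name) and reports which of the listed reboot binaries are missing under a given root. The reason labels, the suffix regex and the sample root directory it builds are this example's own assumptions, not behaviour of the malware.

```python
"""Condi host triage: process indicators and the anti-reboot trick.

Added example, not FortiGuard Labs' or HackRead's code. The three lists are
copied from the page; the 15-character limit is how Linux fills the Name:
field of /proc/<pid>/status. Reason labels, the suffix regex and the sample
root directory are this example's own assumptions.
"""
import os
import re
import tempfile

# Process names Condi compares against (from the page).
NAME_KILL_LIST = [
    "/bin/busybox", "/bin/systemd", "/usr/bin", "test",
    "/tmp/condi", "/tmp/zxcr9999", "/tmp/condinetwork",
    "/var/condibot", "/var/zxcr9999", "/var/CondiBot", "/var/condinet",
    "/bin/watchdog",
]
# Architecture tokens Condi looks for in other bots' binary names (from the page).
ARCH_TOKENS = ["x86_64", "x86", "arm7", "arm6", "arm5", "arm",
               "mipsel", "mips", "sh4", "ppc"]
# Assumption: match only a whole trailing component (bot.arm7, bot-mips, mips),
# so a name like "alarm" is not flagged.
ARCH_RE = re.compile(r"(?:^|[._-])(?:%s)$" % "|".join(ARCH_TOKENS), re.IGNORECASE)
# Binaries Condi deletes so the device cannot be rebooted (from the page).
REBOOT_BINARIES = [
    "/usr/sbin/reboot", "/usr/bin/reboot", "/usr/sbin/shutdown", "/usr/bin/shutdown",
    "/usr/sbin/poweroff", "/usr/bin/poweroff", "/usr/sbin/halt", "/usr/bin/halt",
]
TASK_COMM_LEN = 15  # Linux keeps at most 15 bytes of a process's command name


def proc_name_from_path(exe_path):
    """What the kernel puts in Name: for a binary at exe_path: the base name,
    truncated to 15 characters, never a directory component."""
    return os.path.basename(exe_path)[:TASK_COMM_LEN]


def flawed_self_kill_match(name):
    """Condi's comparison as the page describes it: the Name field against the
    list verbatim. An entry written as a path can never equal a base name."""
    return name in NAME_KILL_LIST


def self_kill_entries_that_can_match():
    """List entries that could ever match a running process's Name field."""
    return [e for e in NAME_KILL_LIST if flawed_self_kill_match(proc_name_from_path(e))]


def classify_process(name, exe_path):
    """The check done correctly: path indicators against the resolved executable
    path, name indicators against the base name. Returns a set of reason labels."""
    reasons = set()
    if exe_path in NAME_KILL_LIST and exe_path.startswith(("/tmp/", "/var/")):
        reasons.add("condi-drop-path")
    if "condi" in name.lower() or "zxcr9999" in name.lower():
        reasons.add("condi-name")
    if ARCH_RE.search(name):
        reasons.add("arch-suffixed-binary")
    return reasons


def scan_proc(proc_root="/proc"):
    """Walk procfs and return (pid, name, exe, reasons) for suspicious processes.
    Bots often unlink their binary after starting; the kernel then appends
    ' (deleted)' to the exe link, which is stripped here so the path still matches."""
    hits = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "status")) as f:
                name = f.readline().split(":", 1)[1].strip()
            exe = os.readlink(os.path.join(base, "exe"))
        except (OSError, IndexError):
            continue  # kernel threads, processes that just exited, EACCES
        if exe.endswith(" (deleted)"):
            exe = exe[:-len(" (deleted)")]
        reasons = classify_process(name, exe)
        if reasons:
            hits.append((int(pid), name, exe, reasons))
    return hits


def missing_reboot_binaries(root="/"):
    """Reboot-related binaries absent under root (live system or mounted firmware
    image). Symlinks count as present. Many systems lack some of these paths;
    the telling sign is when all eight are gone."""
    return [p for p in REBOOT_BINARIES
            if not os.path.lexists(os.path.join(root, p.lstrip("/")))]


def make_sample_root():
    """Constructed fixture: a fake root where only /usr/sbin/reboot survives."""
    root = tempfile.mkdtemp(prefix="condi-triage-")
    os.makedirs(os.path.join(root, "usr", "sbin"))
    open(os.path.join(root, "usr", "sbin", "reboot"), "w").close()
    return root


if __name__ == "__main__":
    print("entries that can match Name:", self_kill_entries_that_can_match())
    print("suspicious processes:", scan_proc())
    print("missing under sample root:", missing_reboot_binaries(make_sample_root()))
```

On the router itself there is no Python, so the equivalent on a BusyBox shell is a loop over /proc/[0-9]*/status reading the Name: line and readlink on /proc/<pid>/exe; on a workstation, point scan_proc and missing_reboot_binaries at a copied procfs tree or a mounted firmware image. Note that only "test" in the self-kill list can ever equal a Name value, which is the flaw the report describes, and that a few missing reboot paths are normal on many systems: all eight missing is the indicator.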
Condi's operator monetizes the botnet aggressively: compromised routers are rented out as a DDoS-for-hire service, and the samples support TCP and UDP flood attacks against targets of the customer's choosing.
Vulnerability Details
For reference, CVE-2023-1389 (CVSS 8.8, high severity) is an unauthenticated command injection in the Archer AX21's web management interface API that yields remote code execution as root. ZDI reported the flaw to TP-Link in January 2023; the vendor released a fix in March 2023 as firmware version 1.1.4 Build 20230219, and devices on earlier firmware remain exploitable.
Who is Operating Condi?
According to security researchers Joie Salvio and Roy Tay from FortiGuard Labs, this botnet is operated by a threat actor who goes by the alias zxcr9999 on Telegram. The actor has a Telegram channel called Condi Network, which was started in May 2022 primarily to promote their service and even sell malware source code.
[Figure] Left: the threat actor's listing of the Condi botnet's features. Right: the Condi DDoS botnet's store. (Screenshots: FortiGuard Labs.)
“The threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code,” researchers wrote in a blog post.
Beyond CVE-2023-1389, the researchers identified Condi samples that exploit other known vulnerabilities, so any unpatched device within the scanner's reach is a candidate for recruitment. Apply firmware updates as soon as the vendor releases them; for the Archer AX21 that means confirming the device runs 1.1.4 Build 20230219 or later.
- Verizon FiOS Router and Security Issues
- How To Keep Your Router And WiFi Safe From Hackers
- Mirai botnet resurfaces with MooBot, hits D-Link devices
- NETGEAR Router Flaw Allowed Access to Restricted Services
- Hackers exploit routers to drop malicious “WHO” COVID-19 app
Related news
While a number of threat groups have used TP-Link bugs to infiltrate networks, a proposed ban of the company's popular routers is more about geopolitics than actual cybersecurity — and that may not be a bad thing.
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a
CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of…
Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.
TP-Link Archer AX21 suffers from an unauthenticated remote command injection vulnerability.
A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel
An easy to exploit vulnerability in Oracle WebLogic Server has been added to the CISA list of things you really, really need to patch. (Malwarebytes Labs: Oracle WebLogic Server vulnerability added to CISA list as "known to be exploited".)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The security vulnerabilities are as follows - CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
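As an added example (not code from TP-Link, ZDI, FortiGuard Labs or HackRead), the following Python classifies captured HTTP requests to the endpoint described above and flags the ones that would reach popen() with shell metacharacters in the country value. What it takes from the page: the endpoint /cgi-bin/luci;stok=/locale, the country form, the country parameter of the write operation, and the fact that a single unauthenticated POST suffices. What it assumes, because the page does not spell it out: that the form and operation are selected by parameters named "form" and "operation", that the value travels in a parameter named "country" in either the query string or the POST body, and that any stok value (including the empty one) should be matched. The sample requests are constructed for the demo.

```python
"""Flag CVE-2023-1389 exploitation attempts in captured HTTP requests.

Added example, not vendor, ZDI, FortiGuard Labs or HackRead code. From the
page: endpoint /cgi-bin/luci;stok=/locale, country form, country parameter
of the write operation passed unsanitised to popen(), unauthenticated POST.
Assumed: query/body parameter names "form", "operation" and "country", and
any stok value. Sample requests are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: any stok value, including the empty one shown on the page.
LOCALE_PATH = re.compile(r"^/cgi-bin/luci;stok=[^/]*/locale$")
# Characters that change how a shell interprets the string handed to popen().
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n]")
# Allow-list for a country code; the proper fix is this kind of positive check
# at the server, not a blocklist of characters.
LEGIT_COUNTRY = re.compile(r"^[A-Za-z]{2,3}$")


def parse_form(qs):
    """Minimal x-www-form-urlencoded parser that splits on '&' only, so a ';'
    inside a value is kept for inspection instead of being treated as a separator."""
    params = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def assess_request(method, url, body=""):
    """Classify one request as (verdict, detail). Verdicts: 'ignore', 'read',
    'write-ok', 'write-rejected' (fails allow-list) or 'exploit-attempt'."""
    parts = urlsplit(url)          # urlsplit keeps ';stok=' inside the path
    if not LOCALE_PATH.match(parts.path):
        return "ignore", "not the locale endpoint"
    params = parse_form(parts.query)
    if method.upper() == "POST" and body:
        for key, values in parse_form(body).items():
            params.setdefault(key, []).extend(values)
    form = params.get("form", [""])[0]
    if form != "country":
        return "ignore", "locale form=%r" % form
    operation = params.get("operation", [""])[0]
    if operation != "write":
        return "read", "operation=%r" % operation
    country = params.get("country", [""])[0]
    if SHELL_META.search(country):
        return "exploit-attempt", "country=%r would reach popen()" % country
    if not LEGIT_COUNTRY.match(country):
        return "write-rejected", "country=%r is not a country code" % country
    return "write-ok", "country=%r" % country


def triage(requests):
    """Run assess_request over (method, url, body) tuples."""
    return [assess_request(*req) for req in requests]


# Constructed sample traffic, not real captures.
SAMPLE_REQUESTS = [
    ("GET", "/cgi-bin/luci;stok=a1b2c3/locale?form=country&operation=read", ""),
    ("POST", "/cgi-bin/luci;stok=a1b2c3/locale?form=country", "operation=write&country=US"),
    ("POST", "/cgi-bin/luci;stok=/locale?form=country", "operation=write&country=US%3Becho%20hit"),
    ("POST", "/cgi-bin/luci;stok=/locale?form=country", "operation=write&country=USA1"),
    ("GET", "/cgi-bin/luci;stok=a1b2c3/admin/status?form=all", ""),
]

if __name__ == "__main__":
    for req, (verdict, detail) in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print("%-16s %s %s  %s" % (verdict, req[0], req[1], detail))
```

A caveat when hunting in logs: a web server's access log records the method, path and query string but not the POST body, so a payload carried in the body is invisible there; you need the body from a reverse proxy, WAF or packet capture. The same parameters in a GET query string would be logged, so check both forms. None of this substitutes for upgrading to 1.1.4 Build 20230219 or later.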