The botnet known as Dark Mirai (aka MANGA) has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017.
The flaw is tracked as CVE-2021-41653 and is caused by a vulnerable ‘host’ variable that an authenticated user can abuse to execute commands on the device.
TP-Link fixed the flaw by releasing a firmware update (TL-WR840N(EU)_V5_211109) on November 12, 2021. However, many users have not applied the security update yet.
The researcher who discovered the vulnerability published a proof of concept (PoC) exploit for the RCE, leading to threat actors using the vulnerability.
According to a report by researchers at Fortinet, who have been following Dark Mirai activity, the botnet added the particular RCE in its arsenal only two weeks after TP-Link released the firmware update.
Exploitation process
In the case of Dark Mirai, the actors exploit CVE-2021-41653 to force the devices to download and execute a malicious script, “tshit.sh,” which in turn downloads the main binary payloads via two requests.
The actors still need to authenticate for this exploit to work, but if the user has left the device with default credentials, it becomes trivial to exploit the vulnerability.
Similar to standard Mirai, MANGA detects the infected machine’s architecture and fetches the matching payload.
Then, it blocks connections to commonly targeted ports to prevent other botnets from taking over the captured device.
Finally, the malware waits for a command from the C&C (command and control) server to perform some form of a DoS (denial of service) attack.
Mirai code still plaguing IoTs
Mirai may be gone, but its code has spawned numerous new botnets that cause large-scale problems to unsecured devices.
Only yesterday, we reported on the emergence of ‘Moobot’ by exploiting a command injection flaw in Hikvision products.
In August 2021, another Mirai-based botnet targeted a critical vulnerability in the software SDK used by a large number of Realtek-based devices.
To secure your router against old and new variants of Mirai or any other botnet, do the following:
Apply the available firmware and security updates as soon as possible
Change the default administrator credentials with a strong password of 20 or more characters
Check your DNS settings regularly
Activate firewalls that are oftentimes disabled by default on home routers
Change your subnet address and enforce SSL on the management page
Disable all remote management features.
Disable UPnP and WPS if you’re not using them
If your router is outdated and no longer supported by the vendor, replace it with a new one