A recent cyberattack has compromised thousands of TP-Link routers, turning them into a botnet which spreads malware and launches cyberattacks worldwide.
Cybersecurity researchers have discovered a widespread attack in which threat actors exploited a vulnerability (CVE-2023-1389) in TP-Link Archer AX-21 routers. This security flaw allows attackers to take control of unpatched routers remotely, recruiting them, alongside thousands of others, into a botnet. What’s a botnet? Well, luckily Ophtek is here to explain: a botnet is a network of infected devices used for malicious activities on a huge scale.
At least 6,000 routers have been affected, with compromised devices found across the world in Brazil, Poland, the UK, Bulgaria, and Turkey. Once a TP-Link router is infected, it can spread malware to other devices on the same network or be used as part of a coordinated botnet attack.
How Were the TP-Link Routers Exploited?
The threat actors behind the attack started by simply scanning the internet for any vulnerable TP-Link routers that had not been updated with the latest security patches. Each time a router was found with the vulnerability still in place, the attackers were able to exploit a remote code execution flaw, which allowed them to install malware on the router.
Once infected, these routers became part of the Ballista botnet, which the threat actors were able to control remotely. As more and more routers, and devices connected to them, were recruited, Ballista became even more powerful. This enabled it to spread malware to further PCs and devices, launch DDoS attacks to flood websites and disrupt online services, and steal sensitive data passing through the router.
Why Should PC Users be Concerned?
All modern PCs rely on routers to connect to the internet and to internal IT infrastructure, but many people take them for granted and don’t consider them a security risk. Accordingly, many PC users have been caught out by not updating their router’s firmware or by keeping their device’s default password, both of which make them easy targets for hackers. As TP-Link router users have discovered, an infected router can quickly become a major security risk, sending data to hackers without the user being aware.
Keeping Your Router Safe from Vulnerabilities
It’s highly likely that you own a router or regularly use a computer connected to one. Regardless of the make and model, all routers have the potential to be compromised by threat actors. Here’s how you can stay safe:
- Update Your Firmware Regularly: Router manufacturers regularly release security updates to fix vulnerabilities in their products, so it’s crucial that you install these as soon as possible. The best way to ensure you’re running the most up-to-date firmware is to log into your router settings and check for any available updates once a month.
- Change Default Credentials: Many routers come straight out of the box with default usernames and passwords, and hackers can easily guess these because huge lists of default credentials are readily available online. This is why you need to change your router’s admin login details to a strong, unique password.
- Disable Remote Management: If your router has the option of allowing remote access over the internet, you should disable this feature unless there’s a real need for you to access it from a remote location. Reserve this type of access for your IT team.
For more ways to secure and optimize your business technology, contact your local IT professionals.