Dec 9, 2021
0 0

Dark Mirai botnet targeting RCE on popular TP-Link router

Written by

SonicWall ‘strongly urges’ customers to patch critical SMA 100 bugs
Windows ‘InstallerFileTakeOver’ zero-day bug gets free micropatch
Fujitsu pins Japanese govt data breach on stolen ProjectWEB accounts
Cox discloses data breach after hacker impersonates support agent
Malicious Notepad++ installers push StrongPity malware
Dark Mirai botnet targeting RCE on popular TP-Link router
Microsoft, Google OAuth flaws can be abused in phishing attacks
Microsoft previews new endpoint security solution for SMBs
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
The botnet known as Dark Mirai (aka MANGA) has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017.
The flaw is tracked as CVE-2021-41653 and is caused by a vulnerable ‘host’ variable that an authenticated user can abuse to execute commands on the device.
TP-Link fixed the flaw by releasing a firmware update (TL-WR840N(EU)_V5_211109) on November 12, 2021. However, many users have not applied the security update yet.
The researcher who discovered the vulnerability published a proof of concept (PoC) exploit for the RCE, leading to threat actors using the vulnerability.
According to a report by researchers at Fortinet, who have been following Dark Mirai activity, the botnet added the particular RCE in its arsenal only two weeks after TP-Link released the firmware update.
In the case of Dark Mirai, the actors exploit CVE-2021-41653 to force the devices to download and execute a malicious script, “,” which in turn downloads the main binary payloads via two requests.
The actors still need to authenticate for this exploit to work, but if the user has left the device with default credentials, it becomes trivial to exploit the vulnerability.
Similar to standard Mirai, MANGA detects the infected machine’s architecture and fetches the matching payload.
Then, it blocks connections to commonly targeted ports to prevent other botnets from taking over the captured device.
Finally, the malware waits for a command from the C&C (command and control) server to perform some form of a DoS (denial of service) attack.
Mirai may be gone, but its code has spawned numerous new botnets that cause large-scale problems to unsecured devices.
Only yesterday, we reported on the emergence of ‘Moobot’ by exploiting a command injection flaw in Hikvision products.
In August 2021, another Mirai-based botnet targeted a critical vulnerability in the software SDK used by a large number of Realtek-based devices.
To secure your router against old and new variants of Mirai or any other botnet, do the following:
Moobot botnet spreading via Hikvision camera vulnerability
Nine WiFi routers used by millions were vulnerable to 226 flaws
SanDisk SecureAccess bug allows brute forcing vault passwords
Hundreds of thousands of MikroTik devices still vulnerable to botnets
Windows ‘InstallerFileTakeOver’ zero-day bug gets free micropatch
Not a member yet? Register Now
Grafana fixes zero-day vulnerability after exploits spread over Twitter
Google disrupts massive Glupteba botnet, sues Russian operators
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


Article Categories:
Cybersecurity News

Comments are closed.