Cato Networks, a company specializing in cybersecurity and networking services, reports that it has discovered a new botnet. Dubbed Ballista, the malware specifically targets a router model from TP-Link, namely the Archer AX21.
To take control of the routers, the botnet exploits a security flaw: a command injection vulnerability. In short, an attacker can use the flaw to execute commands on the router as if they were an administrator. To exploit the vulnerability, the attacker must first gain access to the router's administrative interface.
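The bug class the article describes, illustrated with an added example that is not TP-Link's firmware code and not the Ballista malware: a constructed, hypothetical "ping diagnostic" handler from a router's administrative interface, first in the vulnerable form (untrusted input spliced into a shell string) and then hardened (allow-listed input passed as a single argv element, so no shell ever interprets it), plus a simple heuristic a defender could run over admin-interface request logs. The handler, parameter names and regular expressions are assumptions for the illustration.

```python
import re

# Constructed illustration of a command-injection bug in a router admin
# interface. Hypothetical handler; not TP-Link's code and not the Ballista
# exploit. The "host" value is whatever the web client submitted.

# Allow-list for a hostname or IPv4 literal: alphanumerics, dots and hyphens,
# no leading/trailing separator. Anything else is rejected outright.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

# Shell metacharacters that a hostname never legitimately contains.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n]")


def build_vulnerable_ping(host: str) -> str:
    """Vulnerable pattern: the request parameter is concatenated into a
    command line that the firmware would hand to /bin/sh. A separator such
    as ';' turns the diagnostic request into arbitrary command execution as
    the web server's user, which on consumer routers is typically root.
    The string is only built here, never executed."""
    return "ping -c 1 " + host


def build_safe_ping(host: str) -> list[str]:
    """Hardened pattern: validate against an allow-list and return an argv
    list for subprocess.run(..., shell=False). The host is one argument,
    so metacharacters have no meaning even if validation were loosened."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def is_suspicious_parameter(value: str) -> bool:
    """Detection heuristic for admin-interface request logs: flag any
    parameter carrying shell metacharacters. Cheap, and a useful signal
    when combined with the request's source address and the admin session."""
    return bool(SHELL_META_RE.search(value))


if __name__ == "__main__":
    benign = "example.com"
    hostile = "8.8.8.8; id"          # constructed sample input
    print(build_vulnerable_ping(hostile))      # shell would run both commands
    print(build_safe_ping(benign))             # argv list, nothing interpreted
    print(is_suspicious_parameter(hostile))    # True
    try:
        build_safe_ping(hostile)
    except ValueError as exc:
        print("blocked:", exc)
```

The fix that matters is the argv list with `shell=False`; the allow-list is defence in depth and also gives the detection heuristic a clear definition of what "normal" input looks like.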
6,000 vulnerable routers
TP-Link released a security update in early April 2023, shortly after the flaw was publicly disclosed. Unfortunately, not all users installed the update, leaving the door open to cyberattacks. The attack "highlights the persistence of security flaws in routers, often due to the lack of regular firmware updates and the lack of security rigor among some manufacturers," Cato Networks explains in the press release sent to 01Net.
More than 6,000 vulnerable routers have potentially been compromised by Ballista. The campaign targets "organizations in the healthcare, manufacturing, service, and technology sectors in the United States, Australia, China, and Mexico."
The malware continues to evolve and can now use the Tor network to hide its communications and evade detection. By routing traffic through Tor (The Onion Router), the malware makes it harder to determine where the commands it receives come from or where it sends the stolen data. In short, it puts obstacles in the way of authorities and investigators.
Italian Hackers and DDoS Attacks
According to Cato Networks, it is likely that the cybercriminals behind the attack are based in Italy. Researchers found several clues in Italian in the malware code. This is why the researchers named the botnet Ballista, a name that refers to ancient Rome: the ballista was a crossbow-like siege weapon the Romans used against their enemies.
Once a router is under its control, Ballista uses it to carry out DDoS attacks. By combining the devices it controls, the botnet can temporarily knock websites offline. DDoS attacks are part of the arsenal of many kinds of gangs, including hacktivists, and most botnets are also used for DDoS attacks. This is also the case for Eleven11bot, which was found on 86,000 connected devices around the world.
Source: Cato Networks