Condi Botnet: Capitalizing on TP-Link Router Weaknesses
In March, security researchers identified a vulnerability (tracked as CVE-2023-1389) in the firmware of TP-LINK’s AX21/AX1800 routers that allows attackers to inject commands through the ‘Country’ field of the web management interface, resulting in router infections.
On April 27, TP-LINK released a security bulletin announcing this vulnerability and simultaneously issued updated firmware to rectify it. However, botnets had already capitalized on this flaw. Variants based on the Mirai worm exploited AX21/AX1800 to convert routers into botnets.
A security report published by firewall manufacturer Fortinet revealed that the Condi botnet had infected a significant number of AX21/AX1800 routers, offering DDoS services for purchase or rental.
Hence, cybercriminals could purchase control over these router botnets already commandeered by Condi, or directly pay Condi to launch DDoS attacks against a specific website or service, incapacitating targets or competitors.
It is commonplace for routers to be converted into botnets via Mirai infections. The predominant cause is that a vast number of users fail to update their router firmware promptly, leaving vulnerable firmware exposed on the public network and making the routers an easy target for automatic infection by the Mirai worm.
Fortinet’s report also highlighted another point: Mirai-infected router botnets scan internal networks for TCP port 5555, the port used by the Android Debug Bridge (ADB).
Enabling USB debugging does not by itself open port 5555, and enabling ADB at all first requires turning on Android’s developer options. Even so, USB debugging carries its own risks, and it is advisable to disable it unless it is needed.
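As an added example (not code from the article or from Fortinet’s report), the following Python script flags internal hosts that sweep TCP port 5555 across many LAN addresses, the behaviour described above; the log format, timestamps and addresses are constructed assumptions, and an infected router will typically show up as the LAN gateway address doing the sweeping.

```python
"""Flag internal hosts sweeping TCP/5555 (Android Debug Bridge) across the LAN."""
from collections import defaultdict
import ipaddress
import re

# Constructed sample of firewall connection-attempt lines (not real traffic).
# 192.168.1.1 (the gateway) probes five LAN hosts on 5555; 192.168.1.20 does not sweep.
SAMPLE_LOG = """\
2023-06-20T10:00:01 src=192.168.1.1 dst=192.168.1.10 dport=5555 proto=tcp action=deny
2023-06-20T10:00:01 src=192.168.1.1 dst=192.168.1.11 dport=5555 proto=tcp action=deny
2023-06-20T10:00:02 src=192.168.1.1 dst=192.168.1.12 dport=5555 proto=tcp action=deny
2023-06-20T10:00:02 src=192.168.1.1 dst=192.168.1.13 dport=5555 proto=tcp action=allow
2023-06-20T10:00:03 src=192.168.1.1 dst=192.168.1.14 dport=5555 proto=tcp action=deny
2023-06-20T10:00:05 src=192.168.1.20 dst=192.168.1.21 dport=5555 proto=tcp action=allow
2023-06-20T10:00:06 src=192.168.1.20 dst=192.168.1.22 dport=443 proto=tcp action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
ADB_PORT = 5555  # TCP port used by ADB over the network


def parse(log_text):
    """Yield (src, dst, dport, proto) for each line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)


def adb_sweepers(log_text, min_targets=3):
    """Return {src: sorted targets} for private-address sources that tried TCP/5555
    against at least `min_targets` distinct private hosts (a LAN sweep pattern)."""
    targets = defaultdict(set)
    for src, dst, dport, proto in parse(log_text):
        if proto != "tcp" or dport != ADB_PORT:
            continue
        if ipaddress.ip_address(src).is_private and ipaddress.ip_address(dst).is_private:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in adb_sweepers(SAMPLE_LOG).items():
        print(f"{src} swept TCP/{ADB_PORT} on {len(dsts)} hosts: {', '.join(dsts)}")
```

Any `action=allow` hit on 5555 from a flagged source points to a device that actually has ADB listening on the network and should be checked first.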
Firstly, it is paramount to routinely check for router firmware updates. Routers are the gateway to home networks, and a successful breach lets an attacker monitor all network activity and hijack visits, redirecting them to phishing websites.
Secondly, Android developer options and USB debugging should be enabled only when required, and must always be disabled when not in use to prevent inadvertent infections.