MANGA botnet takes control of vulnerable TP-Link routers

The FortiGuard Labs team has found several malware samples that are being distributed on a massive scale with the aim of attacking TP-Link routers affected by an RCE vulnerability that was made public about two weeks ago. The new botnet, called MANGA, is based on the popular Dark-Mirai botnet and specifically targets this type of vulnerable TP-Link device in order to keep attacking. It caught the attention of the FortiGuard Labs team because it is continuously updated with new vulnerabilities, more so than other malware campaigns they have seen thus far.

This new variant of the malware distributes samples based on the published Mirai source code. Remember that the Mirai botnet performs large-scale distributed denial of service (DDoS) attacks, and that FortiGuard Labs has been monitoring this botnet for a long time.

Why are TP-Link routers the target?

Security researchers recently discovered serious vulnerabilities in the TP-Link TL-WR840N EU V5 router. This model is one of the best sellers worldwide, so there are surely thousands of affected routers, and cybercriminals are now taking advantage. MANGA exploits critical vulnerabilities. In the case of this router, TP-Link has already released firmware that fixes the problem, but the update must be done manually by logging in to the router and uploading the new firmware, which gives cybercriminals enough time to attack these routers and take control of them.

The vulnerability being exploited is CVE-2021-41653. It was discovered barely a month ago, and just two weeks later, on November 22, the first MANGA malware samples were seen exploiting it. The flaw allows authenticated users to execute arbitrary commands on the target device. In this case, vulnerable devices are forced to download and execute a malicious script, tshit.sh, which then downloads the binary payload.

On the official Fortinet website you can read a complete write-up that includes a demonstration of how the vulnerability in TP-Link routers is exploited. Customers who use Fortinet on their endpoints with FortiGuard Antivirus will be protected against this threat, since the intrusion prevention system already detects this type of attack and blocks it automatically.

What can I do if I have this TP-Link router?

If you have this TP-Link router, the first thing you should do is go to the official TP-Link TL-WR840N download website. Once there, select the hardware model of your router and download the latest firmware available. Once it is downloaded, log in to the TP-Link router through its default gateway, go to the firmware update section, upload the file you just downloaded, and wait until the process is complete. You can visit our tutorial to update the firmware of any WiFi router.

Nowadays it is essential for a router to be well supported through firmware updates; otherwise, we could be left with vulnerabilities that will never be fixed. The manufacturers that update their routers most often, in order to provide the best security and new features, are the ones we should always choose, ahead of other characteristics. In addition, we have the option of installing third-party firmware on our router to extend its functionality.
