TP-Link Router Botnet

There is a new botnet that is infecting TP-Link routers:

The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet malware attacks. The flaw is also linked to the Condi and AndroxGh0st malware attacks.

[…]

Of the thousands of infected devices, the majority of them are concentrated in Brazil, Poland, the United Kingdom, Bulgaria and Turkey; with the botnet targeting manufacturing, medical/healthcare, services and technology organizations in the United States, Australia, China and Mexico.

Details.

Posted on March 14, 2025 at 7:02 AM • 21 Comments

Comments

Saying Hello to My CALEA/COWT March 14, 2025 7:58 AM

Can’t think of its title, but I watched a YouTube video a couple of days ago of a hearing (congressional, perhaps) where a few folks from the US National Security CyberSec realm discussed exactly this, and the guy even held up one of those TP-Link routers, a small-sized one for home use, and showed it to everyone, recommending they not use that particular brand. Same guy also recommended people use the Signal app for messaging. Wish I could remember the title of the video. The hearing lasted at least a couple of hours. Most of the content was about the seriousness of the National Security threat that China poses with their data harvesting ops and about the effects of the two most known/talked about Typhoons. If someone has a link, please post it here for everyone to see.

Passerby March 14, 2025 8:16 AM

@Saying HELLO to My CALEA/COWT

Probably Rob Joyce, former director of cybersecurity at the National Security Agency

Clive Robinson March 14, 2025 10:59 AM

@ Bruce, ALL,

As noted in the article,

“Regularly patching your router and making sure the firmware is up-to-date will keep your device as secure as possible which is important as routers are often one of the most frequently hacked technologies in the home.”

The other most frequently hacked technology is “CCTV cameras”.

The reason these are targeted is three fold,

1, They have a high bandwidth.
2, They are “always on”.
3, They are in effect infrastructure not user devices.

So these devices are almost ideal for anyone who can get “past the front door”.

But there is another issue,

4, Until recently the devices had no patches or updates.

That is they were designed, built, manufactured, and sold “warts and all”. Importantly with no patching or security updates considered as part of the design as “ongoing support” was not a consideration.

There are multiple issues with,

“On-line patching and updating.”

Not least is that it increases both complexity and vulnerability, as well as decreasing software quality.

But it also creates a quite vulnerable “supply chain” even when done to “best practice” standards.

The simple fact is the industry management has created these sorts of vulnerabilities,

“As standard practice”

And actually do not want to fix them unless forced to do so.

Worse they mostly don’t take sufficient care any more due to the “we can patch it tomorrow” mentality, that actually encourages products to be shipped with known vulnerabilities in them.

Whilst there are a limited number of mitigations they mostly have downsides.

Such as the mitigation strategy of “segregation”, which would keep the devices “safely isolated” is quite deliberately prevented for profit reasons (something pushed by Amazon if not deliberately encouraged by them.) And in many cases the devices will not function at all let alone in reduced capacity if “securely segregated”.

I suspect not even draconian legislation will fix these issues, suggesting we have a problem that is not easily going to be resolved even in part…

Bob March 14, 2025 11:10 AM

TP-Link Archer AX-21 Command Injection Vulnerability 05/01/2023 05/22/2023 Apply updates per vendor instructions

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form.

https://www.tp-link.com/us/support/download/archer-ax21/v3.6/#Firmware

We’re talking about a vuln for which a patch was released years ago. I’d be willing to bet, though, that most people don’t even realize their router needs to be patched.

@Clive

Not sure what you’re talking about when you say “That is they were designed, built, manufactured, and sold “warts and all”. Importantly with no patching or security updates considered as part of the design as “on going support” was not a consideration.” Every piece of network equipment I’ve worked with over the past decade or two, and TP-Link is no exception. As I mentioned above, it appears a patch for this vuln was released years ago.

Bob March 14, 2025 11:14 AM

Should be “Every piece of network equipment I’ve worked with over the past decade or two has allowed for some sort of patching, and TP-Link is no exception.”

lurker March 14, 2025 1:43 PM

@Bob, Clive

Sure, many vendors, including TP-Link, make and publish timely patches. But how many users of these devices, who bought them at Amazon, or corner stores, know that patches exist? Never mind knowing how to download or apply them? Even for those that know or care, downloading and applying a patched firmware is an unusual, complex task, with the risk of locking themselves out of the device. And for SOHO it is “non-productive” time.

These cheap ‘n nasty routers should be behind a separate firewall, not trusting any so-called firewall built into the router rules. But then we will end up with cheap ‘n nasty firewalls …

Bob March 14, 2025 2:25 PM

@lurker

I’d be willing to bet, though, that most people don’t even realize their router needs to be patched.

I said that in the same post.

Most consumers wouldn’t be able to access the internet at all if they were stuck trying to configure a real firewall. No comment on whether that might be for the better.

Some guy March 14, 2025 5:35 PM

I actually have one of these very devices. It says:

Firmware Version: 1.3.6 Build 20230830 rel.23076(5553)

So its latest firmware was released a year and a half ago. Mine was probably updated close to that date, it has auto-update built in!

Are that many people deliberately turning off auto-update and purposefully keeping their routers on an old outdated version for 2 or 3 years? What in the world.

Now I agree that auto-update can introduce a different kind of vulnerability, but it’s a less worse option than the general alternative of never updating. Most people don’t know how to log into their router, let alone update it regularly manually. It needs auto update. It has auto update:

Auto Update
Update firmware automatically when new version is available.

Auto Update: on
Current Time: 2025-03-14 2:18:43 PM
Update Time: 3:00AM to 5:00AM

I can’t remember for certain if this particular model has auto update on by default (it should!), but a quick AI “search” seems to think it does…

Nobody should still be on that old of a vulnerable firmware.

The bigger issue with these kinds of devices in general, in my humble opinion, is that all these companies stop producing new firmware after the device is a couple years old or so. No matter what vulnerabilities are discovered after that point, your only recourse is to throw it in the trash and buy a brand new one every couple years. It’s ridiculous. But they work fine for decades, and serve people’s needs well, so most people keep them many many years longer than the manufacturer supports it with updates, even with auto updates enabled.

Look at mine, it hasn’t had an update in a year and a half, and it probably will never get another one, for the rest of time. I’ll probably need to throw it in the trash soon if I want to keep it from getting hacked, even though it supports almost the latest technology and everything (wifi 6, WPA3, mesh, and on and on), and it wasn’t cheap.
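The practical question running through the thread is whether a given device is still on a pre-fix build. As an added example (not from the post, the commenters, or TP-Link), here is a check that parses the firmware strings quoted above and compares them against the fixed AX21 version Bob cited; the inventory records, verdict labels and helper names are constructed.

```python
"""Patch-status check for TP-Link style firmware version strings (added example)."""
import re
from typing import Dict, Iterable, NamedTuple, Optional, Tuple


class FwVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int  # build date as YYYYMMDD, so field-by-field tuple ordering is chronological


# Fixed version for the Archer AX21 (AX1800), as stated in the advisory text quoted in the thread.
# Only this model/threshold is on record here; other models get no verdict.
FIXED_BY_MODEL: Dict[str, FwVersion] = {
    "ax21": FwVersion(1, 1, 4, 20230219),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})", re.IGNORECASE)


def parse_firmware_version(text: str) -> Optional[FwVersion]:
    """Parse a string such as '1.3.6 Build 20230830 rel.23076(5553)'.

    The trailing 'rel.NNNNN(NNNN)' part is ignored. Returns None when no
    recognisable version and build date are present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return FwVersion(*(int(g) for g in m.groups()))


def _model_key(model: str) -> Optional[str]:
    """Normalise 'Archer AX-21', 'archer ax21', ... to the key used in FIXED_BY_MODEL."""
    flat = re.sub(r"[^a-z0-9]", "", model.lower())
    for key in FIXED_BY_MODEL:
        if key in flat:
            return key
    return None


def is_patched(version: FwVersion, fixed: FwVersion) -> bool:
    """True when version >= fixed; NamedTuple comparison is major, minor, patch, then build date."""
    return version >= fixed


def assess_inventory(records: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each (name, model, firmware string) to one verdict:
    'patched', 'vulnerable', 'unknown-version' (unparseable string) or
    'no-threshold' (model has no fixed version on record).
    """
    verdicts: Dict[str, str] = {}
    for name, model, fw_text in records:
        key = _model_key(model)
        if key is None:
            verdicts[name] = "no-threshold"
            continue
        version = parse_firmware_version(fw_text)
        if version is None:
            verdicts[name] = "unknown-version"
            continue
        verdicts[name] = "patched" if is_patched(version, FIXED_BY_MODEL[key]) else "vulnerable"
    return verdicts


# Constructed sample inventory (not real devices). The first firmware string is the one
# quoted by "Some guy" above; the rest are made up to exercise each verdict.
SAMPLE_INVENTORY = [
    ("gw-01", "Archer AX21", "Firmware Version: 1.3.6 Build 20230830 rel.23076(5553)"),
    ("gw-02", "Archer AX-21", "1.1.3 Build 20230114 rel.99999(0000)"),
    ("gw-03", "Archer AX21", "1.1.4 Build 20230219 rel.99999(0000)"),
    ("gw-04", "Archer AX21", "version not reported"),
    ("gw-05", "Archer C7", "1.0.0 Build 20200101 rel.99999(0000)"),
]


if __name__ == "__main__":
    for name, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

A device whose string cannot be parsed is reported separately rather than assumed safe, and models without a recorded threshold get no verdict at all.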

Bob March 15, 2025 6:09 PM

@Some Guy

Is aftermarket firmware an option? I kept a router running on (I believe) updated DD-WRT well past its prime back in the day.

ResearcherZero March 15, 2025 11:40 PM

@Some Guy

Yes. People do turn off auto upgrade. They also downgrade firmware because they claim the latency for their gaming rig increased by 0.5 ms after they upgraded their router firmware.

Then they install a bunch of shonky aimbots and hackz so they can be a 733t gamer dude with bonus infostealers, backdoors and vulnerabilities for anyone who wants remote access.

Then there is the local transport company or other local businesses. Don’t look in their warehouse at their networks. Everyone is sharing the same password for the account that local government uses at each of its different services and departments. Those local government services are all sharing the same WIFI network with a very simple password.
As for the hardware itself, I don’t want to think about the hardware maintenance. 😐

@lurker

The funny thing is that some of those routers require a manual firmware upgrade to get firmware with an auto upgrade function and the option is not always enabled by default.

ResearcherZero March 16, 2025 12:52 AM

Your ISP might supply you with a TP-Link router. TP-Link has signed a deal with ISPs to supply rebranded routers to customers. The patch cycle for ISP router/modems, due to 3rd party hardware/firmware, often has short life cycles and relatively poor support.

‘https://www.malwarebytes.com/blog/news/2024/12/tp-link-faces-us-national-security-probe-potential-ban-on-devices

ResearcherZero March 16, 2025 1:03 AM

@Clive Robinson

do not want to fix them unless forced to do so

The supply chain issue is a real problem with the rebranded models and 3rd party input.

Many of these devices do not get patched unless a specific model is subjected to analysis by security researchers and any findings get picked up and further published. This requires researchers to get their hands on every model and that those models are not already EoL.

Some of the 3rd party suppliers have already been absorbed by another company by then and the original support and development teams for particular hardware models no longer exist.

Clive Robinson March 16, 2025 7:25 AM

@ Someguy,

With regards,

“Now I agree that auto-update can introduce a different kind of vulnerability, but it’s a less worse option than the general alternative of never updating. Most people don’t know how to log into their router, let alone update it regularly manually.”

To address those two points in reverse.

Firstly by far the majority of people do not own “their router”. Nor is “their router” configured in a way that would easily allow them to address your first point. Worse often “their router” is configured in a way that makes it way more vulnerable than it could be. And if they were to change the configuration of “their router” they get into a whole world of trouble.

The reason for this is “their router” is put in by the “Service Provider” and they set it up for “minimum cost” to themselves.

@ Bob, ALL,

“Is aftermarket firmware an option? I kept a router running on (I believe) updated DD-WRT well past its prime back in the day.”

The “Open Source” upgrades were going great until the FCC got on its “high horse” and made hardware manufacturers “lock down firmware” so users could not upgrade to “Open Source”…

Like many things in the ICT/Sec industry this sort of thing gets “lost from memory” so fast you would think the whole industry had terminal dementia.

The reason…

Nearly all routers have “WiFi” or similar and have done since RC4 was the “Industry Expert Organisation” designated encryption to give “Wired Equivalent Privacy” (another thing that has been “lost from memory”)…

Thus all routers very quickly used “standard chip sets”, which was a little problematic for “inventory” reasons. Because “The World” is split up into different “radio frequency allocation” regions by the UN “International Telecommunications Union”(ITU). This meant that the “Industrial Scientific and Medical”(ISM) frequency bands were different in different ITU regions. The major users of Wifi were the US and EU at the time and they had quite different ISM frequency allocations that lacked a lot of “commonality”. Oh and the rapidly rising “Asian Market” was on its way to surpassing both the US and EU and guess what? Yup yet another ITU Region…

What happened was a typical multi-step Supply Chain boondoggle that always happens when “trade embargo” tactics are employed by politicians to “protect home markets”… Everyone along it turns it into a “hot potato” game and passes the problem along the supply chain as “Somebody Else’s Problem” aptly named by Douglas Adams –who would have been 73 a couple of days ago had he lived– along with “Bistro Mathematics” and a couple of other terms that describe “political stupidity”.

So what happened was “textbook” of what has been happening since the end of WWII, and making everyone’s life difficult, and way beyond reasonable.

So the chip makers to cut their manufacturing and inventory costs significantly made chip sets that covered all ITU Regions. Thus passed the problem down to the end user market manufacturers… Who to cut their licencing and inventory costs significantly, put “in the firmware” only the “subset” of common frequencies for users to be able to select.

This created an “artificial resource limitation” on the users as you would expect… Thus WiFi was failing to significant usage congestion and instead of 300m range uncontested you’d be lucky to get even 10m in many homes, offices etc.

Now “Open Source” removed that “artificial resource limitation” from more capable “users”. So they went for it like “rabid piranhas”. Many of whom put their WiFi systems “Out of Band” for the region they were in…

The FCC to keep their costs down, basically wanted the problem to just “go away” so went with the SEP option. So threatened the end user market manufacturers with “action” like “licence forfeiture”, “customs embargoes”, “significant fines” and other “unspecified actions”…

The problem was they could not push any of this onto “Open Source” because “Open Source” is covered by “The First Amendment”…

Thus although the FCC did not say so directly they indicated a “full lockdown” on “Firmware” was an acceptable compliance route…

As that was the least expensive route for manufacturers guess what they did…

So ever since until fairly recently most router manufacturers went down the “make it not an option for users” path and ISPs as it cuts their costs and risks have gone along with it…

What has changed is “Chinese Manufacturers” who basically don’t give a “Flying F4ck” about the FCC or any other “Regulatory Body” or the significant costs of it. Many of them have just gone down the “fake certificate” route or found a regulatory loop hole.

Because of the way they “play the supply chain” there is next to nothing the Regulatory Agencies can do… With politicians doubling down on stupidity at every turn this is not a problem that is going to go away, in fact it’s just going to get worse, a whole lot worse…

Oh guess what it’s one of the reasons “right to tinker” legislation and repeal of legislation like the DMCA is not going to happen any time soon if ever in our life times.

But the end result of this political nonsense is you can buy powerful radio equipment –that can be harmful for your health– for less than a fast food take out burger meal…

ResearcherZero March 18, 2025 3:05 AM

@Clive Robinson

Australia has the very same problems. There are plans to improve the cables by 2030.

‘https://www.techradar.com/computing/wi-fi-broadband/goodbye-copper-nbn-co-to-upgrade-final-fixed-line-homes-to-full-fat-fibre

ResearcherZero March 18, 2025 3:33 AM

These botnets are often used for gaining access for ‘fourth party collection’.

Complicating security challenges, politicians engage in information gerrymandering to hijack public discourse, avoid accountability for breaches and ignore security warnings.

‘https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-to-heat-up/

One of the primary objectives of nation-state actors is to steal sensitive data.
https://www.trellix.com/blogs/research/blurring-the-lines-how-nation-states-and-cybercriminals-are-becoming-alike/

Searching for the Keys to the Kingdoms
https://www.darkreading.com/vulnerabilities-threats/how-nation-state-cybercriminals-target-enterprise

Easy pickings — state and local governments.
https://www.sentinelone.com/blog/why-the-public-sector-under-attack-understanding-the-cyber-risks-of-state-local-governments/

Clive Robinson March 18, 2025 6:05 AM

@ ResearcherZero, ALL,

Fallacy of “dig in” “the last mile”.

With regards,

“Australia has the very same problems. There are plans to improve the cables by 2030.”

Putting cables in no matter what their bandwidth is extraordinarily expensive and the costs are very rarely recovered.

It’s one of the “unstated” reasons behind the fight by the US to get rid of 5G and gain control of 6G.

Put simply you can not even put “backbone” backhaul cables in the ground fast enough to keep up with increasing demand. Likewise there is a limit to sticking it up on “utility poles” or even just dropping it on the ground next to roads or railway tracks…

But always you have the multiplexing problem where you have to have splitting into channels to geographically disperse to customers/consumers, which is part of the “last mile” issue.

For reasons that are difficult to get your head around without a lot of maths it’s actually least expensive for the telcos to put in high end technology and use EM Radiation of limited range.

That is they use multiplexing, beam-forming and various other wave-forming techniques that fall under “Multiple Input Multiple Output”(MIMO) to try to get “maximum capacity out of thin air”.

Thus it’s seen that by winning 5G the Chinese had the telco advantage. Something US Politicians could not tolerate so “went to war” by basically lying. The hope being that 5G gets killed early and the US steps in using FUD to force dominance in 6G.

The problem is the US are so far behind in so many ways that 6G will not be of real use if the US politicians plans come to fruition.

But… Of course there is always one in any group that does not get it… And if they get to be in charge we all go to hell in something a lot smaller than a handbag.

lurker March 21, 2025 5:13 AM

@schwit

thanks for the House Committee video link. Good advice on the need for manual backup systems, but we still get basic design flaws like the biggest airport in the UK, and a major European hub, seems to depend on a single point of electric supply …

Clive Robinson March 21, 2025 10:29 AM

@ lurker, ALL,

With regards “single point of failure” and “base security”…

“[B]ut we still get basic design flaws like the biggest airport in the UK, and a major European hub, seems to depend on a single point of electric supply”

Apparently Heathrow airport is the fifth largest by traffic in the world, so the effects are going to be world wide as they cascade out, with a minimum of 1300 flights cancelled already (and probably more to follow). Which as it’s a “Gateway” not a “hub” airport it takes a lot of pressure off of International travel to most western and central European airports… So the “knock-on effects” will be not just felt in London or the UK south east but cascade out to places like Berlin and Rome and beyond as a radius.

But as a “Base utility Security issue” it’s actually way worse than “a single point” of failure as it’s already turned into a “cascade failure” across quite a chunk of West London in Hayes and Harlington and news indicates over 80,000 “customers” many business and industrial were or still are “significantly adversely affected” (ie black out rather than brown). So as I’ve found out it’s a “Snow Day” equivalent for many thousands of people.

But that causes “supply problems” that can “latch up”. All utilities are dependent on electricity, and this includes “communications”. But consider the electricity grid is 100% dependent on high speed communications for normal operations. If one goes out, the other goes out then or shortly thereafter, and to bring either back up requires the other. So when they are both down they can not be brought up except by a “man in a van” going around slowly switching the essential supplies from auto to manual and bringing them up by hand.
Which is actually a very risky thing to do. But for various reasons of “Shareholder value” and “Director Bonuses” there are next to no personnel qualified or experienced enough to do it. Something I mention from time to time here as it’s a very significant “supply chain” failing that critically affects security in more ways than even “industry experts” realise.

Years ago I used to pass the “substation” concerned on my way to Hayes and Harlington railway station when I did some contract work over in one of the many engineering companies to the NE of the airport. Let’s just say it’s not small and it looked like much of it was built in or before WWII… Thus depending on what has been fried power supply could be affected for a minimum of two years (big transformers tend to be entirely custom made on demand with 18+month delivery times).

But that is shall we say “a surface issue” an underlying problem with making a utility infrastructure “network or grid” is that they are usually misnamed as they are virtually never “cross linked” to form a grid or net. Which has real security of supply and consequent issues. Mostly they are actually a star configuration because it removes so many issues a cross linked grid or net would form. However you get the “upstream fault problem” in that everything down stream of any fault is always affected.

It just so happens that, that part of West London is one of the most densely packed that far out from “Charing Cross”… So putting in a “second supply” through there would be impractical at best to near impossible.

Further coming in to the airport from the south or west would mean putting in potentially hundreds of miles of “up-grade” with as far as memory serves the nearest major node in existence being north of Leatherhead just inside the M25 at “Telegraph Hill” a mile down the road from “Chessington World of Adventures”. The major problem being that due to the airport, rather more than “the last mile” would have to be taken significantly “underground” due to the issue of “aircraft” dropping in on the wrong address. So the least expensive “pylon” option is out.

But… that entire area is “ear marked for expansion” successive UK Governments want to add at least one if not two extra runways and way more than double the flight capacity as well as allow for rather larger aircraft. So utility “upgrades” and “enhancements” and even maintenance have been “put on hold” till a real plan is in place. Which has not happened and may now not… Because the “locals” or “NIMBYs” as some civil servants call them have been fighting such plans tooth and nail since last century so far fairly successfully.

And as someone who currently lives within a good walk of that area and is also an engineer with some “mega-project” experience, I know that I will unfortunately be affected as will the majority of people that live in the outer south west quadrant of London. Also it looks like the “old civil servants” behind it have “gone to pasture” or fertilizer and their replacements are pushing out upgrades to other existent “London Airports” and regional airports… Thankfully now “The boris has passed” his “airport in the Thames” idea has likewise been killed off by public demand.

There is however one completely mad sounding option of putting such cables “under water”… Have a look at the “River Thames” and the “Grand Union Canal” in relation to that area and the airport in specific. Late last century I was involved indirectly with using them to do “millennium construction” as a way to get supplies into areas of London where other methods were not practical.

ResearcherZero March 22, 2025 5:20 AM

@Clive Robinson

Some of the old copper phone lines have been in the ground for 50 years and the ducts are starting to crumble as the concrete crumbles due to weathering and people parking their cars on top of them. The National Broadband Network was originally designed to be a fiber network, but this was compromised after another government was elected. The new government decided to cut corners in an attempt to save money, by using existing copper for a network with terabit data demands. Due to compromises in the design to support the existing copper, they were soon forced to begin replacing copper as the network quickly reached capacity.

Basically, this has led to final costs now more than doubling due to that decision.

But at least, as far as we know, they are not considering sharing 0-plans with Musk.

ResearcherZero March 22, 2025 5:44 AM

@lurker, Clive Robinson

The civil engineers at town planning spend years drawing up plans to reduce congestion, with better design, distribution and improved planning of infrastructure, before building and development begins. Of course the politicians ignore all of that planning – which cost tens of millions per city planning department – and instead make unplanned announcements.

Politicians also let developers build first, then they try and figure out how to add infrastructure later, instead of referring to the prior planning department work. Later the politicians call the very same ineffective roads “goat tracks”, which they built without consideration. Then the politicians announce a massive expansion to their “goat tracks”.

Finally the two major political parties blame each other for their own mistakes that both the parties themselves were responsible for and made even worse through unplanned changes, cost cutting and underfunded repairs, maintenance and staffing cuts. Due to patch-work repairs and improper maintenance, the infrastructure rapidly breaks down and crumbles.

Thames Water is a good example of an improperly funded and understaffed public utility.
