
Several botnets set sights on vulnerable TP-Link routers


BleepingComputer reports that vulnerable TP-Link Archer AX21 routers impacted by the year-old high-severity unauthenticated command injection flaw, tracked as CVE-2023-1389, have been targeted by at least six botnets.

Attempted attacks exploiting the flaw, which TP-Link patched last March, peaked at up to 50,000 per day last month, according to a report from Fortinet. The intrusions deployed variants of the Mirai and Gafgyt botnets as well as the AGoent, Condi, Moobot, and Miori payloads, each of which takes over the device and carries out its malicious activity in a different way.

AGoent, Moobot, Miori, and Mirai all fetch and execute ELF binaries on the compromised router. Of the four, only Mirai attempts to hide its activity by terminating packet-analysis processes; the others instead delete the files they dropped in order to remove traces of the intrusion, according to the researchers.

The Gafgyt variant, by contrast, downloads a script that executes Linux binaries to launch distributed denial-of-service attacks, while Condi goes further: its downloader script also takes steps to keep the malware persistent on the device, making the compromise harder to clear.
