Operators of the MANGA botnet have been observed exploiting a recently disclosed vulnerability in the TP-Link TL-WR840N EU V5 router that allows remote code execution.
The abused flaw
Botnets keep evolving and extending their capabilities, targeting newly disclosed vulnerabilities to carry out illicit activities.
- This time MANGA is exploiting a bug tracked as CVE-2021-41653, in which an insufficiently sanitized host variable lets an attacker run commands on the device.
- A researcher published a proof of concept for the flaw on November 12, and clearly not everyone applied the patch.
- MANGA began exploiting the vulnerability just two weeks after TP-Link released the firmware update.
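To make the class of bug concrete, here is an added illustrative example (not TP-Link's firmware code and not the botnet's script): a user-supplied host parameter that is interpolated into a shell command, next to a hardened version that validates the value and passes it as a single argument without a shell. Everything in it is constructed: echo stands in for the diagnostic command so the demo runs offline, and the function names and the sample attacker input are assumptions.

```python
"""Command injection through an unvalidated "host" parameter (illustrative).

Added example, not vendor code and not the botnet's script: it models the
bug class described above (a user-controlled host string reaching a shell)
with a harmless stand-in command so it runs offline. All inputs are constructed.
"""
import ipaddress
import re
import subprocess

# Hypothetical diagnostic binary; 'echo' stands in for 'ping' so nothing touches the network.
DIAG_CMD = "echo"

# RFC 1123 style hostname label: letters, digits, hyphens, no leading/trailing hyphen.
# Shell metacharacters (; | & $ ` space, ...) can never match this pattern.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(host: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a plain DNS hostname."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def run_diag_unsafe(host: str) -> str:
    """The bug pattern: host is interpolated into a shell string.

    A value such as '127.0.0.1; id' makes the shell run 'id' after the
    diagnostic command, because ';' terminates the first command.
    """
    proc = subprocess.run(f"{DIAG_CMD} {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_diag_safe(host: str) -> str:
    """Hardened form: validate first, then pass host as one argv element (no shell)."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    proc = subprocess.run([DIAG_CMD, host], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"  # constructed attacker input
    print("unsafe:", run_diag_unsafe(payload))  # second line 'INJECTED' came from the injected command
    try:
        run_diag_safe(payload)
    except ValueError as err:
        print("safe:", err)
```

With the unsafe function, the injected `echo INJECTED` runs as a separate command; with the hardened function, the same input is rejected before any process is started, and even a value that passed validation would reach the command as one literal argument because no shell parses it.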
The exploitation process
MANGA operators are exploiting the RCE vulnerability to make the devices download and run a malicious script.
- The malicious script, when run, makes two attempts to download the main binary payloads.
- However, the attackers still need to authenticate to use this exploit, which is trivial if the device still uses default credentials.
- Just like the original Mirai, MANGA identifies the infected device's architecture and downloads the matching payload. It then blocks connections to commonly targeted ports to stop other botnets from infecting the compromised device.
- Finally, the botnet waits for commands from the C2 server to carry out Denial-of-Service attacks.
It is worth noting that TP-Link had already fixed the flaw with a firmware update released in November.
Conclusion
Unpatched devices may, now more than ever, lead to dangerous consequences. Therefore, specialists recommend updating devices regularly and changing passwords to strong ones.
If you have any doubt about the above topic, don't hesitate to contact us through the email given below. Airzero Sec will be your digital partner.
Email:[email protected]
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/