Introduction

Last month’s Sensor Intel Series for March 2024 uncovered the explosion in traffic hunting for systems affected by CVE-2023-1389. The flaw which related to TP-Link Archer AX21 Wi-Fi routers has quickly become the new darling of threat actors looking to build out their DDoS botnets.

No new signatures have been introduced this month. Instead, we worked with F5 Threat Campaigns to dig for vulnerabilities without associated CVEs.

• Threat attackers continue their explosive build out of botnets by exploiting CVE-2023-1389
• This TP-Link router vulnerability continues to grow rapidly, accounting for 40% of all scanning activity in April 2024
• Just seven CVE’s, including the TP-Link vuln, are responsible for almost 80% of all malicious traffic hitting Efflux sensors
• CVE-2020-11625, which afflicts the JetBrains YouTrack application, continues its decline. Once in the top spot only a few months ago, this now sits at number five in our Top CVE list.
• A remote code execution (RCE) vulnerability with an unassigned CVE is affecting Netgear DGN1000 devices. Whilst unspotted in sensor traffic this is currently the top exploited vulnerability being observed on the F5 Threat Campaigns map.

Malicious Internet Scanning in April 2024

While total scanning traffic is down by almost a third compared with this time last year, it is clear that the traffic which remains is highly focused on seeking out vulnerable IoT devices to subsume into a botnet.

Building DDoS Botnets with TP-Link and Netgear Routers

As we reported in March 2024, CVE-2023-1389 has seen rapid growth in related scanning activity, and that trend only continued in April 2024. This command injection vulnerability in the firmware for the TP-Link Archer AX21 Wi-Fi router accounts for 40% of all traffic hitting our sensors. Exploit code for this CVE indicates that attackers are taking over weak IoT devices to include in Mozi botnets.

The Mozi DDoS Botnet

Mozi has been linked to a wide number of vulnerable IoT devices, including routers from Netgear, Huawei, D-Link, GPON, and TP-Link. The Mozi botnet uses a peer to peer (P2P) method of communication similar to that found in the popular Torrent protocol. The use of P2P networking and encrypted communication using ECDSA384 allows the botnet to hide the payload of malicious traffic and protect the integrity of the bot’s network.

The Mozi botnet is believed to focus its efforts almost exclusively on distributed denial of service (DDoS) floods, and is able to launch HTTP, TCP, UDP, and other attacks.

CVE-2023-1389 and TP-Link devices are not entirely to blame for the rapid growth of this botnet, however. Netgear devices have also been found to be widely exploited and while CVEs have been issued for some devices, such as CVE-2016-6277, some have not. The F5 Threat Campaigns Map shows heavy exploitation of the Netgear DGN1000 WiFi router, showing activity from 15 unique locations over the world. Along with active botnet activity targeting Netgear devices, Threat Campaigns is also tracking other active exploitation of GPON routers, also linked to the Mozi botnet. GPON vulnerability CVE-2020-8958 is, as you can tell from the CVE identifier, not especially new, but despite its age it remains in high demand by threat actors, and is still number 7 in our top attacked CVE list (Figure 1).

That the top vulnerability tracked by the Threat Campaign team does not have an assigned CVE (and does not appear in our list) is a good reminder that multiple intelligence sources should be combined to build an accurate view of the threat landscape.

Top Attacked CVEs for April 2024

The TP-Link vulnerability CVE-2023-1389 remains in the top spot for April (Figure 1) and clearly shows the extent to which this CVE overshadows all other traffic. For April 2024, the vast majority of all scanning traffic for the month, 79%, can be attributed to just seven vulnerabilities (see Table 1 for a full breakdown).