Over 6,000 Routers Still Vulnerable As Ballista Botnet Expands

A newly discovered botnet called Ballista is actively targeting TP-Link Archer routers, exploiting a known security flaw to spread across the internet, according to cybersecurity researchers at Cato Networks.

The botnet takes advantage of a firmware vulnerability, tracked as CVE-2023-1389, which allows attackers to gain remote access to unpatched TP-Link routers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already flagged the flaw, urging agencies to patch their devices. Despite this, more than 6,000 vulnerable routers remain online, according to a search on cybersecurity platform Censys.

Cato Networks first detected the Ballista campaign on January 10, noting several infiltration attempts, with the latest recorded on February 17.

The botnet’s malware lets attackers execute commands on compromised devices, raising concerns that its creator—who is believed to be based in Italy—may have larger goals beyond typical botnet operations.

“We suspect we caught this campaign in its early stages,” said Matan Mittelman, threat prevention team leader at Cato Networks, as reported by The Record.  “We saw it evolving, as within a short timeframe, the threat actor changed the initial dropper to allow stealthier connections to the C2 server through the Tor network,” he added.

Ballista has already targeted organizations in manufacturing, healthcare, technology, and services across the U.S., Australia, China, and Mexico. The malware completely takes over infected routers, reads their configuration files, and then spreads to other devices.

Cato’s security team also found evidence that the botnet may be capable of data theft. While the original IP address linked to the hacker is no longer active, researchers discovered an updated version of the malware on GitHub, indicating that the attack campaign is evolving.

Cato researchers noted that the campaign appears to be growing more sophisticated. While the malware shares some traits with other botnets, it remains distinct from well-known ones like Mirai and Mozi.

The persistent targeting of internet routers by hackers is nothing new. Experts say IoT devices like routers are prime targets due to weak passwords, poor maintenance, and a lack of automatic security updates.

Mittelman explained that over the years, major IoT botnets such as Mirai and Mozi have demonstrated how easily routers can be exploited, and threat actors have taken advantage of this.

He highlighted two key factors that have contributed to the issue: users often neglect to update the firmware on their routers, and router vendors generally fail to prioritize security.

TP-Link routers have been a recurring security concern. The Wall Street Journal recently reported that U.S. agencies are considering banning them due to repeated exploitation by Chinese hackers.