A newly identified botnet, named “Ballista,” is actively exploiting a critical remote code execution (RCE) vulnerability in unpatched TP-Link Archer AX21 routers.
This vulnerability, tracked as CVE-2023-1389, allows attackers to inject commands remotely, leading to unauthorized control over affected devices.
Since its detection on January 10, 2025, the Ballista botnet has compromised over 6,000 devices worldwide. The infections are predominantly concentrated in Brazil, Poland, the United Kingdom, Bulgaria, and Turkey.
Notably, the botnet has targeted organizations across various sectors, including manufacturing, healthcare, services, and technology, in countries such as the United States, Australia, China, and Mexico.
The attack sequence begins with a malware dropper, a shell script (“dropbpb.sh”), that fetches and executes the main binary built for the target's architecture, with variants available for mips, mipsel, armv5l, armv7l, and x86_64.
Once executed, the malware establishes an encrypted command-and-control (C2) channel on port 82, allowing attackers to run shell commands, conduct further RCE, and perform denial-of-service (DoS) attacks.
Additionally, the malware attempts to read sensitive files on the local system and spreads to other routers by exploiting the same vulnerability.
Analysis suggests a potential link between the Ballista botnet and an Italy-based threat actor. This assessment rests on the geolocation of the command-and-control server's IP address and on Italian-language strings found within the malware binaries.
Recommendations
To protect against the Ballista Botnet and similar threats, users and organizations are advised to:
- Update Firmware: Ensure that TP-Link Archer AX21 routers are running the latest firmware version. TP-Link has released updates addressing CVE-2023-1389, which are available on its official website.
- Change Default Credentials: Replace default usernames and passwords with strong, unique credentials to prevent unauthorized access.
- Disable Unnecessary Services: Turn off services and features that are not in use, reducing potential entry points for attackers.
- Monitor Network Activity: Regularly monitor network traffic for unusual activity, which could indicate a compromised device.
Implementing these measures can significantly enhance the security of devices and networks, mitigating the risk posed by botnets like Ballista.
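The two network-visible behaviours described above (an HTTP fetch of the "dropbpb.sh" dropper and a router-originated session to the port 82 C2 channel) are what the "Monitor Network Activity" recommendation is meant to catch. The following detection script is an added example written for this page, not code from the article or from any vendor. It assumes a simple key=value flow/proxy log format, constructed sample records using RFC 5737 documentation addresses (none are real indicators), a hypothetical inventory of which LAN addresses are routers, and an arbitrary fan-out threshold for the third, heuristic rule; the first two rules use only the dropper name and C2 port reported in the article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed flow/proxy records in a simple key=value syslog style.
# IPs are from RFC 5737 documentation ranges; none of these are real indicators.
SAMPLE_LOGS = [
    "2025-01-12T03:14:05Z src=192.168.0.1 dst=203.0.113.10 proto=tcp dport=80 url=http://203.0.113.10/dropbpb.sh",
    "2025-01-12T03:14:21Z src=192.168.0.1 dst=203.0.113.22 proto=tcp dport=82",
    "2025-01-12T03:15:02Z src=192.168.0.20 dst=198.51.100.40 proto=tcp dport=443 url=https://198.51.100.40/",
    "2025-01-12T03:15:10Z src=192.168.0.20 dst=198.51.100.7 proto=tcp dport=80 url=http://198.51.100.7/index.html",
    "2025-01-12T03:16:00Z src=192.168.0.1 dst=203.0.113.31 proto=tcp dport=80",
    "2025-01-12T03:16:01Z src=192.168.0.1 dst=203.0.113.32 proto=tcp dport=80",
    "2025-01-12T03:16:01Z src=192.168.0.1 dst=203.0.113.33 proto=tcp dport=80",
    "2025-01-12T03:16:02Z src=192.168.0.1 dst=203.0.113.34 proto=tcp dport=80",
    "2025-01-12T03:16:02Z src=192.168.0.1 dst=203.0.113.35 proto=tcp dport=80",
    "2025-01-12T03:17:45Z src=192.168.0.20 dst=198.51.100.9 proto=udp dport=53",
]

# Hypothetical inventory: LAN addresses that belong to routers, the device class Ballista infects.
ROUTER_IPS = {"192.168.0.1"}

DROPPER_NAME = "dropbpb.sh"   # dropper file name reported in the article
C2_PORT = 82                  # C2 port reported in the article

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def parse_record(line: str) -> dict:
    """Parse one key=value record; the leading timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def detect(lines, router_ips=ROUTER_IPS, fanout_threshold=5):
    """Return alerts for the Ballista-related behaviours visible in flow/proxy logs."""
    alerts = []
    http_targets = defaultdict(set)   # router src -> distinct hosts contacted on tcp/80
    for line in lines:
        rec = parse_record(line)
        src, dst = rec.get("src", ""), rec.get("dst", "")
        proto = rec.get("proto")
        dport = int(rec.get("dport", 0))
        url = rec.get("url")

        # Rule 1: any request whose URL path ends in the dropper name, regardless of host.
        if url and urlparse(url).path.rsplit("/", 1)[-1] == DROPPER_NAME:
            alerts.append(Alert("dropper_fetch", src, f"{rec['ts']} fetched {url}"))

        # Rule 2: a router originating a TCP session to the reported C2 port.
        # Routers rarely initiate outbound sessions themselves, so this is high-signal.
        if src in router_ips and proto == "tcp" and dport == C2_PORT:
            alerts.append(Alert("c2_port_82", src, f"{rec['ts']} tcp/{dport} to {dst}"))

        # Rule 3 (heuristic, an assumption of this example): a router fanning out to many
        # distinct hosts on tcp/80 is consistent with the article's statement that infected
        # devices spread to other routers; the threshold is arbitrary and needs local tuning.
        if src in router_ips and proto == "tcp" and dport == 80:
            http_targets[src].add(dst)

    for src, targets in http_targets.items():
        if len(targets) >= fanout_threshold:
            alerts.append(Alert("router_http_fanout", src,
                                f"{len(targets)} distinct hosts contacted on tcp/80"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"[{alert.rule}] {alert.src}: {alert.detail}")
```

Run against the constructed records, the script raises one alert per rule, all for the router at 192.168.0.1; the client at 192.168.0.20 produces nothing. In a real deployment, the inventory of router addresses is what makes rules 2 and 3 precise, since an ordinary client connecting to port 82 or fanning out over HTTP is far less unusual than a router doing so.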