Full Report
Researchers at Cato Networks said that during a recent investigation into router vulnerabilities, they discovered a new botnet — which they named Ballista — infecting TP-Link Archer devices.
Analysis Summary
# Vulnerability: TP-Link Archer Router Firmware Vulnerability Used in Ballista Botnet
## CVE Details
- CVE ID: CVE-2023-1389
- CVSS Score: Not explicitly stated, but presence on CISA's KEV catalog implies high severity.
- CWE: Not explicitly stated in the text.
## Affected Systems
- Products: TP-Link Archer routers (specifically the Archer AX21, also marketed as AX1800, the model mentioned in relation to the patch).
- Versions: Unpatched firmware versions.
- Configurations: Default configurations, especially those with weak passwords or unmaintained firmware.
## Vulnerability Description
The vulnerability, tracked as CVE-2023-1389, exists in the firmware of TP-Link Archer routers. Successful exploitation allows the Ballista botnet malware to spread automatically over the internet between vulnerable, unpatched devices. Once infected, the malware takes full control of the device, reads configuration files, sets up encrypted links, and grants the attacker the ability to run arbitrary commands. There is also evidence suggesting the threat actor may deploy tools to potentially steal data from infected networks.
## Exploitation
- Status: Exploited in the wild. CISA has confirmed its exploitation and mandated patching for US federal agencies.
- Complexity: Implied Low/Medium, as the botnet is actively spreading automatically over the internet.
- Attack Vector: Network (Remote exploitation over the Internet).
## Impact
- Confidentiality: High (Potential for data theft/arbitrary command execution).
- Integrity: High (Full device takeover/arbitrary command execution).
- Availability: Medium to High (Device compromised, potential for use in large-scale DDoS or other attacks).
## Remediation
### Patches
- Patch details for CVE-2023-1389 on TP-Link Archer AX21/AX1800 models should be taken directly from the TP-Link advisory; patches are available, since CISA has mandated remediation.
### Workarounds
- Apply the latest firmware update from TP-Link immediately.
- Use strong, unique passwords on the router, although exploitation of this vulnerability appears not to depend on default passwords.
- Isolate or remove unpatched devices from the network if patching cannot be immediately applied.
## Detection
- Indicators of Compromise: Devices sending unusual network traffic indicative of C2 communication (potentially via Tor), or devices exhibiting behavior associated with botnet participation (e.g., large outbound traffic spikes).
- Detection methods and tools: Monitoring network traffic for known Ballista C2 signatures or using vulnerability scanners to check for the presence of CVE-2023-1389. Initial identification by Cato Networks was based on malicious ingress attempts.
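The two behavioural indicators named above (large outbound traffic spikes from a router, and contact with Tor-style infrastructure) can be turned into a simple triage pass over flow records. The following is an added example, not Cato Networks' detection logic and not code from this report: it uses constructed flow records with RFC 5737 placeholder addresses, a per-device baseline to spot outbound volume spikes, and a deliberately weak heuristic that flags connections to the default Tor relay ports (9001/9030), which is an assumption for illustration rather than a Ballista signature.

```python
"""Outbound-volume and Tor-port triage heuristics over constructed flow records."""
from collections import defaultdict

# Constructed inventory of the routers we manage (RFC 5737 placeholder addresses).
ROUTER_IPS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

# Assumption: default Tor relay ports (ORPort 9001, DirPort 9030). A weak heuristic,
# since Tor traffic also commonly rides on 443; treat a hit as a lead, not a verdict.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed baseline-period flows (src, dst, dport, bytes); not real Ballista traffic.
BASELINE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "bytes": 120_000},
    {"src": "192.0.2.10", "dst": "198.51.100.6", "dport": 443, "bytes": 80_000},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "dport": 443, "bytes": 300_000},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 80, "bytes": 5_000},  # inbound, ignored
]

# Constructed current-window flows: .10 shows a large outbound spike, .11 contacts a Tor-style port.
WINDOW_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.20", "dport": 80, "bytes": 1_500_000},
    {"src": "192.0.2.10", "dst": "198.51.100.21", "dport": 80, "bytes": 1_000_000},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "dport": 443, "bytes": 400_000},
    {"src": "192.0.2.11", "dst": "198.51.100.30", "dport": 9001, "bytes": 12_000},
    {"src": "192.0.2.12", "dst": "198.51.100.7", "dport": 443, "bytes": 50_000},
]


def outbound_bytes(flows, routers=ROUTER_IPS):
    """Sum bytes per managed router, counting only flows the router originated."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in routers:
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_outbound_spikes(baseline_flows, window_flows, factor=5.0, min_bytes=1_000_000):
    """Flag routers whose outbound volume exceeds `factor` x their baseline.

    `min_bytes` suppresses noise from devices whose baseline is tiny or absent.
    """
    base = outbound_bytes(baseline_flows)
    cur = outbound_bytes(window_flows)
    flagged = {}
    for dev, nbytes in cur.items():
        ref = base.get(dev, 0)
        if nbytes >= min_bytes and nbytes > factor * max(ref, 1):
            flagged[dev] = {"baseline_bytes": ref, "window_bytes": nbytes}
    return flagged


def flag_tor_port_contacts(flows, routers=ROUTER_IPS, ports=TOR_DEFAULT_PORTS):
    """Return, per router, the (dst, dport) pairs that hit assumed Tor relay ports."""
    hits = defaultdict(set)
    for f in flows:
        if f["src"] in routers and f["dport"] in ports:
            hits[f["src"]].add((f["dst"], f["dport"]))
    return {dev: sorted(pairs) for dev, pairs in hits.items()}


def triage(baseline_flows, window_flows):
    """Combine both heuristics into one per-device worklist for an analyst."""
    spikes = flag_outbound_spikes(baseline_flows, window_flows)
    tor = flag_tor_port_contacts(window_flows)
    devices = sorted(set(spikes) | set(tor))
    return {dev: {"spike": spikes.get(dev), "tor_ports": tor.get(dev, [])} for dev in devices}


if __name__ == "__main__":
    for dev, info in triage(BASELINE_FLOWS, WINDOW_FLOWS).items():
        print(dev, info)
```

Both heuristics are leads for follow-up (firmware version check, configuration review, re-imaging if warranted), not proof of Ballista infection; a home-router firmware download or a legitimate Tor client would trip them too. Feeding real NetFlow or firewall logs in means only replacing the constructed lists with parsed records of the same shape.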
## References
- Vendor/Security Reports:
  - catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers/ (defanged)
  - cisa.gov/known-exploited-vulnerabilities-catalog (defanged; search for CVE-2023-1389)