Indiscriminate, opportunistic attacks
A newly emerged malware, known as Condi and first observed in May 2023, exploits CVE-2023-1389, a known remote code execution (RCE) vulnerability in the TP-Link Archer AX21 router disclosed in March 2023, to build a distributed denial-of-service (DDoS) botnet that is sold as a service.
The malware first exploits the RCE vulnerability to run on the router. It then deletes the router's shutdown and reboot binaries so that the device cannot be cleanly restarted: Condi has no known persistence mechanism, so a reboot would remove it, and removing the reboot tooling blocks that simple mitigation. It also kills any older Condi instances and other competing botnets already running on the device so that it alone controls the router.
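To illustrate the anti-reboot step described above, here is an added triage check, written for this page and not code from the original article or from the malware's analysts. It assumes shell or offline filesystem access to a Linux/BusyBox-based device image (which the stock Archer AX21 does not provide) and assumes the usual BusyBox locations for the reboot tools; `make_demo_root` builds a constructed fake root so the check runs offline.

```python
import os
import tempfile
from pathlib import Path

# Usual locations of the reboot/shutdown tools on a Linux/BusyBox device.
# Assumption: exact paths vary between firmware images; extend the list for
# the device in hand.
POWER_TOOLS = [
    "sbin/reboot", "sbin/shutdown", "sbin/poweroff", "sbin/halt",
    "usr/sbin/reboot", "usr/sbin/shutdown", "usr/sbin/poweroff", "usr/sbin/halt",
    "bin/reboot", "bin/shutdown", "bin/poweroff", "bin/halt",
]


def check_power_tools(root="/"):
    """Return {relative_path: status} for every expected tool under `root`.

    status: 'ok'       - regular file (or working symlink) with content
            'missing'  - path absent
            'empty'    - zero-byte file left in place of the tool
            'dangling' - symlink whose target (typically busybox) is gone
    """
    results = {}
    for rel in POWER_TOOLS:
        p = Path(root) / rel
        if p.is_symlink() and not p.exists():
            results[rel] = "dangling"
        elif not p.exists():
            results[rel] = "missing"
        elif p.stat().st_size == 0:
            results[rel] = "empty"
        else:
            results[rel] = "ok"
    return results


def suspicious(results):
    """A healthy device has at least one working reboot/shutdown tool; a
    clean sweep of every location is consistent with Condi's anti-reboot step.
    (A single missing path on its own is normal: BusyBox often lacks `shutdown`.)"""
    return not any(status == "ok" for status in results.values())


def make_demo_root(infected):
    """Build a constructed fake root directory (not a real firmware image) so
    the check can be exercised offline. Returns the directory path."""
    root = Path(tempfile.mkdtemp(prefix="condi-demo-"))
    (root / "bin").mkdir()
    (root / "sbin").mkdir()
    (root / "bin" / "busybox").write_bytes(b"\x7fELF fake busybox")  # placeholder content
    if infected:
        # Simulated post-infection state: tools removed, one hollowed to zero bytes.
        (root / "sbin" / "shutdown").write_bytes(b"")
    else:
        # BusyBox-style layout: applets are symlinks to the single busybox binary.
        for name in ("reboot", "poweroff", "halt"):
            os.symlink("../bin/busybox", root / "sbin" / name)
    return str(root)


if __name__ == "__main__":
    for state in (False, True):
        res = check_power_tools(make_demo_root(state))
        print("infected" if state else "healthy", "->",
              "SUSPICIOUS" if suspicious(res) else "ok",
              {k: v for k, v in res.items() if v != "missing"})
```

Run `check_power_tools("/")` on the device, or point it at a mounted firmware dump; the `suspicious` heuristic deliberately requires every location to be gone or hollowed out, because a single absent applet is normal on BusyBox builds.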
Where the exploit succeeds, the owner's router and network are used by threat actors who purchase the service to launch DDoS attacks against other users or organisations, causing disruption to the targeted networks.
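The page does not give Condi's traffic signature, so the practical network-side check is generic: look at perimeter flow records for an internal source whose packets concentrate on one destination at a rate no ordinary client reaches. The following is an added example written for this page, not code from the original article or from any vendor; the flow records are constructed in a NetFlow-like CSV shape, and the window, packet threshold and destination-share values are assumptions to be tuned per network.

```python
from collections import defaultdict

# Constructed flow records (not real telemetry):
# start_epoch,src_ip,dst_ip,dst_port,proto,packets
# 192.0.2.1 plays the infected router flooding 203.0.113.10;
# the other sources are ordinary clients.
SAMPLE_FLOWS = """\
1700000000,192.0.2.1,203.0.113.10,80,TCP,6000
1700000002,192.0.2.1,203.0.113.10,80,TCP,7500
1700000004,192.0.2.1,203.0.113.10,80,TCP,8000
1700000006,192.0.2.1,203.0.113.10,80,TCP,9000
1700000003,192.0.2.1,198.51.100.5,53,UDP,3
1700000001,192.0.2.20,198.51.100.7,443,TCP,420
1700000005,192.0.2.20,198.51.100.8,443,TCP,380
1700000007,192.0.2.20,198.51.100.7,443,TCP,260
1700000009,192.0.2.31,198.51.100.9,443,TCP,50
"""


def parse_flows(text):
    """Parse the CSV shape above into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, pkts = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "pkts": int(pkts)})
    return flows


def flag_flood_sources(flows, window_s=10, pkt_threshold=20000, min_share=0.9):
    """Return {src: (dst, packets_to_dst, share)} for sources that, within any
    window_s-second window of flow start times, sent at least pkt_threshold
    packets with at least min_share of them to a single destination.
    Thresholds are assumed values; tune them to the link's normal traffic."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)

    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):
            # slide the window so that it spans at most window_s seconds
            while recs[hi]["ts"] - recs[lo]["ts"] > window_s:
                lo += 1
            window = recs[lo:hi + 1]
            total = sum(r["pkts"] for r in window)
            if total < pkt_threshold:
                continue
            per_dst = defaultdict(int)
            for r in window:
                per_dst[r["dst"]] += r["pkts"]
            dst, top = max(per_dst.items(), key=lambda kv: kv[1])
            share = top / total
            if share >= min_share:
                prev = hits.get(src)
                if prev is None or top > prev[1]:
                    hits[src] = (dst, top, share)
    return hits


if __name__ == "__main__":
    for src, (dst, pkts, share) in flag_flood_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {pkts} packets, {share:.1%} of its traffic in window")
```

Feed it exported flows from the firewall or a NetFlow collector; a source that trips the check while its DNS or other small flows continue normally is the pattern of a compromised device flooding on someone else's behalf rather than a misconfigured client.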
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, provides additional protection on the computers behind the router: it can alert on and block follow-on activity before significant damage is done. Note, however, that an EDR agent cannot run on the router's firmware and will not see the Condi process itself; protecting the router relies on the vendor update and the containment steps below.
(Image: TP-Link Archer AX21 router)
Containment, Mitigations & Remediations
As noted above, an EDR solution on endpoints allows real-time detection and containment of a wide range of threats, but it does not cover the router itself. For the router: apply the vendor firmware update that fixes CVE-2023-1389, then power-cycle the device. Because Condi is not persistent, a restart clears the infection, but the malware's deletion of the reboot and shutdown tools means the firmware's own reboot function may no longer work, so remove power physically. Disable remote (WAN-side) management unless it is genuinely required.
All devices should have the most recent vendor updates applied, as these contain the security fixes that prevent exploitation of known vulnerabilities such as CVE-2023-1389.
Indicators of Compromise
Condi-associated file hashes (SHA256):
Condi is one of many publicly available DDoS-for-hire services that let even non-technical users launch powerful DDoS attacks against a chosen IP address or range, overwhelming the target with requests so that its network traffic is degraded or stopped completely. Such attacks have been prevalent for a long time because they are simple to launch and effective.
The threat actor behind Condi has been offering the DDoS botnet as a service and selling the malware's source code since May 2022.
T1583.005 – Botnet
T1588.006 – Vulnerabilities
T1499 – Endpoint Denial of Service