A new IoT botnet that exploits a remote code execution (RCE) flaw in TP-Link Archer routers has been targeting U.S. organizations since January, with thousands of Internet-connected devices still at risk.
The news of the emerging botnet, dubbed Ballista and believed to be the work of Italian threat actors, comes as U.S. lawmakers mull a ban on TP-Link routers over concerns of suspected connections to the Chinese government.
Researchers at security firm Cato Networks have been tracking Ballista since they first identified it on Jan. 10, attributing it to Italian threat actors based on an IP address location and other clues. Over the course of a few weeks, the researchers detected several initial access attempts, with the most recent taking place on Feb. 17. However, they believe the botnet is still active, they said in a blog post published Tuesday, and that it has targeted organizations in the manufacturing, medical/healthcare, services, and technology industries.
“The initial payload includes a malware dropper (specifically, a bash script) that downloads the malware” to control the compromised device, Cato Networks researchers Matan Mittelman and Ofek Vardi wrote. The flaw exploited by attackers is a command injection vulnerability tracked as CVE-2023-1389, which was first disclosed and patched in March 2023.
Thirty-three percent of the organizations targeted by Ballista were located in the U.S., Mittelman, Cato Networks’ threat prevention team leader, said via email. Other countries where the botnet was active include Australia, China and Mexico.
The emergence of the Ballista botnet now underscores the growing cyber threat from attackers, Chinese and otherwise, that abuse TP-Link devices for nefarious purposes, security experts said. This may require organizations with the company’s devices in their network to plan for unscheduled technology migrations, noted John Bambenek, president of security firm Bambenek Consulting.
“There may not be a great deal of time given to contractors to make changes, and these devices are often core network equipment, [making it] painful to do a wholesale swap-out,” he told Cybersecurity Dive via email.
Ban on TP-Link routers imminent?
Congress is considering a ban on Chinese-made routers such as those from TP-Link, with lawmakers urging last week in a meeting of the House of Representatives’ select committee on China that people in the U.S. should remove them from their homes.
Testifying before the committee, former director of cybersecurity at the National Security Administration (NSA) Rob Joyce accused China of undercutting the market for routers in the U.S. to vault TP-Link to the top of market share for its own nefarious purposes.
He cited as evidence documented attacks by the Chinese nation-state threat groups Volt Typhoon, Salt Typhoon and Flax Typhoon, which used the company’s routers to build botnets and infiltrate U.S. critical infrastructure. He urged the elimination of TP-Link’s footprint in the U.S. as part of “ensuring other PRC capabilities are not enabled in our infrastructure.”
A TP-Link executive pushed back on this portrayal of the company’s technology and defended the ethics of the company. “Witnesses at the hearing didn’t present a shred of evidence that TP-Link is linked to the Chinese government, and we are not,” Jeff Barney, president of TP-Link Systems Inc., said in a statement.
However, the concern of U.S. lawmakers about TP-Link routers is backed by documented research, as Chinese hackers have in the past hijacked the company’s devices for botnet campaigns and other malicious purposes, according to the Foundation for Defense of Democracies (FDD), a Washington, D.C.-based research institute.