Fortinet researchers point at a new DDoS botnet called Condiexploiting a critical vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots.

This network is rented for malicious DDoS attacks while selling its botnet source code and other tools for quick money. TP-Link released an update to patch this vulnerability, and the users of Archer AX21 routers are advised to apply it immediately.

Security Bug in TP-Link Routers

Supporting the ZDI’s report earlier this year, Fortinet researchers this week state that TP-Link’s Archer AX21 routers are being exploited in the wild of a security bug – that lets threat actors breach their hardware and use them as bots.

They also discussed a new DDoS botnet service named Condi, which emerged last month, targeting the TP-Link Archer AX21 (AX1800) Wi-Fi routers. Researchers claim that the Condi group exploits a security bug (CVE-2023-1389) in AX21 routers to build an army of bots to conduct DDoS attacks.

The gang starts with scanning the internet for public IPs with open ports 80 or 8080 and sends a hardcoded exploitation request to download and execute a remote shell script. Other samples also indicated the botnet spreading through an available ADB port (TCP/5555).

After infecting, the malware attempts to kill any of its competitors’ processes on the host device and stops older versions of itself. And since it doesn’t have a persistence mechanism to survive between device reboots, Condi malware kills the concerned restarting or shutdown functions of the device.

After the Mirai botnet, Condi is the latest threat actor to exploit this vulnerability, say researchers. Well, TP-Link has released an update to patch this bug in March 2023 and advises users of Archer AX21 routers to apply it immediately.

If you’re unsure of getting infected by Condi, look for signs like device overheating, network disruptions, inexplicable changes in a device’s network settings, and admin user password resets. If you find suspicion in any of these, reset and apply the available update immediately.