Dark Mirai (also known as MANGA) has been seen exploiting a new vulnerability in the TP-Link TL-WR840N EU V5, a popular low-cost home router launched in 2017. The vulnerability is identified as CVE-2021-41653, and it is caused by an insecure ‘host’ variable that an authorized user may exploit to run commands on the device. On November 12, 2021, TP-Link issued a firmware update (TL-WR840N(EU) V5 211109) to address the problem.
Threat actors exploited the vulnerability when the researcher who identified it published a proof of concept (PoC) used for the RCE. According to Fortinet researchers who have been tracking Dark Mirai activities, the botnet added the RCE to its arsenal just two weeks after TP-Link published the firmware upgrade.
The perpetrators behind Dark Mirai use CVE-2021-41653 to induce devices to download and run a malicious script called “tshit.sh,” which then downloads the primary binary payloads through two requests. The actors must still authenticate for this attack to succeed, but exploiting the vulnerability becomes straightforward if the user has left the device with default credentials.
MANGA, like normal Mirai, recognizes the architecture of the infected system and retrieves the appropriate payload. Then, to prevent other botnets from gaining control of the captured device, it restricts connections to regularly targeted ports. Finally, the malware awaits an order from the C&C (command and control) server to launch a denial-of-service (DoS) attack. Mirai may be no longer active, but its code has spawned a slew of new botnets that are wreaking havoc on unprotected devices.
Do the following to protect your router against old and new Mirai variants, as well as any other botnet:
- Regularly check the DNS settings
- As soon as feasible, install all available firmware and security upgrades
- Turn off all remote management options
- If you’re not using UPnP or WPS, turn them off
- Replace the default administrator credentials with a password that is at least 20 characters long
- Activate firewalls, which are frequently turned off by default on residential routers
- Replace your router with a new one if it is obsolete and no longer supported by the vendor
- On the management page, change your subnet address and enable SSL
