Ballista Botnet Exploits TP-Link Router Flaw, Infecting 6,000+ Devices

2025-03-11
A new botnet, Ballista, is exploiting a high-severity vulnerability (CVE-2023-1389) in unpatched TP-Link Archer AX-21 routers and has infected over 6,000 devices. The vulnerability allows remote code execution, which lets Ballista spread automatically through command injection. The botnet targets manufacturing, medical, services, and technology organizations, predominantly in Brazil, Poland, the UK, Bulgaria, and Turkey, with further infections in the US, Australia, China, and Mexico. Ballista uses a malware dropper and a shell script to execute its main binary, which establishes a C2 channel used to control infected devices, launch DoS attacks, and read sensitive files. Researchers suspect an Italian origin, and the use of Tor networks suggests ongoing development and active evasion techniques.