Sensor Intel Series

Building DDoS Botnets with TP-Link and Netgear Routers

Threat actors double down with their botnet building efforts. Vulnerable Netgear routers join exploitable TP-Link and other IoT devices, expanding attacker DDoS capabilities.
By David Warburton (additional contributions by Malcolm Heath)
May 22, 2024
5 min. read
Previous article in this series

The Sensor Intel Series is created in partnership with Efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry.

Additional insights and contributions provided by the F5 Threat Campaigns team.

Introduction

Last month’s Sensor Intel Series for March 2024 uncovered the explosion in traffic hunting for systems affected by CVE-2023-1389. The flaw which related to TP-Link Archer AX21 Wi-Fi routers has quickly become the new darling of threat actors looking to build out their DDoS botnets.

No new signatures have been introduced this month. Instead, we worked with F5 Threat Campaigns to dig for vulnerabilities without associated CVEs.1

  • Threat attackers continue their explosive build out of botnets by exploiting CVE-2023-1389
  • This TP-Link router vulnerability continues to grow rapidly, accounting for 40% of all scanning activity in April 2024
  • Just seven CVE’s, including the TP-Link vuln, are responsible for almost 80% of all malicious traffic hitting Efflux sensors
  • CVE-2020-11625, which afflicts the JetBrains YouTrack application, continues its decline. Once in the top spot only a few months ago, this now sits at number five in our Top CVE list.
  • A remote code execution (RCE) vulnerability with an unassigned CVE is affecting Netgear DGN1000 devices. Whilst unspotted in sensor traffic this is currently the top exploited vulnerability being observed on the F5 Threat Campaigns map.

Malicious Internet Scanning in April 2024

While total scanning traffic is down by almost a third compared with this time last year, it is clear that the traffic which remains is highly focused on seeking out vulnerable IoT devices to subsume into a botnet.

Building DDoS Botnets with TP-Link and Netgear Routers

As we reported in March 2024, CVE-2023-1389 has seen rapid growth in related scanning activity, and that trend only continued in April 2024. This command injection vulnerability in the firmware for the TP-Link Archer AX21 Wi-Fi router accounts for 40% of all traffic hitting our sensors. Exploit code for this CVE indicates that attackers are taking over weak IoT devices to include in Mozi botnets.2

The Mozi DDoS Botnet

Mozi has been linked to a wide number of vulnerable IoT devices, including routers from Netgear, Huawei, D-Link, GPON, and TP-Link.3 The Mozi botnet uses a peer to peer (P2P) method of communication similar to that found in the popular Torrent protocol. The use of P2P networking and encrypted communication using ECDSA384 allows the botnet to hide the payload of malicious traffic and protect the integrity of the bot’s network.

The Mozi botnet is believed to focus its efforts almost exclusively on distributed denial of service (DDoS) floods, and is able to launch HTTP, TCP, UDP, and other attacks.

CVE-2023-1389 and TP-Link devices are not entirely to blame for the rapid growth of this botnet, however. Netgear devices have also been found to be widely exploited and while CVEs have been issued for some devices, such as CVE-2016-6277, some have not.4 The F5 Threat Campaigns Map shows heavy exploitation of the Netgear DGN1000 WiFi router, showing activity from 15 unique locations over the world.5 Along with active botnet activity targeting Netgear devices, Threat Campaigns is also tracking other active exploitation of GPON routers, also linked to the Mozi botnet. GPON vulnerability CVE-2020-8958 is, as you can tell from the CVE identifier, not especially new, but despite its age it remains in high demand by threat actors, and is still number 7 in our top attacked CVE list (Figure 1).

That the top vulnerability tracked by the Threat Campaign team does not have an assigned CVE (and does not appear in our list) is a good reminder that multiple intelligence sources should be combined to build an accurate view of the threat landscape.

Top Attacked CVEs for April 2024

The TP-Link vulnerability CVE-2023-1389 remains in the top spot for April (Figure 1) and clearly shows the extent to which this CVE overshadows all other traffic. For April 2024, the vast majority of all scanning traffic for the month, 79%, can be attributed to just seven vulnerabilities (see Table 1 for a full breakdown).

Figure 1. Top attacked CVEs in April 2024.

The Sankey diagram in Figure 2 is a more insightful look at the same data. It shows top attacked CVEs over time and is a useful way to quickly identify trends such as the explosion in traffic searching for CVE-2023-1389. The ramp up began in December 2023 when the vulnerability was announced and has been gaining in rank (and total traffic volume) ever since.

Figure 2. Top CVE scanning trends for the past 12 months.

Figure 2. Top CVE scanning trends for the past 12 months.

The full list of CVEs along with traffic counts, and associated CVSS v3 and Exploit Prediction Scoring System (EPSS) scores can be found in Table 1 (Appendix). EPSS scores provide a way to predict how likely it is a given vulnerability will be seen. For those that need a refresher, check our explainer article F5 Labs Joins the Exploit Prediction Scoring System as a Data Partner.

Of the 119 vulnerabilities we tracked across April 2024, 107 had EPSS scores of 0.87 or higher, indicating high likelihood of exploitation. Of the top 10 CVEs ( Figure 1) only two had low EPSS scores. The GeoServer (JT-Jiffle) deserialization RCE (CVE-2022-24847) had a score of just 0.40609 while the JetBrains YouTrack vulnerability (CVE-2020-11625) scored only 0.46926. The low EPSS scores imply that the likelihood of encountering these exploits attempts is relatively low. This certainly corroborates our findings of the decline in traffic targeting CVE-2020-11625. However, while total volume aiming for CVE-2022-24847 is low compared with some other vulnerabilities, it is remaining consistent and shows no sign of significant decline over time.

The plots for the top attacked CVEs, shown in Figure 3, is a great way to easily identify the big changes in individual CVE exploitation. In it we can see the steady decline of CVE-2020-11625 which began in January of 2024 after its explosive growth back in November 2023.

The decline in traffic targeting CVE-2020-11625, and the drop in relative top-10 position for CVE-2022-24847 (see Figure 2, above), are likely reasons for their current low EPSS scores.

Figure 3. Individual plots per top attacked CVE in April 2024.

Figure 3. Individual plots per top attacked CVE in April 2024.

Table 1 contains the full count of malicious traffic volumes as well as the CVSS v3 and EPSS scores for each CVE. It’s not until we visualize the data, however, that we see the obvious pattern hiding in plain sight (Figure 4). The overwhelming majority of scanned CVEs can be attributed to high (CVSSv3 >7.0) and critical (CVSSv3 >9.0) vulnerabilities.

Scanned CVEs by CVSS Ranking
Figure 4. CVSS rankings as a proportion of scanner traffic.

This seems logical. A high/critical CVSS score is typically awarded to a CVE when it is remotely accessible, and exploitable with relative ease: just the kinds of vulnerabilities that attackers love to scan for. Minimal effort, maximum reward. It is no wonder, then, that much of the scanning activity we see is targeting home routers. They are deployed en masse by ISPs, have high bandwidth connections, and commonly feature remote configuration web apps or APIs which are ripe for abuse.

Conclusion

Subsuming vulnerable IoT devices into global botnets continues to be the top activity for malicious internet wide scans. Patching against known CVEs is essential for anyone owning a vulnerable device. It is important for everyone to be aware of why these botnets continue to be built out: increasing denial of service (DoS) capabilities. Consider what DDoS defences you have and what their strengths and weaknesses are.

Previous article in this series

Recommendations

Technical
Preventative
  • Scan your environment for vulnerabilities aggressively.
  • Patch high-priority vulnerabilities (defined however suits you) as soon as feasible.
  • Engage a DDoS mitigation service to prevent the impact of DDoS on your organization.
Technical
Detective
  • Use a WAF or similar tool to detect and stop web exploits.
  • Monitor anomalous outbound traffic to detect devices in your environment that are participating in DDoS attacks.

Appendix

This data is now also available in CSV format in the F5 Labs Github repo TopCVEs.

CVE Scanning Data
CVE Number April Traffic CVSS v3.x EPSS Score
CVE-2023-1389 9827 8.8 0.93874
CVE-2017-9841 2304 9.8 0.99972
CVE-2022-24847 2293 7.2 0.40609
CVE-2022-22947 1686 10.0 0.99972
CVE-2020-11625 1344 5.3 0.46926
CVE-2022-42475 1135 9.8 0.97205
CVE-2020-8958 772 7.2 0.98195
CVE-2022-41040/CVE-2021-34473 595 9.8 0.99637
CVE-2019-9082 446 8.8 0.99952
CVE-2021-28481 432 9.8 0.92372
CVE-2020-0618 352 8.8 0.99876
CVE-2018-0296 322 7.5 0.99925
CVE-2018-10561 315 9.8 0.9977
CVE-2021-44228 282 10.0 0.99998
CVE-2021-26855 274 9.8 0.99979
CVE-2021-3129 244 9.8 0.99956
CVE-2014-2908 224 NA n/a
Citrix XML Buffer Overflow 220 NA n/a
CVE-2022-47945 213 9.8 0.92145
CVE-2021-26084 132 9.8 0.99949
CVE-2019-18935 124 9.8 0.98991
CVE-2021-40539 124 9.8 0.99981
CVE-2018-13379 98 9.8 0.99895
NETGEAR-MOZI 97 NA n/a
CVE-2021-26086 86 5.3 0.98852
CVE-2017-1000226 77 5.3 0.39713
CVE-2019-1653 61 7.5 0.99999
2018 JAWS Web Server Vuln 57 NA n/a
CVE-2020-25506 46 9.8 0.99914
CVE-2017-12149 24 9.8 0.99818
CVE-2014-2321 15 NA n/a
CVE-2017-18368 14 9.8 0.99986
CVE-2020-24949 14 8.8 0.99184
CVE-2018-9995 11 9.8 0.98782
CVE-2019-12725 11 9.8 0.99544
CVE-2017-10271 10 7.5 0.99937
CVE-2007-3010 9 NA n/a
CVE-2014-6287 8 9.8 n/a
CVE-2022-26134 8 9.8 0.99991
CVE-2020-28188 7 9.8 0.99863
CVE-2020-5902 7 9.8 0.99999
CVE-2020-9757 7 9.8 0.99529
CVE-2015-4074 5 7.5 n/a
CVE-2015-8813 5 8.2 n/a
CVE-2014-9792 4 7.8 n/a
CVE-2020-7961 4 9.8 0.99963
CVE-2021-21985 4 9.8 0.99902
CVE-2021-29203 4 9.8 0.99383
CVE-2022-40684 4 9.8 0.99793
CVE-2017-0929 3 7.5 0.80923
CVE-2017-11511 3 7.5 0.97027
CVE-2017-11512 3 7.5 0.99811
CVE-2017-17731 3 9.8 0.90031
CVE-2018-17246 3 9.8 0.99534
CVE-2018-7600 3 9.8 1
CVE-2022-22965 3 9.8 0.9997
CVE-2018-1000600 2 8.8 0.99107
CVE-2019-2588 2 4.9 0.9612
CVE-2019-2767 2 7.2 0.95789
CVE-2020-17496 2 9.8 0.99956
CVE-2020-25213 2 9.8 0.99915
CVE-2020-3452 2 7.5 0.9997
CVE-2020-7796 2 9.8 0.98019
CVE-2021-23394 2 9.8 0.87435
CVE-2021-25003 2 9.8 0.97664
CVE-2021-25369 2 6.2 0.45482
CVE-2021-27065 2 7.8 0.99539
CVE-2021-32172 2 9.8 0.96889
CVE-2021-33357 2 9.8 0.99646
CVE-2022-0885 2 9.8 0.96833
CVE-2022-1040 2 9.8 0.99943
CVE-2022-21587 2 9.8 0.999
CVE-2023-25157 2 9.8 0.97742
CVE-2018-20062 1 9.8 0.9964
CVE-2018-20463 1 7.5 0.90996
CVE-2019-12987 1 9.8 0.99852
CVE-2019-12988 1 9.8 0.99852
CVE-2019-2725 1 9.8 1
CVE-2019-9670 1 9.8 0.99979
CVE-2020-25078 1 7.5 0.98392
CVE-2021-31589 1 6.1 0.68595
CVE-2005-3128 0 NA n/a
CVE-2008-2052 0 NA n/a
CVE-2008-6668 0 NA n/a
CVE-2009-1872 0 NA n/a
CVE-2011-4926 0 NA n/a
CVE-2012-1823 0 NA n/a
CVE-2012-4940 0 NA n/a
CVE-2013-6397 0 NA n/a
CVE-2014-4535 0 6.1 n/a
CVE-2015-3897 0 NA n/a
CVE-2016-1000149 0 6.1 0.45745
CVE-2016-4945 0 6.1 0.58122
CVE-2017-9506 0 6.1 0.7783
CVE-2018-18775 0 6.1 0.5101
CVE-2018-7700 0 8.8 0.9752
CVE-2019-16057 0 9.8 0.99987
CVE-2019-8982 0 9.8 0.88114
CVE-2020-0688 0 8.8 0.99801
CVE-2020-13167 0 9.8 0.99942
CVE-2020-15505 0 9.8 0.9999
CVE-2020-17453 0 6.1 0.82047
CVE-2020-17505 0 8.8 0.99451
CVE-2020-17506 0 9.8 0.99304
CVE-2020-22211 0 9.8 0.96022
CVE-2020-27982 0 6.1 0.64945
CVE-2020-9344 0 6.1 0.58261
CVE-2021-20167 0 8.0 0.99261
CVE-2021-21315 0 7.8 0.99836
CVE-2021-21801 0 6.1 0.98383
CVE-2021-33564 0 9.8 0.94425
CVE-2021-3577 0 8.8 0.99411
CVE-2021-38702 0 6.1 0.83956
CVE-2021-41277 0 10.0 0.99382
CVE-2022-0653 0 6.1 0.58375
CVE-2022-22954 0 9.8 0.99955
CVE-2022-35914 0 9.8 0.9991
CVE-2022-40734 0 6.5 0.93863
CVE-2023-25651 0 8.0 0.05325
Table 1 CVEs scanned in April 2024
Join the Discussion
Authors & Contributors
David Warburton (Author)
Director, F5 Labs
About David All Articles
Malcolm Heath (Contributor)
Sr. Threat Researcher
About Malcolm All Articles
Footnotes

1https://threatcampaignsmap.f5.com/

2https://nvd.nist.gov/vuln/detail/CVE-2023-1389

3https://www.bleepingcomputer.com/news/security/new-mozi-p2p-botnet-takes-over-netgear-d-link-huawei-routers/

4https://kb.netgear.com/000036386/CVE-2016-582384

5https://threatcampaignsmap.f5.com/

6https://github.com/F5-Labs/topcves

TAGS: CVE-2017-18368 Hacktivism CVE-2018-17246 CVE-2019-12725 CVE-2018-7600 Active Scanning (T1595) CVE-2020-7961 CVE-2022-22965 CVE CVE-2022-26134 Direct Network Flood (T1498.001) CVE-2018-1000600 CVE-2021-3129 DDoS Attacks Network Service Discovery (T1046) Layer 4 - Transport CVE-2018-9995 CVE-2017-0929 CVE-2018-10561 CVE-2020-7796 Rootkit (T1014) CVE-2022-40684 2018 JAWS Web Server Vuln CVE-2022-21587 CVE-2017-10271 CVE-2021-31589 CVE-2019-9082 CVE-2019-2725 Citrix XML Buffer Overflow Asymmetric Cryptography (T1573.002) CVE-2020-17496 CVE-2019-2588 CVE-2020-8958 CVE-2017-17731 CVE-2022-22947 Exploitation for Privilege Escalation (T1068) CVE-2019-1653 CVE-2022-42475 CVE-2022-24847 CVE-2021-26855 Botnet CVE-2021-29203 CVE-2021-25003 CVE-2017-11511 CVE-2017-11512 Boot or Logon Autostart Execution (T1547) CVE-2007-3010 Unix Shell (T1059.004) EDB-43055 Threats CVE-2019-18935 CVE-2021-34473 CVE-2021-32172 CVE-2018-13379 CVE-2014-2321 CVE-2021-25369 CVE-2020-9757 Layer 7 - Application Service Stop (T1489) Layer 5 - Session Brute Force (T1110) Create or Modify System Process (T1543) Vulnerability Scanning (T1595.002) CVE-2021-28481 CVE-2021-44228 CVE-2020-5902 CVE-2021-21985 CVE-2017-12149 CVE-2022-47945 Remote System Discovery (T1018) CVE-2019-9670 CVE-2018-20062 CVE-2022-1040 Commonly Used Port (T0885) CVE-2020-0618 CVE-2022-41040 CVE-2017-1000226 Encrypted Channel (T1573) CVE-2018-20463 Layer 3 - Network CVE-2020-25213 CVE-2021-40539 Exploit Public-Facing Application (T1190) Warfare Layer 6 - Presentation Implant Internal Image (T1525) CVE-2021-26084 CVE-2018-0296 CVE-2019-2767 CVE-2021-26086 CVE-2023-1389 Exploitation of Remote Resources (T1210) Password Guessing (T1110.001) CVE-2019-12988 CVE-2019-12987 CVE-2022-0885 CVE-2023-25157 CVE-2020-24949 CVE-2015-8813 CVE-2017-9841 CVE-2020-28188 CVE-2021-33357 CVE-2020-25078 CVE-2014-2908 CVE-2021-27065 CVE-2014-9792 Launch Daemon (T1543.004) EDB-51677 CVE-2020-3452 CVE-2020-25506 Obfuscated Files or Information (T1027) Network Denial of Service (T1498) threat hunting CVE-2014-6287 CVE-2021-23394 CVE-2020-11625 Command and Scripting Interpreter (T1059) NETGEAR-MOZI CVE-2015-4074 Masquerading (T1036)

Read More from F5 Labs

2023 Identity Threat Report: The Unpatchables
2023 Identity Threat Report: The Unpatchables
11/01/2023 report 80 min. read
Building DDoS Botnets with TP-Link and Netgear Routers
Building DDoS Botnets with TP-Link and Netgear Routers
05/22/2024 article 5 min. read
2024 Bad Bots Review
2024 Bad Bots Review
03/14/2024 article 15 min. read