
Ballista Botnet: TP-Link Frankenstein Unleashed

Author: Javier Conejo del Cerro



A new cyber plague is spreading across the internet as the Ballista botnet exploits unpatched TP-Link Archer routers, transforming them into malicious attack nodes. Leveraging CVE-2023-1389, a remote code execution (RCE) vulnerability, attackers have compromised over 6,000 devices worldwide, turning everyday routers into cyber weapons used for denial-of-service (DoS) attacks, unauthorized remote access, and further propagation of the botnet.

The discovery of Ballista underscores the ongoing threat posed by unpatched vulnerabilities in widely used network infrastructure. Once a router is compromised, it is enslaved into the botnet, allowing attackers to execute arbitrary commands, steal data, and launch large-scale cyberattacks. Worse yet, the malware is under active development, incorporating TOR-based communication to evade tracking, making mitigation even more difficult.


Homes and Firms in the Hot Spot


Unlike targeted cyberattacks against specific industries, Ballista spreads indiscriminately, affecting both home users and corporate environments. The infections are heavily concentrated in Brazil, Poland, the UK, Bulgaria, and Turkey, but compromised devices have also been detected in the United States, China, Australia, and Mexico.


Affecting Consumers and Enterprises Alike


• Home Users: Many home networks rely on TP-Link Archer routers, meaning thousands of consumers unknowingly have infected devices acting as part of the botnet. These compromised routers can be leveraged to spy on internet traffic, steal credentials, or launch attacks against other targets.


• Businesses and Critical Sectors: Organizations in manufacturing, healthcare, technology, and services are particularly impacted. Compromised routers in these sectors could jeopardize confidential data, disrupt essential services, or provide hackers a foothold into corporate networks.


• Government and Infrastructure: The spread of botnets like Ballista raises concerns over their potential use in cyber warfare, as attackers could use infected devices to target government agencies or critical infrastructure providers.


The consequences of Ballista’s infection extend beyond individual devices—each compromised router acts as a relay point, allowing cybercriminals to scale their operations.


Injection Robot: How Ballista Spreads


Ballista operates by exploiting a command injection flaw in TP-Link Archer AX-21 routers, granting attackers remote control over affected devices. The attack follows a structured multi-stage infection process:


1. Initial Exploitation via CVE-2023-1389


• The botnet exploits a high-severity RCE flaw in TP-Link routers, first identified in April 2023.

• Vulnerable devices allow attackers to execute arbitrary shell commands remotely.


2. Malware Dropper Deployment


• A malicious shell script (“dropbpb.sh”) is injected into the compromised router.

• The script downloads and installs the Ballista malware for various system architectures, including mips, mipsel, armv5l, armv7l, and x86_64.


3. Establishing Persistence and Control


• The malware creates an encrypted command-and-control (C2) connection using port 82.

• Attackers can now issue remote commands, run scripts, and manipulate system settings.


4. Expansion and Self-Propagation


• The botnet scans the internet for other vulnerable TP-Link routers.

• It reuses CVE-2023-1389 to infect additional devices, rapidly expanding its footprint.


By leveraging an existing vulnerability and implementing self-replication techniques, Ballista can autonomously grow without direct intervention from its operators.


Ballista’s Arsenal: Capabilities and Commands


Once inside a network, Ballista functions as a multi-purpose cyberweapon, granting attackers near-unlimited control over compromised routers. Key functionalities include:

• Flood Attacks: Triggers denial-of-service (DoS) attacks, overwhelming targets with massive traffic floods.

• Exploitation Module: Uses CVE-2023-1389 to spread further, continuously infecting new routers.

• Remote Shell Execution: Executes Linux shell commands remotely, providing attackers full control.

• Persistence & Concealment: Deletes logs, erases traces of its activity, and removes competing malware infections to ensure it remains undetected.


Jamming Its Circuitry: Countermeasures


With Ballista actively evolving, shifting to TOR-based communication for stealth, and continuously infecting new devices, proactive security measures are essential to neutralize the botnet threat.


Immediate Actions to Mitigate Risk:


• Patch TP-Link routers immediately and update firmware to prevent exploitation.

• Disable remote management on home and corporate routers to reduce exposure.

• Monitor network logs for unusual activity, such as unauthorized shell executions.

• Isolate infected devices from corporate networks to prevent lateral movement.

• Enforce Zero Trust security models and restrict administrative privileges to limit attack vectors.
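The "monitor network logs" item above is easier to act on with concrete indicators, and the spread section of this post supplies three: a dropper script named "dropbpb.sh" fetched by the router, a C2 connection on port 82, and outbound scanning for further TP-Link routers. The script below is an added example, not code from the post or from any TP-Link or Ballista research, that runs those three checks over a handful of constructed firewall log lines. The log format, the fan-out threshold of five hosts and the IP addresses are all assumptions made for the example; real deployments would adapt the parser to their own log source.

```python
"""Flag Ballista-style indicators in router/firewall logs (added example).

Indicators come from the article: the dropper name "dropbpb.sh", C2 on
port 82, and one source contacting many hosts on one port (propagation
scanning). Log format, threshold and addresses are assumptions.
"""
import re
from collections import defaultdict

# Assumed log format: <timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> [METHOD path]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>\w+)"
    r"(?:\s+(?P<method>[A-Z]+)\s+(?P<path>\S+))?\s*$"
)

DROPPER_NAME = "dropbpb.sh"   # from the article
C2_PORT = 82                  # from the article
SCAN_THRESHOLD = 5            # assumed: distinct hosts on one port before we call it scanning

# Constructed sample log lines (not real traffic). 192.168.1.1 plays an
# infected router: it fetches the dropper, talks to port 82, then fans out
# to six hosts on port 80. 192.168.1.50 is a normal client. One line is garbage.
SAMPLE_LOGS = """\
2025-03-12T10:00:01Z 192.168.1.1 -> 203.0.113.10:80 tcp GET /dropbpb.sh
2025-03-12T10:00:05Z 192.168.1.1 -> 203.0.113.10:82 tcp
2025-03-12T10:00:09Z 192.168.1.1 -> 198.51.100.7:80 tcp
2025-03-12T10:00:10Z 192.168.1.1 -> 198.51.100.8:80 tcp
2025-03-12T10:00:11Z 192.168.1.1 -> 198.51.100.9:80 tcp
2025-03-12T10:00:12Z 192.168.1.1 -> 198.51.100.10:80 tcp
2025-03-12T10:00:13Z 192.168.1.1 -> 198.51.100.11:80 tcp
2025-03-12T10:01:00Z 192.168.1.50 -> 203.0.113.99:443 tcp GET /index.html
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def detect(lines, scan_threshold=SCAN_THRESHOLD):
    """Return a list of (alert_kind, source_ip, detail) tuples.

    Dropper and C2 alerts are emitted per matching line; the scan alert is
    emitted once per (source, port) pair after all lines are seen.
    """
    alerts = []
    fanout = defaultdict(set)  # (src, port) -> distinct destination hosts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as suspicious
        if rec["path"] and DROPPER_NAME in rec["path"]:
            alerts.append(("dropper_fetch", rec["src"], rec["ts"]))
        if rec["proto"] == "tcp" and rec["port"] == C2_PORT:
            alerts.append(("c2_port", rec["src"], rec["ts"]))
        fanout[(rec["src"], rec["port"])].add(rec["dst"])
    for (src, port), dsts in fanout.items():
        if len(dsts) >= scan_threshold:
            alerts.append(("scan_fanout", src, f"{len(dsts)} hosts on port {port}"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOGS.splitlines()):
        print(f"{kind:<14} {src:<14} {detail}")
```

Port 82 is uncommon but not reserved for malware, so the `c2_port` rule is a triage signal rather than proof of infection; the dropper-name match and the fan-out pattern from a device that should never initiate scans are the stronger indicators, and a router raising all three warrants isolation and a firmware reflash.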


By securing home and enterprise routers, organizations and individuals can prevent their devices from becoming part of a growing botnet army. Ballista is not just a threat to its direct victims—it is a tool that cybercriminals can use for global-scale attacks.

